How to setup a proxy radius server (FreeRadius 3)

Question

I am trying to setup a proxy Freeradius server that forwards all requests to another Freeradius server.

For reference see the following picture:

The reason for this setup is I want users to be to onnect to the local LAN via VPN, but the local site is not accessible due to NAT implementet at the ISP.

I am however able to make a site2site VPN connection from local LAN to the VPN server, so I want users to be able to make a VPN connection to the local network via the public VPN server, provided they are a valid user on the local net.

I have a Freeradius server running on local LAN that validates users against a database - and that part is working fine.

Configuration VPN server side

As far as I understand the only thing I need to modify on the server is the file proxy.conf.

Assuming usernames logging onto the VPN is on the form users@example.com then I would only need to add the following entry to proxy.conf:

realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    authhost = local-radius.example.com:1812
    accthost = local-radius.example.com:1813

    nostrip
}

The nostrip entry is making sure that the proxied request does not remove the @-postfix from username.

I would also need to add the following to /etc/hosts:

   # VPN Address of local-radius.example.com
 
   192.168.100.2   local-radius.example.com

Configuration local radius server side

On the local radius server I need to update client.conf so any queries to the local radius server and originating from the VPN ip adress is permittet. Like for instance this entry:

client vpn-net {

        # Allow requests originating from VPN subnet.

        ipaddr          = 192.168.100.0/24
        secret          = VeryS3cretPassw0rd
}

Running the following command on VPN server works as expected:

radtest -t mschap user@example.com SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd

I get the following response back:

Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword "
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ....
        MS-CHAP-Response = ...
Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84
        MS-CHAP-MPPE-Keys = ...
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4

However running the following command on the VPN server fails:

radtest -t mschap user@example.com SecretPassword localhost:18120 0 testing123

The output from the command is:

Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ...
        MS-CHAP-Response = ...
Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20
(0) -: Expected Access-Accept got Access-Reject

Running the command freeradius -X on VPN server gives among others this output:

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "user@example.com"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user user@example.com to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     [suffix] = updated
(0) ntdomain: Request already has destination realm set.  Ignoring
(0)     [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) There was no response configured: rejecting request

Monitoring freeradius on local net indicates that the server was never called, from the vpn server, so what am I missing?

Answer 1

I am not quite sure what happened, but after doing a complete reinstall of Freeradius on the server there were no problem with proxying the request.

For simplicity you can just point the proxy server towards the VPN ip address of the local radius server and that is basically it.

Assuming you have a clean install of Freeradius, then you would only need to modify proxy.conf with the following setup:

realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    # Connect to the VPN IP adress of local radius server.
    authhost = 192.168.100.2:1812
    accthost = 192.168.100.2:1813

    nostrip
}

Also when testing user login with radtest: Do not test against localhost:18120 as you are only testing against local user on the VPN due to it is mapped against the inner-tunnel virtual server.

You should instead test against localhost:1812 as it is mapped against the default virtual server.

Testing against the proxy server gave me among others the following output from freeradius -x

(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "user@example.com"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user user to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Starting proxy to home server 192.168.100.2 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 192.168.100.2 port 1812 timeout 14.000000
(0) Sent Access-Request Id 191 from 127.0.0.1:45143 to 192.168.100.2:1812 length 142
(0)   User-Name = "user"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = ...
(0)   MS-CHAP-Challenge = ...
(0)   MS-CHAP-Response = ...
(0)   Event-Timestamp = "May 24 2021 17:18:40 CEST"
(0)   Proxy-State = 0x313133
Waking up in 0.3 seconds.
(0) Marking home server 192.168.100.2 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 191 from 192.168.100.2:1812 to 192.168.100.1:45143 length 89
(0)   MS-CHAP-MPPE-Keys = ...
(0)   MS-MPPE-Encryption-Policy = Encryption-Required
(0)   MS-MPPE-Encryption-Types = 4
(0)   Proxy-State = 0x313133

Important closing remarks

It appears that the way proxying works is changing with each major revision of Freeradius.

The syntax I used is compatible with version 2 of Freeradius, but considered obsolete in version 3. Here the recommended way is to point the realms against home_server_pools which in turn points towards a pool of one or more home_servers.

Though obsolete - it still works with version 3. :-)

However: In Freeradius version 4 everything has changed again when setting up a proxy server and as such we need to learn a new way of configuring the server.

For more information. Please go to this link:

https://wiki.freeradius.org/upgrading/version4/proxy