This article gives an example of configuring an OpenVPN client (tunnel openvpn) that connects to an OpenVPN server (remote-access openvpn), with RADIUS used to authenticate the client connection.
OpenVPN server configuration
object-group service openvpn
  port-range 1194
exit
aaa authentication login radius_list radius
radius-server host 192.168.0.1
  key ascii-text <password_radius>
exit
no spanning-tree
security zone OpenVPN
exit
security zone untrusted
exit
interface gigabitethernet 1/0/1
  description "to_freeradius"
  security-zone OpenVPN
  ip address 192.168.0.10/24
exit
interface gigabitethernet 1/0/2
  description "to_WAN"
  security-zone untrusted
  ip address 192.0.2.1/30
exit
security zone-pair OpenVPN self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair OpenVPN OpenVPN
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match destination-port object-group openvpn
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
exit
remote-access openvpn test
  network 172.16.1.0/24
  protocol udp
  tunnel ip
  encryption algorithm aes128
  authentication algorithm sha
  login authentication radius_list
  crypto ca ca.crt
  crypto dh dh.pem
  crypto private-key server_openvpn.key
  crypto cert server_openvpn.crt
  security-zone OpenVPN
  enable
exit
ip route 0.0.0.0/0 192.0.2.2

esr# show remote-access status openvpn
User             IP-address      Server
---------------- --------------- --------------------------------------
client           172.16.1.6      openvpn(test)
Count sessions: 1
In the remote-access openvpn configuration, the login authentication <list-name> command is what forwards the OpenVPN client's authentication request to RADIUS; here it references the radius_list AAA list, which points at radius-server host 192.168.0.1.
OpenVPN client configuration
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 192.168.20.1/24
exit
tunnel openvpn 1
  ip firewall disable
  remote address 192.0.2.1
  port 1194
  protocol udp
  tunnel ip
  encryption algorithm aes128
  authentication algorithm sha
  crypto ca ca.crt
  crypto private-key client_openvpn.key
  crypto cert client_openvpn.crt
  username <username>
  password <password>
  enable
exit
ip route 0.0.0.0/0 192.168.20.254
In the tunnel openvpn configuration, the <username> and <password> values are the credentials the client presents, which the server then checks against RADIUS.
Minimal RADIUS configuration example
root@comp:~# cat /etc/freeradius/clients.conf
client 192.168.0.10 {
    secret = <password_radius>
    shortname = esr
}
root@comp:~# cat /etc/freeradius/users
<username> Cleartext-Password := "<password>"
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"
Verifying with Wireshark that authentication on RADIUS (IP 192.168.0.1) succeeds
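The RADIUS exchange that capture would show, modelled as an added Python example (not code from the article, from Eltex, or from FreeRADIUS): the ESR, acting as the NAS 192.168.0.10, sends an Access-Request carrying the tunnel's <username> and a PAP-hidden <password> (RFC 2865 section 5.2); the server checks it against the users entry and answers Access-Accept with Service-Type = Administrative-User; the NAS recomputes the Response Authenticator under the shared secret before trusting the answer. It assumes PAP (the method that matches a Cleartext-Password entry); the secret, user name and password are constructed placeholders, and radius_server is a minimal stand-in for the FreeRADIUS users lookup, not FreeRADIUS itself.

```python
"""Constructed model of the RADIUS PAP exchange between an ESR (NAS) and a RADIUS
server, RFC 2865 style. Added example; not Eltex or FreeRADIUS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE_USER = 6  # "Service-Type = Administrative-User" in the users file

# Constructed placeholders for the article's <password_radius>, <username>, <password>.
SHARED_SECRET = b"password_radius"
USERS = {"vpnuser": "vpnpass-longer-than-16-bytes"}  # models the FreeRADIUS 'users' file


def _xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor_block(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide; the server chains on the received (hidden) blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, authenticator, attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check: an Access-Accept is only trusted if its Response
    Authenticator verifies under the shared secret (the ESR 'key ascii-text')."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Minimal model of the server consulting its users entry (constructed, not FreeRADIUS)."""
    _code, ident, req_auth, attrs = parse(request)
    user = attrs[ATTR_USER_NAME].decode()
    password = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        reply = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER))
        return build_response(ACCESS_ACCEPT, ident, reply, req_auth, secret)
    return build_response(ACCESS_REJECT, ident, b"", req_auth, secret)


def run_exchange(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """One Access-Request / response round trip. Returns (response code, authenticator ok)."""
    req_auth = os.urandom(16)
    request = build_access_request(7, username, password, nas_secret, "192.168.0.10", req_auth)
    response = radius_server(request, server_secret)
    return parse(response)[0], verify_response(response, req_auth, nas_secret)


if __name__ == "__main__":
    print(run_exchange("vpnuser", "vpnpass-longer-than-16-bytes"))  # (2, True): Access-Accept
    print(run_exchange("vpnuser", "wrong"))                          # (3, True): Access-Reject
    print(run_exchange("vpnuser", "vpnpass-longer-than-16-bytes",
                       server_secret=b"mismatch"))                   # (3, False): secret mismatch
```

The third call reproduces the most common misconfiguration on this page: the secret in clients.conf differing from key ascii-text on the ESR. The server then recovers a garbage password and answers Access-Reject, and the reject's authenticator does not verify on the NAS either, so a capture shows Reject even though the credentials are right. Note that PAP hiding is MD5-based obfuscation keyed by the shared secret, not encryption; the 192.168.0.0/24 segment between the ESR and FreeRADIUS should be treated as a trusted management network.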