Page MenuHomeVyOS Platform
Create Task
Maniphest T434

RADIUS as l2tp vpn authentication mode is broken
Closed, ResolvedPublicBUG
Actions

Description

Using VyOS 999.201709092137 I'm not able to use RADIUS aus my authentication backend for L2TP VPN.

This gives the following error during a connection attempt:

Oct 27 17:48:26 AC1 xl2tpd[2419]: Connection established to xxx.xxx.185.181, 52081.  Local: 51934, Remote: 7 (ref=0/0).  LNS session is 'default'
Oct 27 17:48:26 AC1 xl2tpd[2419]: Call established with xxx.xxx.185.181, Local: 34544, Remote: 679, Serial: 1
Oct 27 17:48:26 AC1 pppd[4907]: pppd 2.4.6 started by root, uid 0
Oct 27 17:48:26 AC1 zebra[1525]: interface ppp0 index 12 <POINTOPOINT,NOARP,MULTICAST> added.
Oct 27 17:48:26 AC1 pppd[4907]: Connect: ppp0 <--> /dev/pts/1
Oct 27 17:48:29 AC1 zebra[1525]: interface ppp0 mtu changed from 1500 to 1400
Oct 27 17:48:29 AC1 pppd[4907]: rc_read_dictionary: couldn't open dictionary /etc/radiusclient-ng/dictionary.merit: No such file or directory
Oct 27 17:48:29 AC1 pppd[4907]: RADIUS: Can't read dictionary file /etc/radiusclient-ng/dictionary-ravpn
Oct 27 17:48:29 AC1 pppd[4907]: Peer <user> failed CHAP authentication
Oct 27 17:48:29 AC1 pppd[4907]: Modem hangup
Oct 27 17:48:29 AC1 pppd[4907]: Connection terminated.
Oct 27 17:48:45 AC1 xl2tpd[2419]: Connection established to xxx.xxx.185.181, 58644.  Local: 44906, Remote: 8 (ref=0/0).  LNS session is 'default'
Oct 27 17:48:45 AC1 xl2tpd[2419]: Call established with xxx.xxx.185.181, Local: 5753, Remote: 681, Serial: 1
Oct 27 17:48:45 AC1 pppd[5482]: pppd 2.4.6 started by root, uid 0
Oct 27 17:48:45 AC1 pppd[5482]: Connect: ppp0 <--> /dev/pts/1
Oct 27 17:48:48 AC1 pppd[5482]: rc_read_dictionary: couldn't open dictionary /etc/radiusclient-ng/dictionary.merit: No such file or directory
Oct 27 17:48:48 AC1 pppd[5482]: RADIUS: Can't read dictionary file /etc/radiusclient-ng/dictionary-ravpn
Oct 27 17:48:48 AC1 pppd[5482]: Peer <user> failed CHAP authentication
Oct 27 17:48:48 AC1 pppd[5482]: Modem hangup
Oct 27 17:48:48 AC1 pppd[5482]: Connection terminated.

Configuration is straight forward:

cpo@AC1# show vpn l2tp remote-access authentication
 mode radius
 radius-server <server> {
     key <secret>
 }

To double-check my radius connectivity I installed the FreeRADIUS client utilities (freeradius-utils) and performed a simple radtest which resulted in:

# radtest -4 <user> <pass> <radius-server> 0 <secret>
Sending Access-Request of id 154 to <radius-server> port 1812
        User-Name = "<user>"
        User-Password = "<pass>"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host <radius-server> port 1812, id=154, length=78
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class = 0xfoofooofoofoofoofoofoo

It can be ensured that the connectivity is working!

Details

Difficulty level
Normal (likely a few hours)
Version
999.201709092137
Why the issue appeared?
Issues in third-party code

Event Timeline

c-po created this task.Oct 27 2017, 4:37 PM
c-po updated the task description. (Show Details)
syncer added a subscriber: syncer.Oct 27 2017, 4:44 PM
Oct 27 17:48:48 AC1 pppd[5482]: RADIUS: Can't read dictionary file /etc/radiusclient-ng/dictionary-ravpn

i think that file not created or created in wrong place with wrong name

c-po added a comment.Oct 27 2017, 6:19 PM

On VyOS 1.1.7 we have /etc/radiusclient-ng/dictionary.merit which moved to /usr/share/freeradius/dictionary.merit on VyOS 1.2.x.

In addition we have /opt/vyatta/etc/ravpn/radius-dictionary.microsoft which is somehow copied to /etc/radiusclient-ng/dictionary.microsoft, but there is now also /usr/share/freeradius/dictionary.microsoft.

Switching to /usr/share/freeradius/dictionary.microsoft brings

Oct 27 20:17:03 AC1 pppd[8332]: rc_read_dictionary: invalid type on line 12 of dictionary /usr/share/freeradius/dictionary.microsoft

So using the old /etc/radiusclient-ng/dictionary.microsoft has another issue ...

Oct 27 20:18:50 AC1 pppd[8376]: rc_avpair_new: unknown attribute 6
Oct 27 20:18:50 AC1 pppd[8376]: rc_avpair_new: unknown attribute 7
Oct 27 20:18:50 AC1 pppd[8376]: rc_avpair_new: unknown attribute 1
Oct 27 20:18:50 AC1 pppd[8376]: rc_avpair_new: unknown attribute 4

.. digging into it ...

pasik added a subscriber: pasik.Oct 27 2017, 10:00 PM
c-po added a comment.Nov 12 2017, 3:57 PM
This comment was removed by c-po.
c-po added a comment.Dec 1 2017, 4:47 PM

Fixed in

c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.Dec 1 2017, 4:57 PM
c-po closed this task as Resolved.Dec 9 2017, 2:56 PM
c-po claimed this task.
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.Oct 3 2018, 2:14 PM
syncer added a project: VyOS-1.2.0-GA.Oct 15 2018, 10:42 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.Oct 15 2018, 10:42 PM