From b5e617c55ed349551aabf4f39bb257d6e4fef85e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 4 Oct 2018 09:42:45 +0200 Subject: VPN: add RADIUS authentication backend for L2TP/IPSec --- docs/ch09-vpn.rst | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/ch09-vpn.rst b/docs/ch09-vpn.rst index 953a918f..d596db6e 100644 --- a/docs/ch09-vpn.rst +++ b/docs/ch09-vpn.rst @@ -299,6 +299,40 @@ operational command. ---- ----- ----- --------- ------- ------- ---- vyos L2TP l2tp0 192.168.255.1 3.2K 8.0K 00h06m13s +RADIUS authentication +^^^^^^^^^^^^^^^^^^^^^ + +The above configuration made use of local accounts on the VyOS router for +authenticating L2TP/IPSec clients. In bigger environments usually something +like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used. + +VyOS supports either `local` or `radius` user authentication: + +.. code-block:: sh + + set vpn l2tp remote-access authentication mode + +In addition one or more RADIUS_ servers can be configured to server for user +authentication. This is done using the `radius-server` and `key` nodes: + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius-server 1.1.1.1 key 'foo' + set vpn l2tp remote-access authentication radius-server 2.2.2.2 key 'foo' + +**NOTE:** Some RADIUS_ severs make use of an access control list who is allowed +to query the server. Please configure your VyOS router in the allowed client +list. + +RADIUS source address +********************* + +Yet there is no way to configure the used RADIUS_ client source IP address on +the VyOS router, this is work in progres, see https://phabricator.vyos.net/T828. + +The IP address nearest to the radius server is currently used. If in doubt, +configure all IP addresses from the VyOS router in question. + Site-to-Site IPsec ------------------ 
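Review bot: the first `code-block` in the new "RADIUS authentication" section (`set vpn l2tp remote-access authentication mode`) omits the value, so a reader copying it gets an incomplete command; the sentence above lists the two choices, so write it as `set vpn l2tp remote-access authentication mode <local|radius>` to match the other examples in this chapter, which show complete commands. In the second block, `key 'foo'` documents a trivially guessable RADIUS shared secret and `1.1.1.1`/`2.2.2.2` are routable public addresses that belong to someone else; use an obvious placeholder such as `key '<shared-secret>'` together with addresses from the documentation ranges (e.g. `192.0.2.1`), and say that the same secret must be configured on the RADIUS server side, otherwise the example reads as if any string works. Typos in the added prose: "to server for user authentication" should be "to serve for user authentication" (or "to be used for user authentication"), "Some RADIUS_ severs" should be "servers", "access control list who is allowed" reads better as "access control list of clients that are allowed", "progres" should be "progress", and "Yet there is no way" should be "As yet there is no way". Finally, the last paragraph ("If in doubt, configure all IP addresses from the VyOS router") should say explicitly that this refers to the server's client list, since the preceding paragraph switched topic to the source address; e.g. "configure all IP addresses of the VyOS router in the RADIUS server's client list".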
@@ -816,6 +850,9 @@ SPOKE2 Example Configuration set protocols static route 192.168.1.0/24 next-hop 10.0.0.1 set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 +.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS +.. _FreeRADIUS: https://freeradius.org +.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server .. _RFC2332: https://tools.ietf.org/html/rfc2332 .. _RFC1702: https://tools.ietf.org/html/rfc1702 .. _RFC4301: https://tools.ietf.org/html/rfc4301 -- cgit v1.2.3
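Review bot: the three new link targets are inserted in the middle of the existing block of RFC targets, which makes that list harder to scan; place them either before or after the `RFC*` entries, and for consistency with the neighbouring targets (which point at IETF RFCs rather than Wikipedia) consider pointing `_RADIUS` at the protocol specification, RFC 2865, instead of the Wikipedia article.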