OpenVPN + Radius + LDAP
Friday, April 27th, 2007
Finally, after being swamped by several projects over the past few weeks, I'm back.
In this post I want to keep my promise and describe how to set up OpenVPN to authenticate users against a RADIUS server. Configuration is needed on both the server and the client side. I assume that you already have a working RADIUS server, so the RADIUS server configuration itself is not covered here.
In my case the RADIUS server uses an LDAP directory as its user database. The RADIUS and LDAP server configuration is out of scope for this post.
On the server side:
Add these lines to server.conf:
# enable external authentication through PAM; "radius" is the PAM service name
plugin /usr/local/lib/openvpn-auth-pam.so radius
# I don't want to use client certificates at all
client-cert-not-required
# use the authenticated username as the client's common name
username-as-common-name
The second argument to plugin is the PAM service name and must match the file you create under /etc/pam.d below; the plugin path depends on where your port or package installed it. username-as-common-name makes the RADIUS username, rather than a certificate CN, the name OpenVPN logs and uses for per-client config. Note that client-cert-not-required is deprecated in OpenVPN 2.4 and later, where the equivalent is verify-client-cert none. With no client certificates, a valid password is all a client needs, so make sure clients verify the server certificate (see the client section).
After configuring OpenVPN, you need to configure the PAM service for RADIUS. I am using FreeBSD, where PAM policies live in /etc/pam.d; make sure there is a file named radius in that directory, or create a new one.
I put the following lines into /etc/pam.d/radius:
#> more /etc/pam.d/radius
#
# PAM configuration for the "radius" service
#
account required pam_radius.so
auth    required pam_radius.so no_warn try_first_pass
The auth line does the actual RADIUS check; try_first_pass makes pam_radius use the password OpenVPN has already supplied through the PAM conversation instead of prompting again, and no_warn suppresses warning messages to the user.
Then configure the RADIUS client parameters in /etc/radius.conf (see radius.conf(5)); each line names a service (auth or acct), the RADIUS server and the shared secret:
> more /etc/radius.conf
acct your-server-name your-secret
auth your-server-name your-secret
The shared secret is the only thing protecting the passwords sent to the RADIUS server, so /etc/radius.conf must be owned by root and readable by root only (mode 0600). The openvpn-auth-pam plugin forks a privileged helper process at startup, before OpenVPN drops root, so it can still read this file when OpenVPN runs as an unprivileged user.
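As an added example (not code from the original post), here is the RADIUS PAP exchange that pam_radius performs on OpenVPN's behalf every time a client presents auth-user-pass credentials, written in Python after RFC 2865: the Access-Request with User-Password hidden under the shared secret from /etc/radius.conf, a minimal server that recovers the password, checks it and answers Access-Accept or Access-Reject, and the client-side check of the Response Authenticator. It goes beyond the post in showing both sides of the exchange. The shared secret, the user database standing in for LDAP and the NAS-Identifier are constructed values; nothing here talks to a real RADIUS or LDAP server.

```python
"""PAP Access-Request/Accept exchange between a RADIUS client (what pam_radius does for
OpenVPN) and a RADIUS server, after RFC 2865.  Added example, not code from the post:
packet layout, User-Password hiding and Response Authenticator follow the RFC; the
shared secret, user database and NAS-Identifier are constructed for an offline run."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: b1 = MD5(secret + RequestAuthenticator), c1 = p1 ^ b1,
    bi = MD5(secret + c(i-1)), ci = pi ^ bi.  Only the shared secret hides the password."""
    if len(password) > 128:
        raise ValueError("RADIUS PAP passwords are limited to 128 bytes")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password and drop the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(atype, value):
    """Attribute = Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    """Walk the attribute list, refusing lengths that run past the packet."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def build_access_request(ident, username, password, secret, nas_id=b"openvpn"):
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = os.urandom(16)  # fresh per request: keystream seed and reply binding
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def radius_server(request, secret, userdb):
    """Minimal server: recover the PAP password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None  # RFC 2865: silently discard malformed requests
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    hidden = attrs.get(ATTR_USER_PASSWORD)
    password = reveal_password(hidden, secret, request_auth) if hidden else b""
    username = attrs.get(ATTR_USER_NAME, b"")
    ok = username in userdb and hmac.compare_digest(userdb[username], password)
    verdict = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(verdict, ident, b"", request_auth, secret)
    return struct.pack("!BBH", verdict, ident, 20) + auth

def verify_response(response, request, secret):
    """Client side: accept a reply only with the same Identifier and a valid authenticator."""
    if response is None or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def authenticate(username, password, client_secret, server_secret, userdb):
    """One pam_radius-style round trip: reply code, or None when the reply does not verify
    (what the client sees when the two sides' secrets differ)."""
    request = build_access_request(0x2A, username, password, client_secret)
    response = radius_server(request, server_secret, userdb)
    return response[0] if verify_response(response, request, client_secret) else None

# Constructed demo data standing in for /etc/radius.conf and the LDAP-backed user store.
SECRET = b"your-secret"
USERDB = {b"rendo": b"correct horse battery staple"}  # 28 bytes: spans two cipher blocks
```

Calling authenticate with the right password returns 2 (Access-Accept), with a wrong one 3 (Access-Reject), and with mismatched client and server secrets None: the server recovers garbage instead of the password and the client cannot verify the reply, which in a real deployment shows up as pam_radius timing out rather than as a clear error. The hiding is an MD5 keystream keyed by the secret alone, and a plain Access-Request carries no integrity check, which is why the secret in radius.conf needs to be strong and root-only and why the path between OpenVPN and the RADIUS server should be a trusted network.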
On the client side:
Add this line to the client configuration:
auth-user-pass
On the client a certificate and key are optional, but the CA file is MANDATORY: the CA certificate is what the client uses to authenticate the server and make sure it is connecting to the right one, and that check carries more weight now that the user's password is the only credential the server asks for. With OpenVPN 2.1 or later also add remote-cert-tls server, so the client refuses any certificate from the same CA that was not issued for a server.
That’s all. Happy trying
-rendo-

