Using the Radius server in Mac OS X Server 10.6 for Cisco IOS WebVPN user and group authentication

One of my customers was looking for a simple Cisco WebVPN solution to replace his older EasyVPN. The goals were to increase security (by defining user groups and IP access lists) and to ease deployment for external parties that needed to log onto the VPN. This posed the following problems:

– The Cisco router that was used (a 1921) only supports local users; in order to apply different group policies there had to be group authentication as well.
– Mac OS X 10.6 uses its RADIUS server only to authenticate users on AirPort base stations. Authorization for other devices is not enabled by default and group information is not pushed to other devices.

So… let’s get started! For this to work you’ll need to have your Cisco router connected to your Mac OS X server in some way. I won’t go into the basics of setting up your router, your WebVPN or your Mac OS X server here, there are plenty of tutorials on that on the web already.

First of all we’ll have to alter the configuration of the excellent FreeRADIUS server that Apple ships with Mac OS X Server 10.6. This is easier than it seems. Stop the RADIUS server in the Server Admin utility and browse to the /etc/raddb/ directory. We’ll make changes to two files here.

In clients.conf we’ll have to instruct the RADIUS server to accept incoming connections from the Cisco router. This is done by adding the following lines just above the “client localhost {” block:

client 192.168.9.1/32 {
secret = somesecretyoucameupwith
shortname = vpn
nastype = cisco
}

The shortname is the router’s hostname and the address is the router’s IP address. Save the file (you’ll need administrator access to do this) but don’t start the RADIUS server just yet. We also have to edit the users file (in the same directory) in order to push group information to the router.

In the users file you can specify the reply attributes that should be pushed back to the router upon a successful authentication. I looked into the possibility of making the RADIUS server push the user’s default directory group to the router, but deemed it far too difficult to make that work. Instead I opted to make separate entries for all my users and specify their policy group explicitly. At the bottom of the users file you can add entries like this (the reply items must be on indented lines below the user, separated by commas):

user1          Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"

When user1 tries to log in to the WebVPN the RADIUS server will (upon a successful authentication) push the webvpn:user-vpn-group attribute to the router. This attribute (in this case the group name management) selects the correct policy group for the user. Now the RADIUS part is done: start the RADIUS server and see if it runs. If it doesn’t start you probably made a typo somewhere; see the notes below on how to debug it.
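Because every user is mapped to a group by hand, it is easy to forget the avpair for one of them, and such a user silently lands in the router’s default policy (see the notes at the end of this post). As an added example that is not part of the original post, this Python script parses entries in the layout shown above and reports users whose reply items carry no webvpn:user-vpn-group avpair, users missing from a supplied set of directory accounts, and users whose group is not one of the policy groups you defined in the webvpn context. The sample entries, the directory user set and the group set are constructed for the example; the parser handles only the entry layout used above, not every feature of the FreeRADIUS users file.

```python
"""Lint WebVPN group mappings in a FreeRADIUS `users` file (added example)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout the post uses: a check-item line per user,
# followed by indented reply items; the last reply item has no trailing comma.
SAMPLE_USERS_FILE = '''\
# entries added at the bottom of /etc/raddb/users
user1\tCleartext-Password := "password"
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "webvpn:user-vpn-group=management"

user2\tCleartext-Password := "hunter2"
\tService-Type = NAS-Prompt-User

user3\tCleartext-Password := "letmein"
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "webvpn:user-vpn-group=sales"
'''

GROUP_RE = re.compile(r"^webvpn:user-vpn-group=(\S+)$")


def parse_users_file(text: str) -> Dict[str, List[str]]:
    """Return {username: [reply item, ...]}.

    A line starting in column one begins a new entry (username plus check
    items); an indented line is a reply item belonging to the current entry.
    Blank lines and comments are ignored. Duplicate usernames merge.
    """
    entries: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError(f"reply item before any user entry: {line!r}")
            entries[current].append(line.strip().rstrip(","))
        else:
            current = line.split(None, 1)[0]
            entries.setdefault(current, [])
    return entries


def vpn_group(reply_items: List[str]) -> Optional[str]:
    """Return the WebVPN group selected by a reply list, or None if absent."""
    for item in reply_items:
        name, _, value = item.partition("=")
        if name.strip() != "cisco-avpair":
            continue
        match = GROUP_RE.match(value.strip().strip('"'))
        if match:
            return match.group(1)
    return None


def audit(text: str, directory_users: Set[str], known_groups: Set[str]) -> dict:
    """Report users that would fall through to the router's default policy,
    users not present in the directory, and references to undefined groups."""
    report = {"groups": {}, "no_group": [], "not_in_directory": [], "unknown_group": []}
    for user, items in parse_users_file(text).items():
        if user == "DEFAULT":          # FreeRADIUS catch-all entry, not a person
            continue
        group = vpn_group(items)
        if group is None:
            report["no_group"].append(user)
        else:
            report["groups"][user] = group
            if group not in known_groups:
                report["unknown_group"].append(user)
        if user not in directory_users:
            report["not_in_directory"].append(user)
    return report


if __name__ == "__main__":
    # Constructed inputs: accounts present in Open Directory and the policy
    # groups configured under the webvpn context.
    result = audit(SAMPLE_USERS_FILE, {"user1", "user3"}, {"management"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a copy of /etc/raddb/users with the real account list and group names; anything in no_group or unknown_group should be fixed before the RADIUS server is started again.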

Now it’s time to implement RADIUS authentication on the router. First we’ll add the RADIUS server to the config:

radius-server host 192.168.9.12 auth-port 1812 acct-port 1813 key 0 <somesecretyoucameupwith>

The secret needs to be the same as the secret you entered in clients.conf. The 0 tells IOS that the key is typed in cleartext; with service password-encryption enabled the running config will show it as a type 7 (key 7) string, which is not what you type in.

These are the AAA settings that I used. I want the router to check for a local account first, so that I can always access it in case the RADIUS server stops working; after that the router queries the RADIUS server for valid accounts.

aaa authentication login default local group radius
aaa authorization exec default local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius cache radius local
aaa accounting auth-proxy default start-stop group radius

From here on it’s easy: you can create different policy groups in your webvpn context. In this case I would create a policy group called management for user1 that allows him to reach certain hosts and see a specific URL list.

policy group management
  url-list "URLs"
  functions svc-enabled
  svc address-pool "sslvpn-pool"
  svc keep-client-installed
  svc split include 192.168.43.0 255.255.255.0
  svc split include 192.168.9.0 255.255.255.0
  svc dns-server primary 8.8.8.8
  svc dns-server secondary 8.8.4.4

Also add the following line to your webvpn context so that logins go through the AAA login list defined above and the RADIUS server is queried for valid accounts:

aaa authentication auto

Now your Cisco router will pass logins on to the RADIUS server and receive the attribute that selects the right policy group for the WebVPN. Nice!

Notes:

– For this to work the users specified have to exist both in Open Directory and in the users file.
– I used ports 1812 and 1813. Older RADIUS implementations used ports in the 1600 range. Cisco Configuration Professional still suggests these ports, but they don’t work with FreeRADIUS.
– I included the DNS servers because there is a bug in the current version of the AnyConnect client where DNS requests are not correctly forwarded when a split tunnel is used (CSCtf20226).
– If this doesn’t work, first launch the RADIUS server in debug mode on the Mac OS X server to see whether authentication succeeds. This is done by opening a terminal session and running radiusd -X as root.
– Next, use the RADIUS debugging on the Cisco router (debug radius) to check that the authentication replies that come back contain the avpair attribute. If the attribute is not included the router will assign the default policy. In my case I removed the default policy as it poses a security risk.
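The last two notes come down to one question: does the Access-Accept that FreeRADIUS returns actually carry the cisco-avpair, and is it authentic? As an added example that is not part of the original post, this Python script builds the reply that the user1 entry above would produce (Service-Type plus a Cisco Vendor-Specific attribute, vendor id 9, sub-type 1) with the Response Authenticator from RFC 2865, then decodes a reply the way the router has to: verify the authenticator against the shared secret, walk the attributes, and extract the webvpn:user-vpn-group value, returning None when the reply is not authentic or carries no group (the case in which the router falls back to its default policy). The identifier, request authenticator and shared secret are constructed sample values.

```python
"""Encode and decode a RADIUS Access-Accept carrying the cisco-avpair VSA (added example)."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7       # "NAS-Prompt-User" in the users file
VENDOR_CISCO = 9                  # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                  # Cisco sub-attribute carrying "key=value" text
GROUP_PREFIX = "webvpn:user-vpn-group="

# Constructed sample values standing in for a real Access-Request.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"somesecretyoucameupwith"
SAMPLE_IDENT = 42


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute: 4-byte vendor id 9, then sub-attribute 1 = avpair text."""
    sub = attr(CISCO_AVPAIR, text.encode("ascii"))
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a wrong shared secret fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV sequence, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def vpn_group_from_accept(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Group named in an authentic Access-Accept, or None (router would use its default policy)."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    if not verify_response(packet, request_auth, secret):
        return None
    for atype, value in parse_attrs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for sub_type, sub_value in parse_attrs(value[4:]):
            text = sub_value.decode("ascii", "replace")
            if sub_type == CISCO_AVPAIR and text.startswith(GROUP_PREFIX):
                return text[len(GROUP_PREFIX):]
    return None


def sample_reply(with_group: bool) -> bytes:
    """The reply the user1 entry would produce (constructed), with or without the avpair."""
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
    if with_group:
        attrs += cisco_avpair(GROUP_PREFIX + "management")
    return build_access_accept(SAMPLE_IDENT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    print(vpn_group_from_accept(sample_reply(True), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))   # management
    print(vpn_group_from_accept(sample_reply(False), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))  # None
```

The same decoding applied to a packet capture between the server and the router shows exactly what the debug output on either side is telling you: a reply that verifies but yields None is the situation the last note describes, where the default policy (if you kept one) would be applied.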

A big thanks to the folks on the FreeRADIUS mailing list for their assistance!
