PopTop
From FreeRADIUS Wiki
Introduction
Poptop (http://www.poptop.org/) is the PPTP server solution for Linux and is used for establishing VPN (Virtual Private Network) tunnels across the Internet.
It uses pppd to establish the network link and can therefore benefit from the pppd-radius plugin to work with FreeRADIUS:
- authorization of the access can be done on several parameters (username, user group, VPN server IP address or name, VPN client IP address, connection time...)
- authentication of the user can be delegated to the radius server (which can use several backends to store user profiles)
- IP pool management for the VPN client can be delegated to the FreeRADIUS server
- if MPPE encryption is required, MPPE keys can be generated by the FreeRADIUS server
- Accounting data can be sent to FreeRADIUS
In order to use MPPE, authentication must be set up to use MS-CHAP or MS-CHAPv2, which requires the user password to be stored in the FreeRADIUS backend either as an NTLM hash or in cleartext.
Setting up the Poptop server
- Install Poptop, pppd, pppd-radius, libradiusclient on your system.
- Check that your kernel has built-in support for MPPE encryption:

    ### If it is not available
    # modprobe ppp-compress-18 && echo MPPE Module is ok
    FATAL: Module ppp_mppe not found.

    ### If it is available
    # modprobe ppp-compress-18 && echo MPPE Module is ok
    MPPE Module is ok
Poptop setup files
Follow the Poptop documentation to set up the pptpd daemon.
A sample /etc/pptpd.conf is given below:

    ppp /usr/sbin/pppd
    option /etc/ppp/options.pptpd
    noipparam
    delegate
    connections 150
    localip 10.1.1.1

Note:
- 10.1.1.1 is the IP address of the Poptop VPN server.
- "noipparam" is used here because in this particular (my) setup, FreeRADIUS handles IP pool management.
Then modify the /etc/ppp/options.pptpd file, for instance:

    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    [...]
    plugin radius.so
    plugin radattr.so

Note:
- the above setup only accepts MS-CHAPv2 authentication and requires MPPE encryption
- pay special attention to the fact that both the radius.so AND the radattr.so plugin NEED to be defined in this file
Radius settings
The FreeRADIUS setup part
- Define the Poptop server's IP address and shared secret in the FreeRADIUS /etc/raddb/clients.conf file.
- Make sure the mschap module is set up to generate MPPE keys. Go to the /etc/raddb/radiusd.conf file and check the mschap {} subsection in the modules {} section:

    # if use_mppe is not set to no mschap will
    # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
    # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
    #
    #use_mppe = no
    # if mppe is enabled require_encryption makes
    # encryption moderate
    #
    #require_encryption = yes
    # require_strong always requires 128 bit key
    # encryption
    #
    #require_strong = yes

  use_mppe must not be set to no. The default parameters work well, but you can tune require_encryption and require_strong to customize the setup further.
- Double-check that the mschap module is not commented out in either the authorize or the authenticate section.
- Optionally define the IP pools in your FreeRADIUS /etc/raddb/radiusd.conf.
The radiusclient setup part (on the Poptop server)
- Set up your /etc/radiusclient/radiusclient.conf file, for instance with:

    auth_order radius
    login_tries 4
    login_timeout 60
    nologin /etc/nologin
    issue /etc/radiusclient/issue
    authserver myradius.mydomain.com:1812
    acctserver myradius.mydomain.com:1813
    servers /etc/radiusclient/servers
    dictionary /etc/radiusclient/dictionary
    login_radius /usr/sbin/login.radius
    seqfile /var/run/radius.seq
    mapfile /etc/radiusclient/port-id-map
    default_realm
    radius_timeout 10
    radius_retries 3
    login_local /bin/login

  where myradius.mydomain.com is the DNS name of your FreeRADIUS server.
- Set up your /etc/radiusclient/servers file:

    #Server Name or Client/Server pair    Key
    #----------------                     ---------------
    #portmaster.elemental.net             hardlyasecret
    #portmaster2.elemental.net            donttellanyone
    myradius.mydomain.com                 same-secret-in-freeradius-client.conf

- Check that you have the required radiusclient dictionaries (dictionary.merit and dictionary.microsoft). If they are not in /etc/radiusclient or in /usr/share/radiusclient-ng (for radiusclient-ng), copy them from the dictionary text below.
    #
    # Microsoft's VSA's, from RFC 2548
    #
    # $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
    #

    VENDOR Microsoft 311 Microsoft

    ATTRIBUTE MS-CHAP-Response 1 string Microsoft
    ATTRIBUTE MS-CHAP-Error 2 string Microsoft
    ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
    ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
    ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
    ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
    ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
    # This is referred to as both singular and plural in the RFC.
    # Plural seems to make more sense.
    ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
    ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
    ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
    ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
    ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
    ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
    ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
    ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
    ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
    ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
    ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
    ATTRIBUTE MS-RAS-Version 18 string Microsoft
    ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
    ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
    ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
    ATTRIBUTE MS-Filter 22 string Microsoft
    ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
    ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
    ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
    ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
    ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
    ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
    ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
    ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
    ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
    #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft

    #
    # Integer Translations
    #

    # MS-BAP-Usage Values
    VALUE MS-BAP-Usage Not-Allowed 0
    VALUE MS-BAP-Usage Allowed 1
    VALUE MS-BAP-Usage Required 2

    # MS-ARAP-Password-Change-Reason Values
    VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
    VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
    VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
    VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4

    # MS-Acct-Auth-Type Values
    VALUE MS-Acct-Auth-Type PAP 1
    VALUE MS-Acct-Auth-Type CHAP 2
    VALUE MS-Acct-Auth-Type MS-CHAP-1 3
    VALUE MS-Acct-Auth-Type MS-CHAP-2 4
    VALUE MS-Acct-Auth-Type EAP 5

    # MS-Acct-EAP-Type Values
    VALUE MS-Acct-EAP-Type MD5 4
    VALUE MS-Acct-EAP-Type OTP 5
    VALUE MS-Acct-EAP-Type Generic-Token-Card 6
    VALUE MS-Acct-EAP-Type TLS 13
And the dictionary.merit file:
    #
    # Experimental extensions, configuration only (for check-items)
    # Names/numbers as per the MERIT extensions (if possible).
    #
    ATTRIBUTE NAS-Identifier 32 string
    ATTRIBUTE Proxy-State 33 string
    ATTRIBUTE Login-LAT-Service 34 string
    ATTRIBUTE Login-LAT-Node 35 string
    ATTRIBUTE Login-LAT-Group 36 string
    ATTRIBUTE Framed-AppleTalk-Link 37 integer
    ATTRIBUTE Framed-AppleTalk-Network 38 integer
    ATTRIBUTE Framed-AppleTalk-Zone 39 string
    ATTRIBUTE Acct-Input-Packets 47 integer
    ATTRIBUTE Acct-Output-Packets 48 integer

    # 8 is a MERIT extension.
    VALUE Service-Type Authenticate-Only 8
- Then include these files in your main radiusclient dictionary by adding "INCLUDE" lines at the end of the /etc/radiusclient/dictionary file:

    INCLUDE /etc/radiusclient/dictionary.merit
    INCLUDE /etc/radiusclient/dictionary.microsoft

Note: A common issue is using the "$INCLUDE" keyword instead of "INCLUDE". Though a quick look at the source code of radiusclient made me doubt this, I can report that only the INCLUDE keyword works for me (and others).
That's not working
OK, so you've followed the above steps and it's still not working. Let's double-check things before you post to the FreeRADIUS mailing lists:
- First, check that you have NOT modified any dictionary on the FreeRADIUS server. A common mistake is to use the above dictionaries (formatted for radiusclient) on FreeRADIUS. If you have done this, restore the dictionary files from the FreeRADIUS package.
- Check that you are using the INCLUDE keyword in the /etc/radiusclient/dictionary file and not "$INCLUDE".
Then have a look at the /var/log/messages file on your Poptop VPN server. If you get messages like the ones below, the problem is due to bad radiusclient dictionary definitions:

    May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11
    May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25

In this case, check again that you have the latest Microsoft dictionary for radiusclient and that you've correctly included it in the radiusclient configuration.
If it's still not working, check the FreeRADIUS debug output by running radiusd with the "-X" flag.
- Check that in the packets you see the following attributes exchanged:
- User-Name
- MS-CHAP-Challenge
- MS-CHAP2-Response
- If an Access-Accept is sent by FreeRADIUS, check that the following attributes are part of the response:
- MS-MPPE-Recv-Key = 0x....
- MS-MPPE-Send-Key = 0x...
- MS-MPPE-Encryption-Policy = 0x...
- MS-MPPE-Encryption-Types = 0x...
==> If not, then have a look at your radiusd.conf setup, especially the "use_mppe" parameter.
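As an added example (not part of the original wiki page, nor code from the radiusclient or FreeRADIUS projects), the script below automates the dictionary checks from the troubleshooting steps: it follows INCLUDE lines, flags "$INCLUDE" lines, lists which of the Microsoft VSAs this setup needs are still undefined, and maps the "unknown attribute N" numbers in pppd log lines to the Microsoft VSA of that number. The file contents and log lines are constructed samples, and matching N against Microsoft VSA numbers is an assumption drawn from the page's example of attributes 11 and 25.

```python
import re

# Constructed stand-ins for /etc/radiusclient/* (not real files); the main
# dictionary deliberately contains the "$INCLUDE" mistake the page warns about.
FILES = {
    "/etc/radiusclient/dictionary": (
        "ATTRIBUTE User-Name 1 string\n"
        "ATTRIBUTE User-Password 2 string\n"
        "$INCLUDE /etc/radiusclient/dictionary.microsoft\n"),
    "/etc/radiusclient/dictionary.microsoft": (
        "VENDOR Microsoft 311 Microsoft\n"
        "ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft\n"
        "ATTRIBUTE MS-CHAP2-Response 25 string Microsoft\n"
        "ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft\n"
        "ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft\n"),
}
# Constructed pppd log lines in the shape shown in the troubleshooting section.
LOG = ("May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11\n"
       "May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25\n")
# Microsoft VSAs an MS-CHAPv2 + MPPE setup must be able to encode and decode.
REQUIRED = {"MS-CHAP-Challenge", "MS-CHAP2-Response", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}
UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")

def load_dictionary(path, files=FILES):
    """Follow INCLUDE lines; return ({(vendor, number): name}, [paths after "$INCLUDE"]).
    "$INCLUDE" targets are NOT loaded, mirroring the page's report that only INCLUDE works."""
    attrs, bad_includes = {}, []
    for raw in files.get(path, "").splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "$INCLUDE" and len(fields) > 1:
            bad_includes.append(fields[1])
        elif fields[0] == "INCLUDE" and len(fields) > 1:
            sub_attrs, sub_bad = load_dictionary(fields[1], files)
            attrs.update(sub_attrs)
            bad_includes.extend(sub_bad)
        elif fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            vendor = fields[4] if len(fields) > 4 else None   # None = standard attribute
            attrs[(vendor, int(fields[2]))] = fields[1]
    return attrs, bad_includes

def missing_required(attrs):
    """Names from REQUIRED that the loaded dictionaries do not define."""
    return sorted(REQUIRED - set(attrs.values()))

def explain_unknown(log, files=FILES):
    """Map each 'unknown attribute N' in the log to the Microsoft VSA numbered N, if any."""
    ms_attrs, _ = load_dictionary("/etc/radiusclient/dictionary.microsoft", files)
    return {int(n): ms_attrs.get(("Microsoft", int(n)), "?") for n in UNKNOWN_RE.findall(log)}
```

Run against the real files by replacing FILES with the contents of /etc/radiusclient/dictionary and the files it includes; a non-empty second return value from load_dictionary or a non-empty missing_required list points at the dictionary problem described above.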