Poptop (http://www.poptop.org/) is the PPTP server solution for Linux and is used for establishing VPN (Virtual Private Network) tunnels across the Internet.

It uses pppd to establish the network link and can thus benefit from the pppd radius plugin to work with FreeRADIUS:

  • authorization of the access can be done on several parameters (username, user group, VPN server IP address or name, VPN client IP address, connection time...)
  • authentication of the user can be delegated to the radius server (which can use several backends to store user profiles)
  • IP pool management for the VPN client can be delegated to the FreeRADIUS server
  • if MPPE encryption is required, MPPE keys can be generated by the FreeRADIUS server
  • Accounting data can be sent to FreeRADIUS

In order to use MPPE, authentication must be set up to use MS-CHAP or MS-CHAPv2, which requires the user password to be stored in NTLM hashed format or in cleartext format in the FreeRADIUS backend.

Setting up the Poptop server

  • Install Poptop, pppd, pppd-radius, libradiusclient on your system.
  • Check that your kernel has support for MPPE encryption (the ppp_mppe module):
### If it is not available
# modprobe ppp-compress-18 && echo MPPE Module is ok
FATAL: Module ppp_mppe not found.
### If it is available
# modprobe ppp-compress-18 && echo MPPE Module is ok
MPPE Module is ok

Poptop setup files

Follow Poptop documentation to setup the pptpd daemon.

A sample /etc/pptpd.conf is given below

ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
noipparam
delegate
connections 150
localip 10.1.1.1

Note: "noipparam" is used here because in 'this' (my) particular setup, FreeRADIUS handles IP pool management.

Next, modify the /etc/ppp/options.pptpd file:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

[...]

plugin radius.so
plugin radattr.so

Note: the above setup only accepts MS-CHAPv2 authentication and requires 128-bit MPPE encryption.

Note: Pay special attention to the fact that '''both radius.so AND radattr.so''' plugins need to be defined in this file.

Radius settings

The FreeRADIUS setup part

  • Define the Poptop server's IP address and shared secret in the FreeRADIUS /etc/raddb/clients.conf file.

  • Make sure the mschap module is set up to accept MPPE encryption:
    • in FR1: go to the /etc/raddb/radiusd.conf file and check the mschap {} subsection in the modules {} section
    • in FR2: go to the /etc/raddb/modules/mschap file and check the module setup
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}

Note: use_mppe must not be set to no. The default parameters work well, but you can tune require_encryption and require_strong to better customize the setup.

  • Double-check that the mschap module is not commented out in either the authorize or the authenticate section.
  • Optionally define the IP pools in your FreeRADIUS /etc/raddb/radiusd.conf (in FR1) or /etc/raddb/modules/ippool (in FR2).

The radiusclient setup part (on the Poptop server)

  • Set up your /etc/radiusclient/radiusclient.conf file, for instance with:
auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      myradius.mydomain.com:1812
acctserver      myradius.mydomain.com:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

Where myradius.mydomain.com is the DNS name of your FreeRADIUS server.

  • Set up your /etc/radiusclient/servers file:
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
myradius.mydomain.com                           same-secret-in-freeradius-client.conf
  • Check that you've got the required radiusclient dictionaries (dictionary.merit and dictionary.microsoft). If you don't have them in /etc/radiusclient or in /usr/share/radiusclient-ng (for radiusclient-ng), then copy them from the dictionary text below:
#
#       Microsoft's VSA's, from RFC 2548
#
#       $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
#
VENDOR          Microsoft       311     Microsoft
BEGIN VENDOR    Microsoft
ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft encrypt=1
ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer        Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft
ATTRIBUTE       MS-Filter               22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft
ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft
ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr Microsoft
#ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft
#
#       Integer Translations
#
#       MS-BAP-Usage Values
VALUE           MS-BAP-Usage            Not-Allowed     0
VALUE           MS-BAP-Usage            Allowed         1
VALUE           MS-BAP-Usage            Required        2
#       MS-ARAP-Password-Change-Reason Values
VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4
#       MS-Acct-Auth-Type Values
VALUE           MS-Acct-Auth-Type       PAP             1
VALUE           MS-Acct-Auth-Type       CHAP            2
VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
VALUE           MS-Acct-Auth-Type       EAP             5
#       MS-Acct-EAP-Type Values
VALUE           MS-Acct-EAP-Type        MD5             4
VALUE           MS-Acct-EAP-Type        OTP             5
VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
VALUE           MS-Acct-EAP-Type        TLS             13
END-VENDOR Microsoft

'''And :'''

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8
  • Note that many copies of dictionary.microsoft for radiusclient floating around are incorrect for attributes 28 and 29: the trailing word Microsoft is missing. If you configure a DEFAULT entry in FreeRADIUS to issue DNS servers to your clients instead of using ms-dns in the options.pppd file, the pppd radius plugin will not know what to do with those attributes unless you add the term Microsoft to them.
  • Then include these files in your main radiusclient dictionary by adding '''"INCLUDE" lines''' '''at the end of the /etc/radiusclient/dictionary''' file:
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

Note: A common issue is to use the "$INCLUDE" keyword instead of "INCLUDE". Though a quick look at the source code of radiusclient made me doubt this, I can report that only the INCLUDE keyword works for me (and others).

That's not working

Ok, so you've followed the above steps and it's still not working. Let's double-check things before you post to the FreeRADIUS mailing lists:

  • First, check that you have NOT modified any dictionary on the FreeRADIUS server. A common mistake is to use the above dictionary (formatted for radiusclient) on FreeRADIUS. If you have done this, restore the dictionary files from the FreeRADIUS package.
  • Check that you are using the INCLUDE keyword in the /etc/radiusclient/dictionary file and not "$INCLUDE".

Then let's have a look at the /var/log/messages file on your Poptop VPN server. If you get messages like the ones below, the problem is due to bad radiusclient dictionary definitions:

May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11
May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25

In this case, check again that you have the latest Microsoft dictionary for radiusclient and that you've correctly included it in the radiusclient configuration.
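As an added example (not part of the original page), the following Python script checks the two radiusclient dictionary pitfalls discussed above, the missing Microsoft vendor column on attributes 28 and 29 and "$INCLUDE" in place of INCLUDE, and maps pppd's "unknown attribute N" messages to Microsoft VSA names. The dictionary excerpts and the log lines are constructed for the example.

```python
import re
# Constructed excerpt of a radiusclient dictionary.microsoft (ATTRIBUTE lines only)
# in which attributes 28 and 29 lack the trailing "Microsoft" vendor column.
MS_DICT = """\
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr
"""
# Constructed main dictionary tail that uses the wrong "$INCLUDE" keyword.
MAIN_DICT = """\
$INCLUDE /etc/radiusclient/dictionary.microsoft
"""
# Constructed /var/log/messages lines of the kind quoted above.
LOG_LINES = [
    "May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11",
    "May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25",
]
# Microsoft VSAs the MS-CHAPv2 exchange and the DNS push depend on.
REQUIRED_MS = {11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response",
               28: "MS-Primary-DNS-Server", 29: "MS-Secondary-DNS-Server"}
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?")
UNKNOWN_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")

def parse_attributes(text):
    """Map attribute number -> (name, type, vendor column or None)."""
    matches = (ATTR_RE.match(l) for l in text.splitlines())
    return {int(m.group(2)): (m.group(1), m.group(3), m.group(4)) for m in matches if m}

def dictionary_problems(main_text, ms_text):
    """List findings for the main and Microsoft radiusclient dictionaries."""
    findings = ['"$INCLUDE" used; radiusclient expects "INCLUDE"'
                for l in main_text.splitlines() if l.startswith("$INCLUDE")]
    attrs = parse_attributes(ms_text)
    for num, name in REQUIRED_MS.items():
        entry = attrs.get(num)
        if entry is None:
            findings.append(f"attribute {num} ({name}) missing")
        elif entry[2] != "Microsoft":
            findings.append(f"attribute {num} ({name}) lacks the Microsoft vendor column")
    return findings

def explain_unknown_attributes(log_lines, ms_attrs):
    """Map pppd 'unknown attribute N' log lines to names from a reference dictionary."""
    matches = (UNKNOWN_RE.search(l) for l in log_lines)
    return [(int(m.group(1)), ms_attrs.get(int(m.group(1)), ("?",))[0]) for m in matches if m]
```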

If it's still not working, check the FreeRADIUS debug logs by running it with the "-X" flag.

  • Check that in the packets you see the following attributes exchanged:
    • User-Name
    • MS-CHAP-Challenge
    • MS-CHAP2-Response
  • If an access Accept is sent by FreeRADIUS, check that the following attributes are part of the response:
    • MS-MPPE-Recv-Key = 0x....
    • MS-MPPE-Send-Key = 0x...
    • MS-MPPE-Encryption-Policy = 0x...
    • MS-MPPE-Encryption-Types = 0x...
  • If not, then have a look at your radiusd.conf setup, especially the "use_mppe" parameter.
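As an added example (not part of the original page), this Python script automates the attribute checks listed above over a captured radiusd -X session: it groups the attribute lines under their Access-Request and Access-Accept headers and reports what is missing. The debug excerpt is constructed in the style of FreeRADIUS 2 output with zero-filled placeholders instead of real challenge or key values.

```python
# Constructed excerpt in the style of FreeRADIUS 2 "radiusd -X" output; the
# 0x... values are zero-filled placeholders, not real challenge or key material.
DEBUG_OUTPUT = """\
rad_recv: Access-Request packet from host 10.1.1.2 port 32768, id=7, length=150
\tUser-Name = "vpnuser"
\tMS-CHAP-Challenge = 0x00000000000000000000000000000000
\tMS-CHAP2-Response = 0x00000000000000000000000000000000
\tNAS-IP-Address = 10.1.1.1
Sending Access-Accept of id 7 to 10.1.1.2 port 32768
\tMS-MPPE-Recv-Key = 0x00000000000000000000000000000000
\tMS-MPPE-Send-Key = 0x00000000000000000000000000000000
\tMS-MPPE-Encryption-Policy = 0x00000001
\tMS-MPPE-Encryption-Types = 0x00000004
"""
# Same exchange with the MPPE attributes stripped from the Access-Accept, the
# symptom the text above tells you to trace back to use_mppe.
ACCEPT_WITHOUT_MPPE = "\n".join(
    l for l in DEBUG_OUTPUT.splitlines() if "MS-MPPE" not in l)

REQUEST_ATTRS = {"User-Name", "MS-CHAP-Challenge", "MS-CHAP2-Response"}
ACCEPT_ATTRS = {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key",
                "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types"}

def split_packets(debug_text):
    """Group the tab-indented attribute lines under the packet header above them."""
    packets = []  # list of (packet kind, {attribute: value})
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            packets.append(("Access-Request", {}))
        elif line.startswith("Sending Access-Accept"):
            packets.append(("Access-Accept", {}))
        elif line.startswith("\t") and packets:
            name, _, value = line.strip().partition(" = ")
            packets[-1][1][name] = value
    return packets

def check_exchange(debug_text):
    """Return findings for the request/accept attribute checks listed above."""
    findings = []
    for kind, attrs in split_packets(debug_text):
        if kind == "Access-Request":
            findings += [f"request lacks {a}" for a in sorted(REQUEST_ATTRS - attrs.keys())]
        elif kind == "Access-Accept":
            missing = sorted(ACCEPT_ATTRS - attrs.keys())
            findings += [f"accept lacks {a}" for a in missing]
            if missing:
                findings.append("check use_mppe in the mschap module configuration")
    return findings
```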