This tutorial covers how to make pptp authenticate to RADIUS using freeradius and use the files module where /etc/freeradius/users will be used to authenticate connections.
On Debian, the libradiusclient-ng2 and the freeradius client must be installed with:
aptitude install freeradius libradiusclient-ng2
Not many changes are required to FreeRADIUS because it does have MS-CHAP enabled by default - which is the authentication protocol used for Microsoft products and then one we will be using.
In the /etc/freeradius/modules/mschap file, enable the following options:
use_mppe = yes require_encryption = yes require_strong = yes
in order to:
MPPE,
Make a symbolic link between /etc/radiusclient-ng/ and /etc/radiusclient - this is due to the radius.so and radattr.so pppd plugins that look for the configuration in the /etc/radiusclient directory.
Next, create the Microsoft dictionary at /etc/radiusclient/dictionary.microsoft with the following contents:
# # Microsoft's VSA's, from RFC 2548 # # $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $ # VENDOR Microsoft 311 Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft ATTRIBUTE MS-CHAP-Error 2 string Microsoft ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft # This is referred to as both singular and plural in the RFC. # Plural seems to make more sense. ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft ATTRIBUTE MS-CHAP-Domain 10 string Microsoft ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft ATTRIBUTE MS-BAP-Usage 13 integer Microsoft ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft ATTRIBUTE MS-RAS-Version 18 string Microsoft ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft ATTRIBUTE MS-CHAP2-Response 25 string Microsoft ATTRIBUTE MS-CHAP2-Success 26 string Microsoft ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft # # Integer Translations # # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0 VALUE MS-BAP-Usage Allowed 1 VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1 VALUE MS-ARAP-PW-Change-Reason Expired-Password 2 VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3 VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1 VALUE MS-Acct-Auth-Type CHAP 2 VALUE MS-Acct-Auth-Type MS-CHAP-1 3 VALUE MS-Acct-Auth-Type MS-CHAP-2 4 VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4 VALUE MS-Acct-EAP-Type OTP 5 VALUE MS-Acct-EAP-Type Generic-Token-Card 6 VALUE MS-Acct-EAP-Type TLS 13
Also create a port-id-map:
echo "" >/etc/radiusclient/port-id-map
In order to take the Microsoft dictionary into account, edit the /etc/radiusclient/dictionary file and append the following lines at the end:
INCLUDE /etc/radiusclient/dictionary.merit INCLUDE /etc/radiusclient/dictionary.microsoft
Now, depending on where the RADIUS server can be find, you need to edit /etc/radiusclient/radiusclient.conf and configure the parameters. Pay particular attention to authserver and acctserver that should point to the IP or hostname and port pair of the RADIUS server.
In order to make the client aware of the RADIUS servers, edit /etc/radiusclient/servers and add the IP and the secret from /etc/freeradius/client.conf on a single line. For instance, given a server at 127.0.0.1 and a secret testing123, you would edit the file /etc/radiusclient/servers and add:
127.0.0.1 testing123
Edit /etc/pptpd.conf and add the lines:
option /etc/ppp/pptpd-options logwtmp localip 192.168.1.1 remoteip 192.168.1.10-20
where 192.168.1.1 will be the IP of the PPTPd server and 192.168.1.10 through 192.168.1.20 will be the IP addresses that will be dished out to clients.
Now edit /etc/ppp/pptpd-options and add the lines:
name pptpd refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 mppe-stateful proxyarp nodefaultroute lock nobsdcomp nopcomp debug lcp-echo-failure 10 lcp-echo-interval 60 plugin radius.so plugin radattr.so
In order to add users, edit /etc/freeradius/users and create users. For instance, the following configuration adds a user called joe with the password superduper:
joe Cleartext-Password := "superduper"
Service-Type = Framed-User
pptpd and pppd will log to the daemon facility, usually to be found at /var/log/daemon.log. In case you get authentication failures, then you could run freeradius on the command line with debugging turned on:
freeradius -X