12. Software for Radius Setup
FC5 and FC6 have freeradius bundled. FC5 has freeradius-1.0.5-1.2 and FC6 has freeradius-1.1.3-1.1. Get it from yum if it is not installed. It has quite a few dependences and yum will resolve all required dependences automagically.
[root@pptp ~]# yum install freeradius
The second software you will need is radiusclient. Get the rpm, radiusclient-0.3.2-0.2.fc5.rf.i386.rpm or radiusclient-0.3.2-0.2.fc6.rf.i386.rpm, from here. Install it with "rpm -ivh".
Note: information for FC4 is in Appendix A4.
Radiusclient is required because the pppd radius plugin relies on it. There are a few configuration files in /etc/radiusclient to look at. The first one is /etc/radiusclient/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:
#Server Name or Client/Server pair Key
#---------------- ---------------
localhost testing123
The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. Older version of freeradius has the default key "testing123". Of course, it is a bad idea to use the default.
The main configuration file for radiusclient is /etc/radiusclient/radiusclient.conf. Here is how it should be when all remarks are stripped off:
auth_order radius login_tries 4 login_timeout 60 nologin /etc/nologin issue /etc/radiusclient/issue authserver localhost acctserver localhost servers /etc/radiusclient/servers dictionary /etc/radiusclient/dictionary login_radius /usr/sbin/login.radius seqfile /var/run/radius.seq mapfile /etc/radiusclient/port-id-map default_realm radius_timeout 10 radius_retries 3
Basically, all of the lines are default. I have not changed anything.
In /etc/radiusclient, there is a file called dictionary. Add the following line to the end of the file.
INCLUDE /etc/radiusclient/dictionary.microsoft
The file, dictionary.microsoft, is not included in the radiusclient. We can modify the one from freeradius so that it can be used by pppd.
First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word "octets" to "string" in the file. Add the word Microsoft to all attributes. Here is my version:
#
# Microsoft's VSA's, from RFC 2548
#
# $Id: poptop_ads_howto_8.htm,v 1.6 2007/02/23 00:25:12 wskwok Exp $
# VENDOR Microsoft 311 Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft #
# Integer Translations
# # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13 END-VENDOR Microsoft