12. Software for Radius Setup

FC5 and FC6 have freeradius bundled. FC5 has freeradius-1.0.5-1.2 and FC6 has freeradius-1.1.3-1.1. Get it from yum if it is not installed. It has quite a few dependences and yum will resolve all required dependences automagically.

[root@pptp ~]# yum install freeradius 

The second software you will need is radiusclient. Get the rpm, radiusclient-0.3.2-0.2.fc5.rf.i386.rpm or radiusclient-0.3.2-0.2.fc6.rf.i386.rpm, from here. Install it with "rpm -ivh".

Note: information for FC4 is in Appendix A4.


13. Radiusclient

Radiusclient is required because the pppd radius plugin relies on it. There are a few configuration files in /etc/radiusclient to look at. The first one is /etc/radiusclient/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:

#Server Name or Client/Server pair              Key
#---------------- ---------------
localhost testing123

The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. Older version of freeradius has the default key "testing123". Of course, it is a bad idea to use the default.


13.1 radiusclient.conf

The main configuration file for radiusclient is /etc/radiusclient/radiusclient.conf. Here is how it should be when all remarks are stripped off:

auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3

Basically, all of the lines are default. I have not changed anything.


13.2 dictionary.microsoft

In /etc/radiusclient, there is a file called dictionary. Add the following line to the end of the file.

INCLUDE /etc/radiusclient/dictionary.microsoft

The file, dictionary.microsoft, is not included in the radiusclient. We can modify the one from freeradius so that it can be used by pppd.

First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word "octets" to "string" in the file. Add the word Microsoft to all attributes. Here is my version:

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: poptop_ads_howto_8.htm,v 1.6 2007/02/23 00:25:12 wskwok Exp $
# VENDOR Microsoft 311 Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft #
# Integer Translations
# # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13 END-VENDOR Microsoft


Next   Previous  Content