poptop_ads_howto_9.htm 3.1 KB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>
<body>
<p><strong>14. Freeradius</strong></p>
<p>Freeradius has a massive 57KB configuration file. Fortunately, we only have to change a few lines.</p>
<hr>
<a name="mschap2"></a><strong>14.1 Configure Freeradius for MSCHAPv2</strong>
<p>Edit /etc/raddb/radiusd.conf to enable MSCHAPv2. Open the file, locate the modules section and then the mschap subsection.</p>
<blockquote>
<pre>modules {
....[snip]....
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}&quot;
}
....[snip]....
}</pre>
</blockquote>
<p>The mschap entries in the authorize and authenticate sections are enabled by default. If they are not, enable them. Save the file.</p>
<p>The RADIUS server shares a secret with each client that talks to it. The default secret in freeradius is testing123. Change it for obvious security reasons: a default secret is no secret. The secret is set in /etc/raddb/clients.conf.</p>
<blockquote>
<pre>client 127.0.0.1 {
 #
 # The shared secret used to &quot;encrypt&quot; and &quot;sign&quot; packets between
 # the NAS and FreeRADIUS. You MUST change this secret from the
 # default, otherwise it's not a secret any more!
 #
 # The secret can be any string, up to 32 characters in length.
 #
 secret = testing123
....[snip]....
</pre>
</blockquote>
<p><strong>Note</strong>: if you change the shared secret, you must also update /etc/radiusclient/servers so that the two secrets match.</p>
<hr>
<p><strong><a name="access"></a>14.2 PPTP Access Control</strong></p>
<p>The above configuration allows everyone with a valid user ID in the AD to connect to the pptpd server. To restrict access to a group of users, create a group in the AD, say VPN_Allowed, add the permitted users to it, and modify the ntlm_auth line in /etc/raddb/radiusd.conf to include the parameter &quot;--require-membership-of=EXAMPLE+VPN_Allowed&quot;.</p>
<p>In the example, I split the line into multiple lines for clarity. It must be one continuous line in the configuration file.</p>
<blockquote>
<pre>ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
--require-membership-of=EXAMPLE+VPN_Allowed&quot;</pre>
</blockquote>
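<p>The checks that sections 14.1 and 14.2 imply, as an added shell script that is not part of the howto: it reads the three files named above (constructed copies are written inline), and flags a clients.conf that still carries the default secret, a /etc/radiusclient/servers entry that does not match it, and an ntlm_auth line without --require-membership-of. It assumes the radiusclient servers file holds one "server secret" pair per line.</p>

```shell
#!/bin/sh
# Added check script, not part of the howto: verifies that clients.conf no longer
# uses testing123, that /etc/radiusclient/servers carries the same secret, and that
# ntlm_auth restricts logins to an AD group. Assumed servers-file format: "server secret" per line.

# Secret of the "client 127.0.0.1 {" block in a clients.conf-style file.
radius_secret() {
    awk '/^[[:space:]]*client[[:space:]]+127\.0\.0\.1/ { inblk = 1 }
         inblk && /^[[:space:]]*secret[[:space:]]*=/ {
             sub(/^[[:space:]]*secret[[:space:]]*=[[:space:]]*/, ""); print; exit }
         inblk && /^[[:space:]]*[}]/ { inblk = 0 }' "$1"
}

# Secret recorded for server $2 in the radiusclient servers file $1.
client_secret() {
    awk -v srv="$2" '!/^[[:space:]]*#/ && $1 == srv { print $2; exit }' "$1"
}

# True when the ntlm_auth line in radiusd.conf limits logins to an AD group.
ntlm_auth_restricts_group() {
    grep -E '^[[:space:]]*ntlm_auth[[:space:]]*=' "$1" | grep -q -- '--require-membership-of='
}

# Args: radiusd.conf clients.conf servers-file server-name. Exit status = number of findings.
check_radius_config() {
    n=0
    s=$(radius_secret "$2")
    if [ -z "$s" ] || [ "$s" = "testing123" ]; then
        echo "FAIL: $2 still carries the default shared secret"; n=$((n + 1))
    fi
    if [ "$s" != "$(client_secret "$3" "$4")" ]; then
        echo "FAIL: secret for $4 in $3 does not match $2"; n=$((n + 1))
    fi
    if ! ntlm_auth_restricts_group "$1"; then
        echo "WARN: ntlm_auth in $1 has no --require-membership-of; any AD user may connect"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files that mirror the page's snippets (not real configs).
write_samples() {
    mkdir -p "$1"
    printf 'modules {\n  mschap {\n    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%%{Stripped-User-Name:-%%{User-Name:-None}} --challenge=%%{mschap:Challenge:-00} --nt-response=%%{mschap:NT-Response:-00}"\n  }\n}\n' > "$1/radiusd.conf"
    printf 'client 127.0.0.1 {\n  # The shared secret\n  secret = testing123\n}\n' > "$1/clients.conf"
    printf '# server  secret\nlocalhost  testing123\n' > "$1/servers"
}

d=${TMPDIR:-/tmp}/radius-check.$$
write_samples "$d"
check_radius_config "$d/radiusd.conf" "$d/clients.conf" "$d/servers" localhost || echo "$? finding(s)"
rm -rf "$d"
```

Run against the real files with `check_radius_config /etc/raddb/radiusd.conf /etc/raddb/clients.conf /etc/radiusclient/servers localhost`; a non-zero exit means at least one of the page's three steps is still outstanding.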
<hr>
<a href="poptop_ads_howto_10.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_8.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
</body>
</html>