poptop_ads_howto_8.htm 7.5 KB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>
<body>
<p><strong>13. Software for Radius Setup</strong></p>
<p><em>freeradius</em> is not on the Fedora 8 DVD, although it is in the F8 yum repository, so it is not installed by default. Installing it through <em>yum</em> is recommended because it has quite a few dependencies, all of which <em>yum</em> resolves automatically. The version of <em>freeradius</em> in F8 is v1.1.7.</p>
<blockquote>
<pre>[root@pptp ~]# yum install freeradius</pre>
</blockquote>
<p>The second package you will need is <em>radiusclient-ng</em>. It is also in the F8 yum repository; the version there is v0.5.6.</p>
<blockquote>
<pre>[root@pptp ~]# yum install radiusclient-ng</pre>
</blockquote>
<p><strong>Note:</strong> information for FC4 / 5 / 6 is in <a href="poptop_ads_howto_a4.htm">Appendix A4</a>.</p>
<hr>
<p><strong><a name="rclient"></a>14. radiusclient-ng</strong></p>
<p>The pppd radius plugin was written against the original <em>radiusclient</em> package and by default looks for its configuration under /etc/radiusclient. Fedora ships <em>radiusclient-ng</em> instead, which installs under /etc/radiusclient-ng. The plugin's radius-config option can point it at another file, but the simplest fix is a symbolic link:</p>
<blockquote>
<pre>[root@pptp ~]# cd /etc
[root@pptp etc]# ln -s radiusclient-ng radiusclient</pre>
</blockquote>
<p>There are a few configuration files in /etc/radiusclient-ng to look at. The first one is /etc/radiusclient-ng/servers, which lists each radius server together with the shared secret used to talk to it. Here the radius server runs on the same box, so the file looks like this:</p>
<blockquote>
<pre>#Server Name or Client/Server pair    Key
#----------------                     ---------------
localhost                             testing123</pre>
</blockquote>
<p>The key is the shared secret of the radius server, and it must match the secret configured for this client in /etc/raddb/clients.conf. Older versions of <em>freeradius</em> ship with the default secret &quot;testing123&quot; for localhost. Do not keep the default: the shared secret is the only thing that authenticates the exchange between pppd and the server, and pppd's radius plugin also uses it (together with the Request Authenticator of the Access-Request) to decrypt the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes that carry the MPPE session keys. Anyone who knows the secret and can see or inject RADIUS traffic can therefore forge an Access-Accept or recover the VPN session keys from a captured exchange. Use a long random secret and change it in both files.</p>
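<p>To make concrete what the shared secret protects, here is an added example, not code from this howto, pppd or freeradius, that implements the RFC 2548 hiding of MS-MPPE-Send-Key / MS-MPPE-Recv-Key in Python. This is the transform pppd's radius plugin reverses with the key from the servers file. The secret, Request Authenticator, salt and session key in it are constructed values, and it goes slightly beyond the page by accepting any key length and rejecting a malformed salt.</p>

```python
"""RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key hiding, as pppd's radius plugin
has to undo it with the shared secret from /etc/radiusclient-ng/servers.

Added example for this howto; not code from Poptop, pppd or freeradius.
Constructed values: SECRET, REQUEST_AUTHENTICATOR, SALT and SESSION_KEY are
made up for the demonstration."""
import hashlib
import os


def salt_is_valid(salt):
    """RFC 2548: the salt is two octets and the high bit of the first must be set."""
    return len(salt) == 2 and bool(salt[0] & 0x80)


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt_key(key, secret, request_authenticator, salt=None):
    """Hide an MPPE key the way the RADIUS server does before sending it:
    P = len(key) || key || zero padding to a 16-octet boundary,
    b(1) = MD5(secret || Request-Authenticator || salt), c(1) = p(1) xor b(1),
    b(i) = MD5(secret || c(i-1)), c(i) = p(i) xor b(i); String = salt || c(1..n)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if not salt_is_valid(salt):
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(plain), 16):
        block = _xor16(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return salt + bytes(out)


def mppe_decrypt_key(value, secret, request_authenticator):
    """Recover the key from an MS-MPPE-*-Key attribute value. Returns None when
    the value is malformed or the length octet is impossible (a usual symptom
    of a wrong shared secret); otherwise the key, which with a wrong secret is
    simply garbage."""
    if len(request_authenticator) != 16 or len(value) < 18 or (len(value) - 2) % 16:
        return None
    salt, cipher = value[:2], value[2:]
    if not salt_is_valid(salt):
        return None
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        return None
    return bytes(plain[1:1 + key_len])


# Constructed demonstration values (not from any real exchange).
SECRET = b"testing123"                      # the weak default the howto warns about
REQUEST_AUTHENTICATOR = bytes(range(16))    # 16 octets taken from the Access-Request
SALT = b"\x80\x01"
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # 16-octet MPPE key


def demo():
    """Round-trip with the right secret, then show what the wrong one yields."""
    attr = mppe_encrypt_key(SESSION_KEY, SECRET, REQUEST_AUTHENTICATOR, SALT)
    return {
        "attribute_len": len(attr),          # 2 salt octets + 32 octets of ciphertext
        "right_secret": mppe_decrypt_key(attr, SECRET, REQUEST_AUTHENTICATOR),
        "wrong_secret": mppe_decrypt_key(attr, b"not-the-secret", REQUEST_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(name, val.hex() if isinstance(val, bytes) else val)
```

<p>With the right secret the 16-octet session key comes back intact; with the wrong one the length octet is garbage and the result is either None or an unrelated key. The only inputs an eavesdropper lacks are the secret and, trivially, the Request Authenticator, which travels in the clear, so the secret carries the whole weight.</p>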
<hr>
<a name="rclientconf"></a><strong>14.1 radiusclient.conf</strong>
<p>The main configuration file for radiusclient is /etc/radiusclient-ng/radiusclient.conf. Here is how it looks with all comment lines stripped out:</p>
<blockquote>
<pre>auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient-ng/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient-ng/servers
dictionary /usr/share/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient-ng/port-id-map
default_realm
radius_timeout 10
radius_retries 3
#bindaddr *
login_local /bin/login</pre>
</blockquote>
<p>All of these lines are the package defaults; nothing has been changed. The entries that matter to pppd's radius plugin are authserver, acctserver, servers, dictionary, radius_timeout and radius_retries; the login_*, nologin and issue entries are for radiusclient-ng's own login wrapper. Since authserver and acctserver point at localhost, RADIUS traffic stays on the loopback interface. If you ever move freeradius to another host, remember that RADIUS is plain UDP with no transport encryption: only the shared secret protects the exchange, so keep the server on a trusted network segment and firewall the RADIUS ports so that only the PPTP box can reach them.</p>
<hr>
<strong><a name="dict"></a>14.2 dictionary.microsoft</strong>
<p>In the /usr/share/radiusclient-ng directory there is a file called dictionary. Add the following line to the end of the file so that the Microsoft vendor-specific attributes are loaded as well:</p>
<blockquote>
<pre>INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft</pre>
</blockquote>
<p>The file dictionary.microsoft is not included in the radiusclient-ng package, but the one shipped with freeradius can be adapted so that pppd can use it.</p>
<p>First copy the freeradius version, /usr/share/freeradius/dictionary.microsoft, to /usr/share/radiusclient-ng. Then change the type &quot;octets&quot; to &quot;string&quot; throughout the file (radiusclient-ng has no octets type) and add the word Microsoft as a fourth column to every ATTRIBUTE line, including the four DNS and NBNS server attributes near the end. radiusclient-ng ties an attribute to its vendor through that column rather than through the BEGIN-VENDOR / END-VENDOR lines, so an attribute without it would be looked up as the standard attribute with the same number (28 to 31 are Idle-Timeout, Termination-Action, Called-Station-Id and Calling-Station-Id) and the vendor-specific one sent by the server would not be recognised. Here is the converted file:</p>
<blockquote>
<pre>#
# Microsoft's VSA's, from RFC 2548
#
# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
#
VENDOR Microsoft 311 Microsoft
BEGIN-VENDOR Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
END-VENDOR Microsoft
</pre>
</blockquote><p></p>
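<p>The two hand edits above (octets to string, a vendor column on every attribute) are easy to get wrong across sixty-odd lines, so here is an added example, not part of radiusclient-ng, freeradius or this howto, that performs the conversion and then checks a dictionary the way radiusclient-ng reads it. The dictionary excerpts embedded in it are constructed, and the base attribute numbers 28 to 31 come from RFC 2865. It deliberately feeds in one line in the howto's layout with the vendor column missing, to show what the check reports.</p>

```python
"""Convert FreeRADIUS's dictionary.microsoft into radiusclient-ng layout and
check the result, automating the hand edits described in this section.

Added example for this howto; it is not part of radiusclient-ng, freeradius or
Poptop. The dictionary texts below are constructed excerpts, not the real
files; BASE_ATTRIBUTES is the RFC 2865 numbering of attributes 28 to 31."""

BASE_ATTRIBUTES = {28: "Idle-Timeout", 29: "Termination-Action",
                   30: "Called-Station-Id", 31: "Calling-Station-Id"}


def convert_freeradius_dictionary(text):
    """Rewrite FreeRADIUS dictionary lines the way the howto does by hand:
    the type 'octets' becomes 'string', and every ATTRIBUTE inside a
    BEGIN-VENDOR block gets the vendor name as its fourth column, which is how
    radiusclient-ng learns that the attribute is vendor-specific (it keys on
    that column, not on the BEGIN-VENDOR/END-VENDOR lines). Flags such as
    encrypt=1 are kept after the vendor column; radiusclient-ng ignores them."""
    out, vendor = [], None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            out.append(raw.strip())
            continue
        keyword = fields[0].upper()
        if keyword == "BEGIN-VENDOR" and len(fields) > 1:
            vendor = fields[1]
        elif keyword == "END-VENDOR":
            vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, attr_id, attr_type, rest = fields[1], fields[2], fields[3].lower(), fields[4:]
            if attr_type == "octets":
                attr_type = "string"
            if rest and "=" not in rest[0]:        # fourth column is already a vendor name
                vendor_col, rest = rest[0], rest[1:]
            else:
                vendor_col = vendor
            fields = ["ATTRIBUTE", name, attr_id, attr_type]
            if vendor_col:
                fields.append(vendor_col)
            fields += rest
        out.append(" ".join(fields))
    return "\n".join(out) + "\n"


def check_radiusclient_dictionary(text, expect_vendor=None):
    """Parse VENDOR and ATTRIBUTE lines the way radiusclient-ng does, building
    the combined id (attribute | vendor_id << 16) it looks attributes up by,
    and return a list of problems: leftover 'octets' types, attributes without
    the expected vendor column (which would be looked up as the base attribute
    of the same number, so the VSA sent by the server would not be recognised),
    undeclared vendors, and one id defined under two names."""
    vendors, seen, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = int(fields[2])
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, attr_id, attr_type = fields[1], int(fields[2]), fields[3].lower()
            vendor = fields[4] if len(fields) > 4 and "=" not in fields[4] else None
            if attr_type == "octets":
                problems.append("line %d: %s still has type octets" % (lineno, name))
            if expect_vendor and vendor != expect_vendor:
                clash = BASE_ATTRIBUTES.get(attr_id, "a base attribute")
                problems.append("line %d: %s %d has no %s column and would be read as base attribute %d (%s)"
                                % (lineno, name, attr_id, expect_vendor, attr_id, clash))
            if vendor is not None and vendor not in vendors:
                problems.append("line %d: vendor %s is not declared with a VENDOR line" % (lineno, vendor))
                continue
            combined = attr_id | (vendors.get(vendor, 0) << 16)
            if combined in seen and seen[combined] != name:
                problems.append("line %d: id %d already used by %s" % (lineno, attr_id, seen[combined]))
            seen.setdefault(combined, name)
    return problems


# Constructed excerpt in FreeRADIUS layout (BEGIN-VENDOR block, octets types, no vendor column).
FREERADIUS_EXCERPT = """\
VENDOR          Microsoft       311
BEGIN-VENDOR    Microsoft
ATTRIBUTE       MS-CHAP-Response        1       octets
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      octets  encrypt=1
ATTRIBUTE       MS-MPPE-Send-Key        16      octets
ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr
VALUE           MS-BAP-Usage    Not-Allowed     0
END-VENDOR      Microsoft
"""

# Constructed excerpt in the howto's layout, with the DNS line left without the vendor column.
HOWTO_EXCERPT = """\
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
"""

if __name__ == "__main__":
    converted = convert_freeradius_dictionary(FREERADIUS_EXCERPT)
    print(converted)
    print("converted:", check_radiusclient_dictionary(converted, "Microsoft") or "ok")
    print("howto excerpt:", check_radiusclient_dictionary(HOWTO_EXCERPT, "Microsoft"))
```

<p>Run against the full converted file above, the check will also report attribute 8 defined twice; that one is expected, because MS-MPPE-Encryption-Type and MS-MPPE-Encryption-Types are deliberate aliases for the same number. Anything else it prints is worth fixing before restarting pppd.</p>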
<hr>
<a href="poptop_ads_howto_9.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_7.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
<p></p>
</body>
</html>