Admins eHow SysAdmin Tips & Tricks

August 14, 2009

How to Auth pptpd with radius on debian

Filed under: Debian, General — admin @ 12:54 pm

Install libradiusclient-ng2:

apt-get install libradiusclient-ng2

Rename the folder, since pppd's radius plugin reads its configuration from /etc/radiusclient/radiusclient.conf by default:

 mv /etc/radiusclient-ng/ /etc/radiusclient/

Create dictionary.microsoft:

nano /etc/radiusclient/dictionary.microsoft

and copy and paste the following text into it:

#
#       Microsoft's VSA's, from RFC 2548
#
#       $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR          Microsoft       311     Microsoft

ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft
ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer        Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft

ATTRIBUTE       MS-Filter               22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft

ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft

ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr  Microsoft

#ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft

#
#       Integer Translations
#

#       MS-BAP-Usage Values

VALUE           MS-BAP-Usage            Not-Allowed     0
VALUE           MS-BAP-Usage            Allowed         1
VALUE           MS-BAP-Usage            Required        2

#       MS-ARAP-Password-Change-Reason Values

VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

#       MS-Acct-Auth-Type Values

VALUE           MS-Acct-Auth-Type       PAP             1
VALUE           MS-Acct-Auth-Type       CHAP            2
VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
VALUE           MS-Acct-Auth-Type       EAP             5

#       MS-Acct-EAP-Type Values

VALUE           MS-Acct-EAP-Type        MD5             4
VALUE           MS-Acct-EAP-Type        OTP             5
VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
VALUE           MS-Acct-EAP-Type        TLS             13

Create port-id-map in case it doesn't exist yet:

echo "" > /etc/radiusclient/port-id-map

Edit /etc/radiusclient/dictionary:

nano /etc/radiusclient/dictionary

and add the following lines to the end of it:

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

Edit /etc/radiusclient/radiusclient.conf:

nano /etc/radiusclient/radiusclient.conf

Copy and paste the following text into it; don't forget to set your own authserver and acctserver:

auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      AUTH_Server_IP:PORT
acctserver      ACCT_Server_IP:PORT
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

Edit /etc/radiusclient/servers:

nano /etc/radiusclient/servers

and add the following line to it, changing Radius_Server_IP and SecretKey to your own settings:

Radius_Server_IP SecretKey

Edit /etc/pptpd.conf:

nano /etc/pptpd.conf

and copy and paste the following text into it, changing Server_IP, Remote_IP_From and Remote_IP_TO to your own settings:

option /etc/ppp/pptpd-options
logwtmp
localip Server_IP
remoteip Remote_IP_From-Remote_IP_TO
connections 200

Edit /etc/ppp/pptpd-options:

nano /etc/ppp/pptpd-options

and copy and paste the following text into it:

name pptpd
require-pap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
mtu 1200
mru 1200
plugin radius.so
plugin radattr.so
lcp-echo-failure 50
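As an added check that is not part of the original post, the script below verifies a radiusclient directory laid out as in the steps above: every INCLUDE in the dictionary resolves to a file, the port-id-map exists, each host named as authserver or acctserver has a secret in the servers file, and that file is readable only by its owner, since it holds the shared secret. It writes constructed sample files into a temporary directory so it runs offline; set RCDIR=/etc/radiusclient to check a real install, and it assumes GNU stat as shipped with Debian coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a radiusclient layout
# like the one built above. Assumes GNU stat (Debian coreutils).

# make_sample <dir> <good|bad>: write a constructed radiusclient layout.
# "bad" omits dictionary.microsoft, leaves servers world-readable and
# lists a secret for a host that radiusclient.conf never names.
make_sample() {
    d="$1"; mkdir -p "$d"
    printf 'authserver\t192.0.2.10:1812\nacctserver\t192.0.2.10:1813\n' > "$d/radiusclient.conf"
    printf 'servers\t%s/servers\ndictionary\t%s/dictionary\nmapfile\t%s/port-id-map\n' \
        "$d" "$d" "$d" >> "$d/radiusclient.conf"
    printf 'INCLUDE %s/dictionary.merit\nINCLUDE %s/dictionary.microsoft\n' "$d" "$d" > "$d/dictionary"
    : > "$d/dictionary.merit"; : > "$d/port-id-map"
    if [ "$2" = good ]; then
        printf 'VENDOR\tMicrosoft\t311\tMicrosoft\n' > "$d/dictionary.microsoft"
        printf '192.0.2.10 s3cret\n' > "$d/servers"; chmod 600 "$d/servers"
    else
        printf '192.0.2.99 s3cret\n' > "$d/servers"; chmod 644 "$d/servers"
    fi
}

# cfg <key>: value of a key in the radiusclient.conf named by $conf
cfg() { awk -v k="$1" '$1 == k { print $2 }' "$conf"; }

# check_radiusclient <dir>: print each problem, return how many were found
check_radiusclient() {
    conf="$1/radiusclient.conf"; bad=0
    dict=$(cfg dictionary); srv=$(cfg servers); map=$(cfg mapfile)
    [ -r "$map" ] || { echo "missing mapfile $map"; bad=$((bad + 1)); }
    # every INCLUDE in the main dictionary must point at a readable file
    for f in $(awk '$1 == "INCLUDE" { print $2 }' "$dict"); do
        [ -r "$f" ] || { echo "missing dictionary $f"; bad=$((bad + 1)); }
    done
    # servers holds the shared secret: only the owner may read it
    perm=$(stat -c %a "$srv")
    case "$perm" in 600|400) ;; *) echo "$srv is mode $perm, want 600"; bad=$((bad + 1)) ;; esac
    # every host named as authserver/acctserver needs a secret in servers
    for h in $(cfg authserver; cfg acctserver); do
        awk -v h="${h%%:*}" '$1 == h { ok = 1 } END { exit !ok }' "$srv" \
            || { echo "no secret for ${h%%:*} in $srv"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# With RCDIR unset, check a constructed sample instead of a real install.
tmp=$(mktemp -d); make_sample "$tmp/sample" good
check_radiusclient "${RCDIR:-$tmp/sample}" && echo "radiusclient config is consistent"
rm -rf "$tmp"
```

The return value is the number of problems found, so it can be used directly as an exit status in a post-install check.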
  • Leo

    Sorry, just want to say thank you. Thanks for sharing.

  • Franklin

    I followed the steps on Ubuntu 12.04 server and it went well, but I can't connect using a radius (working when I connect by a RouterOS).

    This is my log:

    Feb 21 18:15:21 ip-10-0-0-135 pptpd[1691]: CTRL: Client xxx.xxx.xxx.xx control connection started
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: CTRL: Starting call (launching pppd, opening GRE)
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Plugin radius.so loaded.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: RADIUS plugin initialized.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Plugin radattr.so loaded.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: RADATTR plugin initialized.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: pppd 2.4.5 started by root, uid 0
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Using interface ppp0
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Connect: ppp0 /dev/pts/2
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: GRE: Bad checksum from pppd.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: rc_read_dictionary: couldn't open dictionary dictionary.pppd: No such file or directory
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: PAP peer authentication failed for "user@mydomain.com.br"
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Connection terminated.
    Feb 21 18:15:22 ip-10-0-0-135 pppd[1692]: Exit.
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: GRE: read(fd=6,buffer=6075a0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: CTRL: Reaping child PPP[1692]
    Feb 21 18:15:22 ip-10-0-0-135 pptpd[1691]: CTRL: Client xxx.xxx.xxx.xx control connection finished

    Could you help?

  • A perfect tutorial. Works like a charm. Thanks for sharing.

    Keep the great work up.

    Regards:
    Imran
