How to configure pptpd on CentOS to use Radius authentication

18:07, original content of this site

PopTop

From FreeRADIUS Wiki


Introduction

Poptop (http://www.poptop.org/) is the PPTP server solution for Linux and is used for establishing VPN (Virtual Private Network) tunnels across the Internet.

It uses pppd to establish the network link and can therefore benefit from the pppd radius plugin to work with FreeRADIUS:

  • authorization of the access can be done on several parameters (username, user group, VPN server IP address or name, VPN client IP address, connection time...)
  • authentication of the user can be delegated to the radius server (which can use several backends to store user profiles)
  • IP pool management for the VPN client can be delegated to the FreeRADIUS server
  • if MPPE encryption is required, MPPE keys can be generated by the FreeRADIUS server
  • Accounting data can be sent to FreeRADIUS

In order to use MPPE, authentication must be set up to use MS-CHAP or MS-CHAPv2, which requires the user password to be stored in NTLM hashed format or in cleartext in the FreeRADIUS backend.

Setting up the Poptop server

  • Install Poptop, pppd, pppd-radius, libradiusclient on your system.
  • Check that your kernel has built-in support for MPPE encryption:
    ### If it is not available
    # modprobe ppp-compress-18 && echo MPPE Module is ok
    FATAL: Module ppp_mppe not found.
    ### If it is available
    # modprobe ppp-compress-18 && echo MPPE Module is ok
    MPPE Module is ok

Poptop setup files

Follow the Poptop documentation to set up the pptpd daemon.

A sample /etc/pptpd.conf is given below:

ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
noipparam
delegate
connections 150
localip 10.1.1.1

Note:

  • The 10.1.1.1 is the IP Address of the Poptop VPN server.
  • The "noipparam" option is used here because in this particular setup FreeRADIUS handles IP pool management

Then modify the /etc/ppp/options.pptpd file, for instance:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
[...]
plugin radius.so
plugin radattr.so

Note:

  • the above setup only accepts MS-CHAPv2 authentication and requires MPPE encryption
  • Pay special attention to the fact that BOTH the radius.so AND the radattr.so plugin NEED to be defined in this file

Radius settings

The FreeRADIUS setup part

  • Define the IP Address and secret in the FreeRADIUS /etc/raddb/clients.conf file
  • Make sure the mschap module is set up to accept MPPE encryption. Go to the /etc/raddb/radiusd.conf file and check the mschap {} subsection in the modules {} section:
    # if use_mppe is not set to no mschap will
    # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
    # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
    #
    #use_mppe = no
    # if mppe is enabled require_encryption makes
    # encryption moderate
    #
    #require_encryption = yes
    # require_strong always requires 128 bit key
    # encryption
    #
    #require_strong = yes
    • use_mppe must not be set to no. Default params work well, but you can tune require_encryption and require_strong to better customize the setup
  • Double check that the mschap module is not commented out in the authorize or in the authenticate section
  • Optionally define the IP pools in your FreeRADIUS /etc/raddb/radiusd.conf
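Because a commented-out "#use_mppe = no" and an uncommented "use_mppe = no" look alike at a glance, it helps to evaluate the mschap {} block the way the server does. The checker below is an added example, not code from the FreeRADIUS wiki or project: it strips comments, tracks the braces of the mschap {} subsection, fills in module defaults for unset settings, and reports what a pptpd configured with require-mschap-v2 and require-mppe-128 will run into. The two radiusd.conf excerpts are constructed; the default of use_mppe follows the shipped comment quoted above, while the assumed defaults for require_encryption and require_strong ("no") are an assumption of this example.

```python
import re

# Constructed excerpt of the mschap {} subsection of /etc/raddb/radiusd.conf as
# shipped, with the settings commented out so the module defaults apply.
# This is the working configuration for a pppd that uses require-mppe-128.
DEFAULT_MSCHAP = """\
modules {
    mschap {
        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
    }
}
"""

# Constructed broken variant: use_mppe = no has been uncommented, so the
# Access-Accept carries no MPPE keys and a pppd that requires MPPE fails.
BROKEN_MSCHAP = DEFAULT_MSCHAP.replace("#use_mppe = no", "use_mppe = no")

# Defaults applied when a setting is absent: use_mppe is on unless it is set
# to no (as the shipped comment says); the other two are assumed to be off.
DEFAULTS = {"use_mppe": "yes", "require_encryption": "no", "require_strong": "no"}


def mschap_settings(conf_text):
    """Return the effective settings of the mschap {} block.

    Comments are stripped first, so a commented-out '#use_mppe = no' leaves
    the default in place; only an uncommented assignment inside the block
    overrides it.
    """
    settings = dict(DEFAULTS)
    in_mschap, depth = False, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not in_mschap:
            if re.match(r"mschap\s*\{", line):
                in_mschap, depth = True, 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:          # closing brace of the mschap block
            in_mschap = False
            continue
        m = re.match(r"(\w+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"').lower()
    return settings


def mppe_findings(conf_text):
    """Findings for a pptpd that uses require-mschap-v2 and require-mppe-128."""
    s = mschap_settings(conf_text)
    findings = []
    if s["use_mppe"] == "no":
        findings.append("use_mppe = no: no MS-MPPE-Send-Key/MS-MPPE-Recv-Key in the "
                        "Access-Accept, so pppd's require-mppe-128 will fail")
    if s["require_strong"] != "yes":
        findings.append("require_strong not set: only pppd enforces 128-bit keys; "
                        "set require_strong = yes to have FreeRADIUS require them too")
    return findings


if __name__ == "__main__":
    for label, text in (("shipped defaults", DEFAULT_MSCHAP), ("use_mppe = no", BROKEN_MSCHAP)):
        print(label, mschap_settings(text))
        for finding in mppe_findings(text):
            print("  -", finding)
```

On a real server, read /etc/raddb/radiusd.conf into a string and pass it to mppe_findings(); an empty list means the mschap module will hand MPPE keys to pppd and already insists on 128-bit keys itself.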

The radiusclient setup part (on the Poptop server)

  • set up your /etc/radiusclient/radiusclient.conf file, for instance with:
auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      myradius.mydomain.com:1812
acctserver      myradius.mydomain.com:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

Where myradius.mydomain.com is the DNS name of your FreeRADIUS server.

  • set up your /etc/radiusclient/servers file:
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
myradius.mydomain.com                           same-secret-in-freeradius-client.conf
  • Check that you've got the required radiusclient dictionaries (dictionary.merit and dictionary.microsoft). If you don't have them in /etc/radiusclient or in /usr/share/radiusclient-ng (for radiusclient-ng), copy them from the dictionary text below
#
#       Microsoft's VSA's, from RFC 2548
#
#       $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR          Microsoft       311     Microsoft

ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft
ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer        Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft

ATTRIBUTE       MS-Filter               22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft

ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft

ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr  Microsoft

#ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft


#
#       Integer Translations
#

#       MS-BAP-Usage Values

VALUE           MS-BAP-Usage            Not-Allowed     0
VALUE           MS-BAP-Usage            Allowed         1
VALUE           MS-BAP-Usage            Required        2

#       MS-ARAP-Password-Change-Reason Values

VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

#       MS-Acct-Auth-Type Values

VALUE           MS-Acct-Auth-Type       PAP             1
VALUE           MS-Acct-Auth-Type       CHAP            2
VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
VALUE           MS-Acct-Auth-Type       EAP             5

#       MS-Acct-EAP-Type Values

VALUE           MS-Acct-EAP-Type        MD5             4
VALUE           MS-Acct-EAP-Type        OTP             5
VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
VALUE           MS-Acct-EAP-Type        TLS             13

And the dictionary.merit file:

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8
  • Then include these files in your main radiusclient dictionary by using "INCLUDE" keywords at the end of the /etc/radiusclient/dictionary file:
    INCLUDE /etc/radiusclient/dictionary.merit
    INCLUDE /etc/radiusclient/dictionary.microsoft

Note: A common issue is to use the "$INCLUDE" keyword instead of "INCLUDE". Though a quick look at the source code of radiusclient made me doubt this, I can report that only the INCLUDE keyword works for me (and others).

That's not working

Ok, so you've followed the above steps and it's still not working. So let's double check things before you post to the FreeRADIUS mailing lists:

  • First, check that you have NOT modified any dictionary on the FreeRADIUS server. A common mistake is to use the above dictionary (formatted for radiusclient) on FreeRADIUS. If you have done this, restore the dictionary files from the FreeRADIUS package
  • Check that you are using the INCLUDE keyword in the /etc/radiusclient/dictionary file and not "$INCLUDE"

Then let's have a look at the /var/log/messages file on your Poptop VPN server. If you get messages like the ones below, then the problem is due to bad radiusclient dictionary definitions:

May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11
May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25

In this case: check again that you get the latest Microsoft dictionary for radiusclient and that you've correctly included it in the radiusclient configuration.
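The two checks above (INCLUDE versus "$INCLUDE" in the radiusclient dictionary, and the "unknown attribute" lines in /var/log/messages) can be automated in one place. The script below is an added example, not code from the FreeRADIUS wiki, radiusclient or pppd: it parses a radiusclient dictionary the way the format is laid out above (ATTRIBUTE, VENDOR, VALUE and INCLUDE lines, "#" comments), follows INCLUDE lines, flags "$INCLUDE" lines, reports which of the attributes the page lists for MS-CHAPv2 with MPPE are undefined, and maps the numbers in pppd's "rc_avpair_new: unknown attribute N" lines back to their Microsoft VSA names. The dictionary files are constructed, abridged copies of the ones quoted above, held in a dict so the script runs offline; the log lines are the two quoted on the page.

```python
import re

# Constructed radiusclient files for the checker (abridged, not the page's full
# dictionaries): the main dictionary plus the two files it must INCLUDE.
GOOD_FILES = {
    "/etc/radiusclient/dictionary": """\
ATTRIBUTE       User-Name               1       string
ATTRIBUTE       User-Password           2       string
ATTRIBUTE       Service-Type            6       integer
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
""",
    "/etc/radiusclient/dictionary.merit": """\
ATTRIBUTE       NAS-Identifier          32      string
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8
""",
    "/etc/radiusclient/dictionary.microsoft": """\
VENDOR          Microsoft       311     Microsoft
ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
""",
}

# Constructed broken variant: the main dictionary uses "$INCLUDE", which did
# not work for the page's author, so nothing from the two files gets loaded.
BROKEN_FILES = dict(GOOD_FILES)
BROKEN_FILES["/etc/radiusclient/dictionary"] = (
    GOOD_FILES["/etc/radiusclient/dictionary"].replace("INCLUDE", "$INCLUDE"))

# Attributes the pppd radius plugin must know for MS-CHAPv2 with MPPE: the
# ones the page lists in the Access-Request and in the Access-Accept.
REQUIRED = ("MS-CHAP-Challenge", "MS-CHAP2-Response",
            "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key",
            "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types")

# The two log lines quoted on the page, embedded here as sample input.
SAMPLE_LOG = """\
May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 11
May 29 18:15:11 localhost pppd[16922]: rc_avpair_new: unknown attribute 25
"""
LOG_RE = re.compile(r"rc_avpair_new: unknown attribute (\d+)")


def load_dictionary(path, files, seen=None):
    """Parse a radiusclient dictionary, following INCLUDE lines.

    Returns (attrs, problems): attrs maps (vendor, number) -> attribute name
    (vendor is None for standard attributes); problems lists '$INCLUDE'
    lines and missing include files. 'files' maps path -> text so the check
    runs offline; on a server, read the real files into such a dict.
    """
    seen = set() if seen is None else seen
    attrs, problems = {}, []
    if path in seen:                       # guard against include loops
        return attrs, problems
    seen.add(path)
    if path not in files:
        problems.append(f"{path}: file not found")
        return attrs, problems
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "$INCLUDE":
            problems.append(f"{path}:{lineno}: '$INCLUDE' is not honoured; use 'INCLUDE'")
        elif keyword == "INCLUDE" and len(fields) == 2:
            sub_attrs, sub_problems = load_dictionary(fields[1], files, seen)
            attrs.update(sub_attrs)
            problems.extend(sub_problems)
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            vendor = fields[4] if len(fields) > 4 else None
            attrs[(vendor, int(fields[2]))] = fields[1]
        # VENDOR and VALUE lines define no attribute numbers; nothing to record.
    return attrs, problems


def missing_required(attrs):
    """Names from REQUIRED that the parsed dictionary does not define."""
    defined = set(attrs.values())
    return [name for name in REQUIRED if name not in defined]


def explain_unknown_attributes(log_text, reference_attrs):
    """Map each 'unknown attribute N' in pppd's log to the Microsoft VSA name a
    complete dictionary.microsoft defines for N; pass the attrs loaded from a
    known-good dictionary as reference_attrs."""
    return {int(m.group(1)): reference_attrs.get(("Microsoft", int(m.group(1))),
                                                 "not a Microsoft VSA")
            for m in LOG_RE.finditer(log_text)}


if __name__ == "__main__":
    good, _ = load_dictionary("/etc/radiusclient/dictionary", GOOD_FILES)
    bad, problems = load_dictionary("/etc/radiusclient/dictionary", BROKEN_FILES)
    print("problems:", problems)
    print("missing on the broken setup:", missing_required(bad))
    print("log explained:", explain_unknown_attributes(SAMPLE_LOG, good))
```

With the broken main dictionary the checker reports both "$INCLUDE" lines and all six required names as missing, and it resolves the two logged numbers to MS-CHAP-Challenge and MS-CHAP2-Response, which points straight at the Microsoft dictionary not being included on the pppd side.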

If it's still not working, check the FreeRADIUS debug logs by running it with the "-X" flag.

  • Check that in the packets you see the following attributes exchanged:
    • User-Name
    • MS-CHAP-Challenge
    • MS-CHAP2-Response
  • If an Access-Accept is sent by FreeRADIUS, check that the following attributes are part of the response:
    • MS-MPPE-Recv-Key = 0x....
    • MS-MPPE-Send-Key = 0x...
    • MS-MPPE-Encryption-Policy = 0x...
    • MS-MPPE-Encryption-Types = 0x...

==> If not, then have a look at your radiusd.conf setup, especially the "use_mppe" parameter

Author: 77run @ 齐齐奔跑 -- 骑士威科技
URL: http://blog.77run.com/centosxia-pptpd-ru-he-she-zhi-wei-radius-ren-zheng/
All rights reserved ©. When reposting, the author, the original source and this notice must be credited in the form of a link!
