1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 2"http://www.w3.org/TR/html4/loose.dtd"> 3<html> 4<head> 5<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 6<title>Poptop MSCHAP2 ADS Howto</title> 7</head> 8 9<body> 10<p><strong>11. Software for R</strong><strong>adius Setup</strong></p> 11<p>In additional to the software we installed in the previous sections, we need two more. Freeradius is one of them. FC4 comes with freeradius-1.0.2-2 but it is broken. At the time of writing, the latest one is freeradius-1.0.4-1.FC4.1. Get it from yum as it has quite a few dependences. yum will resolve all required dependences automagically.</p> 12<blockquote> 13 <pre>[root@pptp ~]# yum install freeradius </pre> 14</blockquote> 15<p>The second software you will need is radiusclient. Get the FC4 rpm, radiusclient-0.3.2-0.2.fc4.rf.i386.rpm, from <a href="http://rpmforge.net/user/packages/radiusclient/">RPMforge</a>. Install it with "rpm -ivh".</p> 16<hr> 17<p><strong><a name="rclient"></a>12. Radiusclient</strong></p> 18<p>Radiusclient is required because the pppd radius plugin relies on it. There are a few configuration files in /etc/radiusclient to look at. The first one is /etc/radiusclient/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:</p> 19<blockquote> 20 <pre>#Server Name or Client/Server pair Key<br>#---------------- ---------------<br>localhost testing123 </pre> 21</blockquote> 22<p>The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. The default is testing123. Of course, it is a bad idea to use the default.</p> 23<hr> 24<a name="rclientconf"></a><strong>12.1 radiusclient.conf</strong> 25<p>The main configuration file for radiusclient is /etc/radiusclient/radiusclient.conf. Here is how it should be when all remarks are stripped off:</p> 26<blockquote> 27 <pre>auth_order radius 28login_tries 4 29login_timeout 60 30nologin /etc/nologin 31issue /etc/radiusclient/issue 32authserver localhost 33acctserver localhost 34servers /etc/radiusclient/servers 35dictionary /etc/radiusclient/dictionary 36login_radius /usr/sbin/login.radius 37seqfile /var/run/radius.seq 38mapfile /etc/radiusclient/port-id-map 39default_realm 40radius_timeout 10 41radius_retries 3</pre> 42</blockquote> 43<p>Basically, all of the lines are default. I have not changed anything.</p> 44<hr> 45<strong><a name="dict"></a>12.2 dictionary.microsoft</strong> 46<p>In /etc/radiusclient, there is a file called dictionary. Add the following line to the end of the file.</p> 47<blockquote> 48 <pre>INCLUDE /etc/radiusclient/dictionary.microsoft</pre> 49</blockquote> 50<p>The file, dictionary.microsoft, is not included in the radiusclient. We can modify the one from freeradius so that it can be used by pppd.</p> 51<p>First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word "octets" to "string" in the file. Add the word Microsoft to all attributes. Here is my version: </p> 52<blockquote> 53 <pre>#<br># Microsoft's VSA's, from RFC 2548<br>#<br># $Id: poptop_ads_howto_8.htm,v 1.3 2006/02/01 22:13:34 wskwok Exp $<br># 54 55VENDOR Microsoft 311 Microsoft 56 57ATTRIBUTE MS-CHAP-Response 1 string Mircosoft<br>ATTRIBUTE MS-CHAP-Error 2 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-1 3 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-2 4 string Mircosoft<br>ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Mircosoft<br>ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Mircosoft<br>ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft<br># This is referred to as both singular and plural in the RFC.<br># Plural seems to make more sense.<br>ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft<br>ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft<br>ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft<br>ATTRIBUTE MS-CHAP-Domain 10 string Mircosoft<br>ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft<br>ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1<br>ATTRIBUTE MS-BAP-Usage 13 integer Microsoft<br>ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft<br>ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft<br>ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft<br>ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft<br>ATTRIBUTE MS-RAS-Version 18 string Microsoft<br>ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft<br>ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft<br>ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft 58 59ATTRIBUTE MS-Filter 22 string Mircosoft<br>ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft<br>ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft<br> 60ATTRIBUTE MS-CHAP2-Response 25 string Microsoft<br>ATTRIBUTE MS-CHAP2-Success 26 string Microsoft<br>ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft 61 62ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr<br>ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr<br>ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr<br>ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr 63 64#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft 65 66#<br># Integer Translations<br># 67 68# MS-BAP-Usage Values 69 70VALUE MS-BAP-Usage Not-Allowed 0<br>VALUE MS-BAP-Usage Allowed 1<br>VALUE MS-BAP-Usage Required 2 71 72# MS-ARAP-Password-Change-Reason Values 73 74VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1<br>VALUE MS-ARAP-PW-Change-Reason Expired-Password 2<br>VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3<br>VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 75 76# MS-Acct-Auth-Type Values 77 78VALUE MS-Acct-Auth-Type PAP 1<br>VALUE MS-Acct-Auth-Type CHAP 2<br>VALUE MS-Acct-Auth-Type MS-CHAP-1 3<br>VALUE MS-Acct-Auth-Type MS-CHAP-2 4<br>VALUE MS-Acct-Auth-Type EAP 5 79 80# MS-Acct-EAP-Type Values 81 82VALUE MS-Acct-EAP-Type MD5 4<br>VALUE MS-Acct-EAP-Type OTP 5<br>VALUE MS-Acct-EAP-Type Generic-Token-Card 6<br>VALUE MS-Acct-EAP-Type TLS 13 83 84END-VENDOR Microsoft 85</pre> 86</blockquote><p></p> 87<hr> 88<a href="poptop_ads_howto_9.htm">Next</a> <a href="poptop_ads_howto_7.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> 89<p></p> 90</body> 91</html> 92