<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>

<body>
<p><strong>13. Freeradius</strong></p>
<p>Freeradius has a massive 57KB configuration file. Fortunately, we only have to change a few lines.</p>
<hr>
<a name="mschap2"></a><strong>13.1 Configure Freeradius for MSCHAPv2</strong>
<p>Edit /etc/raddb/radiusd.conf to enable MSCHAPv2. Open the file, locate the modules section and then the mschap subsection within it.</p>
<blockquote>
  <pre>modules {
        ....[snip]....
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}&quot;
        }
        ....[snip]....
}</pre>
</blockquote>
<p>Save the file. The mschap entry in the authorize and authenticate sections is enabled by default. If it is not, enable it in both sections.</p>
<p>The RADIUS server authenticates its clients with a shared secret. The default secret for freeradius is testing123. It is a good idea to change it for obvious security reasons. The secret is set in /etc/raddb/clients.conf.</p>
<blockquote>
  <pre>client 127.0.0.1 {
        #
        #  The shared secret use to &quot;encrypt&quot; and &quot;sign&quot; packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 32 characters in length.
        #
        secret          = testing123

        ....[snip]....
</pre>
</blockquote>
<p><strong>Note</strong>: if you change the secret, you must also modify /etc/radiusclient/servers so that the two secrets match.</p>
<hr>
<p><strong><a name="access"></a>13.2 PPTP Access Control</strong></p>
<p>The above configuration allows everyone with a valid user ID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntlm_auth line in /etc/raddb/radiusd.conf to include the parameter &quot;--require-membership-of=EXAMPLE+VPN_Allowed&quot;.</p>
<p>In the example, I split the line into multiple lines for clarity. It should be one continuous line in the configuration file.</p>
<blockquote>
  <pre>ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key
                  --username=%{Stripped-User-Name:-%{User-Name:-None}}
                  --challenge=%{mschap:Challenge:-00}
                  --nt-response=%{mschap:NT-Response:-00}
                  --require-membership-of=EXAMPLE+VPN_Allowed&quot;</pre>
</blockquote>
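<p>An added audit script (not part of this howto, FreeRADIUS or pptpd) that checks the points raised in 13.1 and 13.2 together: that the mschap module still sets use_mppe, require_encryption and require_strong to yes, that the shared secret in clients.conf is no longer testing123 and matches the entry in /etc/radiusclient/servers, and that the ntlm_auth line carries --require-membership-of for the expected group. The three file fragments are constructed samples, and the regexes assume the plain key = value layout shown above.</p>

```python
import re

# Constructed sample fragments (not copied from a live system) of the three files the text keeps in sync.
RADIUSD_CONF = """
modules {
        mschap {
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
}
"""
CLIENTS_CONF = "client 127.0.0.1 {\n        secret          = testing123\n}\n"
RADIUSCLIENT_SERVERS = "127.0.0.1       testing123\n"  # /etc/radiusclient/servers: <server> <secret>
DEFAULT_SECRET = "testing123"


def client_secrets(clients_conf):
    """Map each client block in clients.conf to its shared secret."""
    out = {}
    for m in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", clients_conf, re.S):
        s = re.search(r"^\s*secret\s*=\s*(\S+)", m.group(2), re.M)
        if s:
            out[m.group(1)] = s.group(1)
    return out


def server_secrets(servers_file):
    """Map each server in /etc/radiusclient/servers to the secret pptpd will send."""
    out = {}
    for line in servers_file.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then "<server> <secret>"
        if len(parts) >= 2:
            out[parts[0]] = parts[1]
    return out


def audit(radiusd_conf, clients_conf, servers_file, required_group=None):
    """Return the list of problems found; an empty list means every check passed."""
    findings = []
    mschap = re.search(r"mschap\s*\{(.*?)\n\s*\}", radiusd_conf, re.S)  # body of the mschap subsection
    body = mschap.group(1) if mschap else ""
    for opt in ("use_mppe", "require_encryption", "require_strong"):
        if not re.search(rf"^\s*{opt}\s*=\s*yes\b", body, re.M):
            findings.append(f"mschap: {opt} is not set to yes")
    ntlm = re.search(r'ntlm_auth\s*=\s*"([^"]*)"', body)
    if required_group and (not ntlm or f"--require-membership-of={required_group}" not in ntlm.group(1)):
        findings.append(f"ntlm_auth: missing --require-membership-of={required_group}, any AD account can connect")
    clients, servers = client_secrets(clients_conf), server_secrets(servers_file)
    for name, secret in clients.items():
        if secret == DEFAULT_SECRET:
            findings.append(f"clients.conf: client {name} still uses the default secret")
        if name in servers and servers[name] != secret:
            findings.append(f"radiusclient/servers: secret for {name} does not match clients.conf")
    return findings
```

Run it against the real files by reading them into the three arguments; with the sample fragments above it reports only the unchanged default secret until the group restriction is requested as well.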
<hr>
<a href="poptop_ads_howto_10.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_8.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
</body>
</html>