Microsoft Windows clients can access a Linux Samba server through a VPN (Point-to-Point Tunneling Protocol). This document explains how to configure Radius and Pptpd on a Linux 2.6.* kernel. Ldap configuration is explained in another section.
Overview:
- User/password authentication is performed by the Radius server.
- Ldap is the database which contains the user/password and other information.
- The authentication method is MS-CHAPv2 with 128-bit Microsoft Point-to-Point Encryption (MPPE).
Environment:
- Debian Linux lenny amd64
- kernel 2.6.20.7
- pptpd v1.3.0
- freeradius v1.1.3
Conditions:
- The Ldap server is already configured:
server name ldap.abcde.com
basedn = ou=People,dc=abcde,dc=com
admin entry = cn=admin,dc=abcde,dc=com
admin password = aaaaa
- Radius is a client/server pair, and both run on the same server.
Configure Radius Client:
- Install radiusclient and freeradius with "apt-get install radiusclient1 freeradius".
- Go into the /etc/radiusclient directory.
- We need to configure dictionary, dictionary.microsoft, radiusclient.conf and servers.
- First configure dictionary. This requires only one modification: the last line must be
INCLUDE /etc/radiusclient/dictionary.microsoft
- You might see "$INCLUDE dictionary.microsoft". Due to a syntax problem, it does not work correctly. You must delete the $ sign and type the full path of the include file.
- Next, configure dictionary.microsoft. You will not find the file in the directory; you must copy it from /usr/share/freeradius/dictionary.microsoft.
- This file uses the new dictionary syntax, but radius.so understands only the old one. We have to modify the file as follows:
- Delete the "BEGIN-VENDOR MICROSOFT" line.
- Delete the "END-VENDOR MICROSOFT" line.
- Delete the lines which start with "ATTRIBUTE" and contain "encrypt=1" or "encrypt=2".
- Replace all occurrences of the word "octets" with "string".
- Add the word "Microsoft" to the end of every line which starts with "ATTRIBUTE".
Note: Some lines have a comment starting with "#" at the end of the line. In this case, you must add the word before the comment.
- Insert the following three lines if necessary.
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
Note: These three lines are normally already present, but some versions of freeradius lack them.
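The dictionary.microsoft edits above can be scripted so they are repeatable. The following shell script is an added example and not part of the original page: it applies the same steps with awk, appends the three MPPE attributes when they are absent, and runs here on a constructed few-line sample rather than the real copy from /usr/share/freeradius.

```shell
#!/bin/sh
# Added example: convert a freeradius-syntax dictionary.microsoft ($1) into the
# old syntax that radius.so parses, writing the result to stdout.
convert_ms_dictionary() {
    awk '
        $1 == "BEGIN-VENDOR" || $1 == "END-VENDOR" { next }  # drop the vendor block markers
        $1 == "ATTRIBUTE" && /encrypt=[12]/        { next }  # drop the encrypted attributes
        {
            gsub(/octets/, "string")                         # radius.so only knows "string"
            if ($1 == "ATTRIBUTE") {
                n = index($0, "#")                           # vendor word goes before a comment
                if (n > 0) {
                    body = substr($0, 1, n - 1); sub(/[ \t]+$/, "", body)
                    $0 = body " Microsoft\t" substr($0, n)
                } else {
                    $0 = $0 " Microsoft"
                }
            }
            print
        }' "$1"
}

# Append the three MPPE attributes to $1 when the freeradius version left them out.
ensure_mppe_attrs() {
    for spec in "MS-MPPE-Encryption-Policy 7" "MS-MPPE-Send-Key 16" "MS-MPPE-Recv-Key 17"; do
        name=${spec% *}; id=${spec#* }
        grep -q "^ATTRIBUTE[[:space:]]*$name[[:space:]]" "$1" ||
            printf 'ATTRIBUTE\t%s\t%s\tstring\tMicrosoft\n' "$name" "$id" >> "$1"
    done
}

# Constructed sample in freeradius syntax (a few lines only, not the real file).
write_sample_dictionary() {
    printf 'VENDOR\tMicrosoft\t311\nBEGIN-VENDOR\tMicrosoft\n' > "$1"
    printf 'ATTRIBUTE\tMS-CHAP-Response\t1\toctets\n' >> "$1"
    printf 'ATTRIBUTE\tMS-CHAP-MPPE-Keys\t12\toctets\tencrypt=1\n' >> "$1"
    printf 'ATTRIBUTE\tMS-MPPE-Send-Key\t16\toctets\tencrypt=2\n' >> "$1"
    printf 'ATTRIBUTE\tMS-CHAP2-Response\t25\toctets\t# 50 bytes\n' >> "$1"
    printf 'END-VENDOR\tMicrosoft\n' >> "$1"
}

# Demo: convert the sample and show the result.
SRC=$(mktemp); OUT=$(mktemp)
write_sample_dictionary "$SRC"
convert_ms_dictionary "$SRC" > "$OUT"
ensure_mppe_attrs "$OUT"
cat "$OUT"
```

To convert the real file, run convert_ms_dictionary on the copy from /usr/share/freeradius and then ensure_mppe_attrs on the output before placing it in /etc/radiusclient.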
- Third, configure radiusclient.conf.
auth_order radius
authserver localhost
acctserver localhost
servers /etc/radiusclient/servers
These four lines are important. The auth_order line normally reads "radius,local", but "local" sometimes causes unexpected side effects, so you had better delete it. Localhost means this server: the Radius server will run on the same machine.
- Configure servers.
localhost seckeybbb
This file contains only one line: the server name and the security key. This key must be the same as the one the Radius server specifies. I will explain it later.
Configure Radius Server:
- Go into the /etc/freeradius directory.
- We need to configure clients.conf, ldap.attrmap, radiusd.conf and users.
- Configure clients.conf. This file describes which clients can access the server.
client 127.0.0.1 {
secret = seckeybbb
shortname = localhost
nastype = other
}
At this time, the Radius server and client run on the same machine, so 127.0.0.1 is the only necessary entry. seckeybbb is the security key which was set in the client configuration.
- Configure ldap.attrmap. This file describes which Radius attribute name corresponds to which Ldap attribute. The default settings are enough except for these three lines.
checkItem LM-Password sambaLMPassword
checkItem NT-Password sambaNTPassword
#checkItem SMB-Account-CTRL-TEXT sambaAcctFlags
lmPassword changed to sambaLMPassword, ntPassword changed to sambaNTPassword and acctFlags changed to sambaAcctFlags after samba 3.0. The last checkItem must be commented out in the current version because data containing white space causes a problem.
- Configure radiusd.conf. This file contains many functions, but most of them accept the default settings. We only change the modules.
- The modules section includes pap, chap, pam, unix, eap, mschap, ldap and others. We need to configure only mschap and ldap. The other settings may be commented out or left alone.
- The modules section defines which functions are used and how.
- In mschap, we have to configure these three lines.
use_mppe = yes
require_encryption = yes
require_strong = yes
- In ldap, the following six lines have to be configured.
server = "localhost"
identity = "cn=admin,dc=abcde,dc=com"
password = aaaaa
basedn = "ou=People,dc=abcde,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#access_attr = "dialupAccess"
Identity and password are the administrative entry of the Ldap server. I am not sure, but I suppose these lines might be unnecessary if ldap is configured so that anyone can access the database with this basedn and filter. When you see the error message "rlm_mschap: No User-Password configured. Cannot create LM-Password.", you must add these two lines or reconfigure the ldap server so that anyone can access the database without authentication.
- Configure sites-available/default. This file contains the authorize and authenticate sections. We have to change these modules.
- The authorize section declares which methods will be used. This time, mschap and ldap are the only methods required.
authorize {
ldap
mschap
}
- The authenticate section declares which authentication method will be used. Mschap is the only one at this time.
authenticate {
Auth-Type MS-CHAP {
mschap
}
}
Note: Even though an ldap server is used, ldap must never be declared here. The authentication method is mschap, not ldap.
- Configure users. This file defines which client uses which methods or functions.
DEFAULT Auth-Type = MS-CHAP, NAS-IP-Address = 127.0.0.1
The only client is 127.0.0.1 (localhost) and it requires MS-CHAP. Again, Auth-Type = LDAP is not a good idea.
Configure Pptpd:
- Install pptpd with "apt-get install pptpd".
- We have to configure /etc/ppp/pptpd-options and /etc/pptpd.conf.
- Configure pptpd-options.
# Name of the local system for authentication purposes
name gateway
# Optional: domain name to use for authentication
domain abcde.com
# Auth & Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# specifies the primary and secondary DNS addresses.
ms-dns 10.10.10.1
ms-dns 10.10.10.2
plugin radius.so
Authentication is MS-CHAP version 2 only, and the other methods are refused. Microsoft Point-to-Point Encryption in its 128-bit version (mppe-128) is required. The plugin radius.so is required.
- Configure pptpd.conf.
option /etc/ppp/pptpd-options
localip 10.10.10.4
remoteip 10.10.10.11-40
Localip is the IP address of this server, and the remote IPs are the client IP addresses which the server leases.
How to confirm settings:
- Start pptpd and the radius server.
# /etc/init.d/freeradius restart
# /etc/init.d/pptpd restart
- Connect from a Windows client.
- If it fails, check /var/log/syslog. When you find the error message "MPPE required but not available", check dictionary.microsoft. Perhaps you missed the MPPE attributes. See the dictionary.microsoft steps under Configure Radius Client.
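Before trying the Windows client, the settings above can be checked in one pass. The following shell function is an added example and not part of the original page; it assumes the file locations used in this document and a single client entry in clients.conf, and the paths are parameters so a staging copy can be checked too.

```shell
#!/bin/sh
# Added example: preflight check for the radiusclient, freeradius and pptpd
# settings described in this document. Returns 0 when everything matches.
# Assumption: clients.conf holds the single 127.0.0.1 client shown above.
check_vpn_config() {
    rc=${1:-/etc/radiusclient}; fr=${2:-/etc/freeradius}; ppp=${3:-/etc/ppp/pptpd-options}
    fail=0
    # dictionary must pull in dictionary.microsoft by full path, not via "$INCLUDE"
    grep -q '^INCLUDE[[:space:]]*/.*dictionary\.microsoft' "$rc/dictionary" ||
        { echo "dictionary: last line must be 'INCLUDE $rc/dictionary.microsoft'"; fail=1; }
    if grep -q '^\$INCLUDE' "$rc/dictionary"; then
        echo 'dictionary: the "$INCLUDE" form is not parsed correctly by radius.so'; fail=1
    fi
    # dictionary.microsoft must be in the old syntax and carry the MPPE attributes
    for a in MS-MPPE-Encryption-Policy MS-MPPE-Send-Key MS-MPPE-Recv-Key; do
        grep -q "^ATTRIBUTE[[:space:]]*$a[[:space:]]" "$rc/dictionary.microsoft" ||
            { echo "dictionary.microsoft: $a missing (gives 'MPPE required but not available')"; fail=1; }
    done
    if grep -qE 'BEGIN-VENDOR|END-VENDOR|encrypt=[12]|octets' "$rc/dictionary.microsoft"; then
        echo "dictionary.microsoft: still in the new freeradius syntax"; fail=1
    fi
    # the security key in servers must equal the secret in clients.conf
    cs=$(awk '$1 == "localhost" { print $2; exit }' "$rc/servers")
    ss=$(awk '$1 == "secret" { print $3; exit }' "$fr/clients.conf")
    if [ -z "$cs" ] || [ "$cs" != "$ss" ]; then
        echo "security key in $rc/servers does not match $fr/clients.conf"; fail=1
    fi
    # pptpd must refuse pap/chap/mschap and require mschap-v2 + mppe-128 via radius.so
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 'plugin radius.so'; do
        grep -q "^$opt" "$ppp" || { echo "pptpd-options: '$opt' missing"; fail=1; }
    done
    return $fail
}
# usage: check_vpn_config                                  (system paths)
#        check_vpn_config ./rc ./fr ./pptpd-options        (staging copy)
```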