13. Software for Radius Setup

freeradius is not in the Fedora 8 DVD although it is in the F8 yum repository. Therefore, by default, it is not installed. Installing it through yum is recommended as it has quite a few dependences. yum will resolve all required dependences automagically. The version of freeradius in F8 is v1.1.7.

[root@pptp ~]# yum install freeradius 

The second software you will need is radiusclient-ng. It is also available in the F8 yum repository. The version of the software is v0.5.6.

[root@pptp ~]# yum install radiusclient-ng 

Note: information for FC4 / 5 / 6 is in Appendix A4.

14. radiusclient-ng

The pppd radius plugin relies on the radiusclient package. Fedora, however, provides radiusclient-ng. To make pppd work with radiusclient-ng, create a soft link with the following command.

[root@pptp ~]# cd /etc
[root@pptp etc]# ln -s radiusclient-ng radiusclient

There are a few configuration files in /etc/radiusclient-ng to look at. The first one is /etc/radiusclient-ng/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:

#Server Name or Client/Server pair              Key
#---------------- ---------------
localhost testing123

The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. Older version of freeradius has the default key "testing123". Of course, it is a bad idea to use the default.

14.1 radiusclient.conf

The main configuration file for radiusclient is /etc/radiusclient-ng/radiusclient.conf. Here is how it should be when all remarks are stripped off:

auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient-ng/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient-ng/servers
dictionary /usr/share/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient-ng/port-id-map
radius_timeout 10
radius_retries 3
#bindaddr *
login_local /bin/login

Basically, all of the lines are default. I have not changed anything.

14.2 dictionary.microsoft

In /usr/share/radiusclient-ng directory, there is a file called dictionary. Add the following line to the end of the file.

INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft

The file, dictionary.microsoft, is not included in the radiusclient-ng package. We can modify the one from freeradius so that it can be used by pppd.

First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /usr/share/radiusclient-ng. Then change the word "octets" to "string" in the file. Add the word Microsoft to all attributes. Here is my version:

# Microsoft's VSA's, from RFC 2548
# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
# VENDOR Microsoft 311 Microsoft BEGIN VENDOR Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft #
# Integer Translations
# # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13 END-VENDOR Microsoft

Next   Previous  Content