15. Freeradius

Firstly, for Fedora 8, add user radiusd to group wbpriv.

[root@pptp ~]# usermod -G wbpriv radiusd

For Fedora 4 / 5 / 6, change the permission of the winbind_privileged directory.

[root@pptp ~]# chgrp radiusd /var/cache/samba/winbindd_privileged/

Secondly, we will need to modify the freeradius configuration file. Fortunately, we have only to change a few lines.

15.1 Configure Freeradius for MSCHAPv2

Edit /etc/raddb/radiusd.conf to enable MSCAHP2. Open the file and locate the module section and then the mschap subsection.

modules {
mschap { use_mppe = yes require_encryption = yes require_strong = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

The mschap option in the authorize and authenticate sections is enabled by default. If they are not, enable them accordingly. Save the file.

The radius server has a secret key for security. The default key for freeradius is testing123. It is a good idea to change it for obvious security reasons. The key is in /etc/raddb/clients.conf.

client {
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
# The secret can be any string, up to 32 characters in length.
secret = testing123 ....[snip]....

Note: if you change the secret key, you must modify the /etc/radiusclient-ng/servers so that they match each other.

Refer to Appendix 6 for information on Fedora 4 / 5 / 6.

15.2 PPTP Access Control

The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth line in /etc/raddb/radius.conf to include the parameter "--require-membership-of=EXAMPLE+VPN_Allowed".

In the example, I split the line into multiple lines for clarity. It should be one continuous line in the configuration file.

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 

Next   Previous  Content