freeRADIUS + POPTOP

Neville nev at itsnev.co.uk
Sat May 23 00:39:32 CEST 2009


Firstly, let me apologise now for asking what is most probably a simple question to you long-standing veterans of freeRADIUS.

I've searched the Internet for 5 days now, late into the evening, but I'm totally stumped in resolving my problem, so I would appreciate any guidance from the experts.  I've configured as per the many guides I've found and have a basic understanding of how this all works, but there is no information anywhere on how to set up the Users / Client details for freeRADIUS.

I've been using poptop (pptpd) server for several weeks, with great success, but now I wish to introduce freeRADIUS.

The problem I'm facing is the allocation of IP address / GW / DNS by freeRADIUS for the VPN connections coming onto my server.

My server's private IP address is 19x.xxx.xxx.190.

I've set up iptables to forward all NAT traffic through the private IP, but with allocation of a GW of 10.0.0.1 and a client IP of 10.0.0.200.

However, when I connect and freeRADIUS authenticates me SUCCESSFULLY, I get given an IP of 192.168.2.82 from test_pool, but the pool has range-start = 10.0.0.100 and range-stop = 10.0.0.199, which is totally different from the address allocated by the pool. ANY IDEAS?

/var/log/messages

May 22 21:49:13 server pppd[765]: MPPE 128-bit stateless compression enabled
May 22 21:49:15 server pppd[765]: Cannot determine ethernet address for proxy ARP
May 22 21:49:15 server pppd[765]: local  IP address 10.0.0.1
May 22 21:49:15 server pppd[765]: remote IP address 192.168.2.82

radiusd -X


rad_recv: Access-Request packet from host 127.0.0.1 port 34510, id=245, length=133
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test1"
        MS-CHAP-Challenge = 0xd4fd1b2f3b03fa424ae2ccc6dcd11029
        MS-CHAP2-Response = 0x87001d6e9a747c3545dd123d19c410c037be00000000000000002b9c7e96783abd1954a72ae8f4bc4733b1470477ba725366
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log]      expand: %t -> Fri May 22 22:46:15 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 70
[files] users: Matched entry test1 at line 77
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for test1 with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group post-auth {...}
[test_pool]     expand: %{NAS-IP-Address} %{NAS-Port} -> 127.0.0.1 0
[test_pool] MD5 on 'key' directive maps to: ee0282d57992a30bce29ea43d092ac16
[test_pool] Searching for an entry for key: 'ee0282d57992a30bce29ea43d092ac16'
rlm_ippool: Allocating ip to key: 'ee0282d57992a30bce29ea43d092ac16'
[test_pool] num: 1
[test_pool] Allocated ip 192.168.2.82 to client key: ee0282d57992a30bce29ea43d092ac16
++[test_pool] returns ok
++[exec] returns noop
Sending Access-Accept of id 245 to 127.0.0.1 port 34510
        Service-Type = Framed-User
        Session-Timeout = 65000
        Framed-Protocol = PPP
        Framed-MTU = 1400
        MS-CHAP2-Success = 0x87533d46313037374533443535323430343534463737333338463639364534383642374434433244333842
        MS-MPPE-Recv-Key = 0x5a21400d6e5601f9c7201a94d401eefb
        MS-MPPE-Send-Key = 0x14eadb5ada027ccdd63a6cf372f0defd
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        Framed-IP-Address = 192.168.2.82
        Framed-IP-Netmask = 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 43515, id=246, length=97
        Acct-Session-Id = "4A172B390A9300"
        User-Name = "test1"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 192.168.2.82
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4A172B390A9300",User-Name = "test1"'
[acct_unique] Acct-Unique-Session-ID = "29e101f9a598e8fe".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/detail-20090522
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/detail-20090522
[detail]        expand: %t -> Fri May 22 22:46:17 2009
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test1
++[radutmp] returns ok
[test_pool] This is not an Accounting-Stop. Return NOOP.
++[test_pool] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> test1
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 246 to 127.0.0.1 port 43515
Finished request 1.
Cleaning up request 1 ID 246 with timestamp +44
Going to the next request
Waking up in 2.9 seconds.
Cleaning up request 0 ID 245 with timestamp +42
Ready to process requests.

freeRADIUS Configurations

users

DEFAULT Pool-Name := test_pool
        Fall-Through = Yes

test1 Cleartext-Password := "test1"
        Service-Type = Framed-User,
        Session-Timeout = 65000,
        Framed-Protocol = PPP,
        Framed-MTU = 1400,

ippool module

ippool test_pool {
        range-start = 10.0.0.100
        range-stop = 10.0.0.199
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${db_dir}/db.ippool
        ip-index = ${db_dir}/db.ipindex
        override = no
        maximum-timeout = 0
        #key = "%{NAS-IP-Address} %{NAS-Port}"
}


POPTOP Configuration Files

/etc/ppp/options.pptpd

name pptpd
#chapms-strip-domain
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 208.67.222.222
ms-dns 208.67.222.220
proxyarp
debug
dump
lock
nobsdcomp 
novj
novjccomp
noipv6
noipx
nologfd
plugin radius.so
plugin radattr.so


/etc/pptpd.conf

ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
debug
noipparam
#logwtmp
#bcrelay eth1
delegate
connections 100
localip 10.0.0.1
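As an added check (not part of the original post or of FreeRADIUS itself), the script below parses the rlm_ippool block and the radiusd -X allocation line quoted above and flags any address the pool handed out that falls outside its configured range-start..range-stop, which is exactly the mismatch described. The function names are my own; the sample config and log text are copied from the post.

```python
import ipaddress
import re

# Sample inputs taken from the post above: the rlm_ippool block and the
# allocation / Access-Accept lines from the radiusd -X output.
IPPOOL_CONF = """
ippool test_pool {
        range-start = 10.0.0.100
        range-stop = 10.0.0.199
        netmask = 255.255.255.0
}
"""

DEBUG_LOG = """
[test_pool] Allocated ip 192.168.2.82 to client key: ee0282d57992a30bce29ea43d092ac16
Sending Access-Accept of id 245 to 127.0.0.1 port 34510
        Framed-IP-Address = 192.168.2.82
        Framed-IP-Netmask = 255.255.255.0
"""


def parse_pools(conf):
    """Return {pool_name: (range_start, range_stop)} from rlm_ippool config text."""
    pools = {}
    block_re = re.compile(r"ippool\s+(\S+)\s*\{(.*?)\}", re.S)
    for name, body in block_re.findall(conf):
        start = re.search(r"range-start\s*=\s*(\S+)", body)
        stop = re.search(r"range-stop\s*=\s*(\S+)", body)
        if start and stop:
            pools[name] = (ipaddress.ip_address(start.group(1)),
                           ipaddress.ip_address(stop.group(1)))
    return pools


def parse_allocations(log):
    """Return [(pool_name, ip)] for each rlm_ippool 'Allocated ip' line in a radiusd -X log."""
    alloc_re = re.compile(r"^\[(\S+)\] Allocated ip (\S+) to client key", re.M)
    return [(name, ipaddress.ip_address(ip)) for name, ip in alloc_re.findall(log)]


def check_allocations(conf, log):
    """Return [(pool, ip, in_range)]; in_range is False when the address is outside the pool's range."""
    pools = parse_pools(conf)
    results = []
    for name, ip in parse_allocations(log):
        start, stop = pools.get(name, (None, None))
        in_range = start is not None and start <= ip <= stop
        results.append((name, str(ip), in_range))
    return results


if __name__ == "__main__":
    for pool, ip, ok in check_allocations(IPPOOL_CONF, DEBUG_LOG):
        print(f"{pool}: allocated {ip} -> {'OK' if ok else 'OUT OF RANGE'}")
```

An OUT OF RANGE result means the running pool state does not reflect the range in the config file shown, so the module's on-disk session-db / ip-index state is worth comparing against the config before looking elsewhere.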