pppd/pptp + freeradius + static IP FYI
Michael Gale
michael.gale at pason.com
Fri Oct 20 17:49:54 CEST 2006
Hello,
FYI - Requirements for me to give out static IP addresses to users using
the following:
pptpd-1.3.3-1.fc4
ppp-2.4.3-5.fc4
freeradius-mysql-1.1.3-1
freeradius-debuginfo-1.1.3-1
freeradius-1.1.3-1
freeradius-unixODBC-1.1.3-1
freeradius-postgresql-1.1.3-1
I have an rlm_perl module that I use to authenticate users and provide
static IP addresses. I came across the following info / issues when
setting this up:
1. /etc/raddb/users file
This file contained a default entry for "Framed-IP-Address" which was
overriding the value set by the rlm_perl module. The "DEFAULT" options
needed to be changed to remove the setting of the IP address.
2. /etc/pptpd.conf file
In this file I uncommented the "delegate" option to allow the IP
address to be set by the radius or chap-secrets. So PPTP will NOT pass
an IP address to pppd. This disables the localip and remoteip options at
the bottom.
* With this option commented out, the IP address returned by freeradius
was still being taken and given to the client, however the pptpd
documentation says to enable the "delegate" option if you are going to
do that.
3. /etc/ppp/options.pptpd file
Once the "delegate" option was enabled, pppd would fail with the error
"Could not determine local IP address", since this address is no longer
being set. I simply added the same IP address used in pptpd.conf localip
to the options.pptpd file in the format:
ipaddress:
According to the man page:
OPTIONS
<local_IP_address>:<remote_IP_address>
Set the local and/or remote interface IP addresses.
Either one may be omitted. The IP addresses can be specified with a
host name or in decimal dot notation (e.g. 150.234.56.78). The default
local address is the (first) IP address of the system (unless the
noipdefault option is given). The remote address will be obtained
from the peer if not specified in any option. Thus, in simple cases,
this option is not required. If a local and/or remote IP address is
specified with this option, pppd will not accept a different value from
the peer in the IPCP negotiation, unless the ipcp-accept-local and/or
ipcp-accept-remote options are given, respectively.
I added the system's IP address with the colon, which allowed pppd to
determine its localip and radius to set the client's IP address.
--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
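
Added example, not part of the original post: a Python check over the three files discussed above that reports the conditions from items 1 to 3 (a DEFAULT entry setting Framed-IP-Address, "delegate" not enabled, and no "<local_IP>:" option once it is). The file contents, the 192.0.2.x addresses and the function names are constructed for illustration, and only dotted-decimal local addresses are recognised.

```python
import re

def users_default_sets_ip(users_text):
    """Item 1: does a DEFAULT entry in the users file set Framed-IP-Address?"""
    in_default = False
    for raw in users_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # entries start in column 0, reply items are indented
            in_default = line.split()[0] == "DEFAULT"
        if in_default and "Framed-IP-Address" in line:
            return True
    return False

def active_options(conf_text):
    """Names of the uncommented options in a pptpd.conf or pppd options file."""
    lines = (raw.split("#", 1)[0].strip() for raw in conf_text.splitlines())
    return [line.split()[0] for line in lines if line]

def local_ip(options):
    """Item 3: local address from a '<local_IP>:' option with the remote side empty."""
    for opt in options:
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):", opt)
        if m:
            return m.group(1)
    return None

def audit(users_text, pptpd_conf, options_pptpd):
    """Return one finding per condition from the post that is still present."""
    findings = []
    if users_default_sets_ip(users_text):
        findings.append("users: DEFAULT entry sets Framed-IP-Address")
    if "delegate" not in active_options(pptpd_conf):
        findings.append("pptpd.conf: delegate is not enabled")
    elif local_ip(active_options(options_pptpd)) is None:
        findings.append("options.pptpd: no '<local_IP>:' option while delegate is on")
    return findings

# Constructed sample files; 192.0.2.x are placeholder addresses.
USERS_BEFORE = ("DEFAULT Framed-Protocol == PPP\n\tFramed-Protocol = PPP,\n"
                "\tFramed-IP-Address = 192.0.2.50,\n"
                "\tFramed-Compression = Van-Jacobson-TCP-IP\n")
USERS_AFTER = USERS_BEFORE.replace("\tFramed-IP-Address = 192.0.2.50,\n", "")
PPTPD_BEFORE = "#delegate\nlocalip 192.0.2.1\nremoteip 192.0.2.234-238\n"
PPTPD_AFTER = PPTPD_BEFORE.replace("#delegate", "delegate")
OPTIONS_BEFORE = "name pptpd\nplugin radius.so\n"
OPTIONS_AFTER = OPTIONS_BEFORE + "192.0.2.1:\n"
```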