MPPE with PPTP - external module (P K)
P K
getpkme at gmail.com
Mon Apr 7 15:36:16 CEST 2014
Thanks Alan & Andre. Andre has shipped version 4.2.4.1 of multiotp,
which behaves like ntlm_auth (request-nt-key) and returns NT_KEY. I've
tested this and it works perfectly on VPN (PPTP + MPPE). radtest shows
the MPPE fields being returned. I'll summarise the config for people
who may be looking for the solution in future:
Summary:
Since I use the same RADIUS server for various NAS and different
protocols, I configured it to operate on the IP address of the NAS.
1. Create module/multiotp with the following contents (the program string
must be on a single line in the config file; it is only wrapped here by mail):
    exec multiotp {
        wait = yes
        input_pairs = request
        output_pairs = reply
        program = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
        shell_escape = yes
    }
2. Copy module/mschap to module/multiotpmschap. Change the following
line in multiotpmschap:
"mschap {"
----->
"mschap multiotpmschap {"
Also change the ntlm_auth variable (again a single line in the file):
    ntlm_auth = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
3. Change sites-available/default.
Make sure this block is anywhere below "mschap" in the authorize section:
    # Change 172.17.17.17 to your NAS IP. Compare the address exactly: an
    # unanchored regex such as =~ /172\.17\.17\.17/ would also match
    # 172.17.17.170, 172.17.17.171 and so on.
    if (NAS-IP-Address == 172.17.17.17) {
        if (control:Auth-Type == 'MS-CHAP') {
            update control {
                Auth-Type := multiotpmschap
            }
        }
        else {
            update control {
                Auth-Type := multiotp
            }
        }
    }
So effectively, if the NAS is 172.17.17.17 and Auth-Type is set to MS-CHAP
(by the mschap module), we set Auth-Type to multiotpmschap. Else, for
CHAP and PAP, we use multiotp.
4. Finally, add this in the authenticate section:
    Auth-Type multiotp {
        multiotp
    }
    Auth-Type multiotpmschap {
        multiotpmschap
    }
Test with radtest:
-----------------
radtest -t mschap MYUSER MYMOTPPASSWD localhost 10 MYRADIUSPASSWD -1 172.17.17.17
Sending Access-Request of id 19 to 127.0.0.1 port 1812
        User-Name = "MYUSER"
        NAS-IP-Address = 172.17.17.17
        NAS-Port = 10
        Framed-Protocol = PPP
        MS-CHAP-Challenge = 0xc90c5f25c89f571b
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fde990c33e7e7ab22531fb74d2176006423f992ef6372c53
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=19, length=84
        MS-CHAP-MPPE-Keys = 0x00000000000000005d6292d8bd881a63d8e05973b517da5c0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000006
Note the MPPE keys being returned.
PS: Steps 2 & 3 are required if you want to operate on multiple NAS and
change behaviour. If you want to use multiotp for all mschap
regardless of NAS then one can simply enable ntlm_auth to use multiotp
directly. No need to make a copy.
Hope this helps someone.
Thanks again!
On 4 April 2014 14:05, P K <getpkme at gmail.com> wrote:
> Thanks Alan. I understand now.
>
> On 4 April 2014 13:30, Alan DeKok <aland at deployingradius.com> wrote:
>> P K wrote:
>>> I guess what Andre is asking is:
>>>
>>> 1. Is there any way he could make changes to multiOTP so that it
>>> passes the NT Password back to freeradius so that freeradius creates
>>> the mppe stuff (MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc) and sends to
>>> NAS? Is yes then what is the parameter name that freeradius will need
>>> to the mppe bit?
>>
>> Yes. The mschap program already does this using ntlm_auth. So... you
>> make MultiOTP behave the same as ntlm_auth.
>>
>>> If not then,
>>> 2. Am I correct in understanding that multiOTP (when executed using
>>> exec) needs to send MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc as output
>>> to freeradius? RFC2548 describes the process to create these keys.
>>
>> That won't work for a number of reasons.
>>
>> Alan DeKok.