Quick Look: Linux VPN with MS IAS

I've been running a simple Linux VPN for one of my clients even though they run an Active Directory domain. I'd toyed with modifying pppd to use PAM so it could latch onto other authentication methods like LDAP or SMB. Unfortunately, with MS-CHAP the password never arrives in the clear: pppd only sees the client's challenge response, which is derived from the NT password hash, so there is nothing you can hand to an LDAP or SMB bind for comparison. The only thing that can check it is something that itself speaks MS-CHAPv2 and can get at the domain's account hashes. The solution?

Five words: Remote Authentication Dial-In User Service, or RADIUS. RADIUS is an extensible standard for authenticating dial-in and VPN users against a central server. Windows 2000 Server ships a RADIUS server called Internet Authentication Service, or IAS. It is what a "normal" Windows domain uses to authenticate RAS users, and because it validates against the domain controller it can verify MS-CHAPv2 responses that pppd cannot.

If you're reading this page, you're probably already using ppp 2.4.2b3. You've probably already found PoPToP, the exceptional open source PPTP server. You've probably even patched your 2.4 or later kernel to do MPPE and MPPC on behalf of the ppp interface.

That's where I was a couple of days ago anyway: the plain old chap-secrets file with one shared password for the whole company. Not elegant, and not secure either. One password means no per-user revocation and no way to tell who actually connected, and PPTP with MS-CHAP is weak enough on its own (a captured handshake can be attacked offline) without making it worse.

The final piece of this puzzle is getting pppd to authenticate against the IAS server. Setting up IAS is cake. Install the service from Add/Remove Programs, launch it from Start->Settings->Control Panel->Administrative Tools->Internet Authentication Service, and add a new client using your Linux VPN server's name or IP and a password you're sure to remember. That "password" is the RADIUS shared secret: it is the only thing authenticating traffic between pppd and IAS, and the MD5 construction RADIUS uses for that can be brute-forced offline by anyone who can sniff the exchange, so make it long and random rather than merely memorable.

Now we're back on the Linux box in the ppp source folder. A warning: don't use CVS as of 3/7/2004 1:31PM, because they are tinkering with improving the MS-CHAP code, YMMV. You first need to patch pppd to work with MS-CHAPv2 and MPPE. Then go into the pppd/plugins/radius directory and compile and install. This builds the bundled radiusclient package (programs, libraries, and configuration files) and installs a plugin for pppd.

Now you just need to set up pppd. Here are my config files.

/etc/pptpd.conf

speed 115200
option /etc/ppp/pptpd-options
debug
localip 192.168.1.254
remoteip 192.168.1.110-130

/etc/ppp/pptpd-options

name router
domain MYDOMAIN.COM
auth
require-mschap-v2
require-mppe-128
nomppe-40
ms-dns 192.168.1.2
ms-wins 192.168.1.2
netmask 255.255.255.0
nodefaultroute
proxyarp
lock
logfile /var/log/pptpd.log
plugin radius.so
plugin radattr.so
radius-config-file /etc/ppp/radiusclient.conf

/etc/ppp/radiusclient.conf

auth_order      radius
login_tries     10
login_timeout   1
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver      192.168.1.2:1812
acctserver      192.168.1.2:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3

/etc/radiusclient/servers

myradiusserver.mydomain.com MyIASPassword
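
As an added example (not from the original post, and not code from ppp, radiusclient or IAS), here is what the configuration above puts on the wire between pppd's radius plugin and IAS, reduced to Python: an Access-Request carrying the MS-CHAPv2 challenge and response as Microsoft vendor attributes (RFC 2865 framing, RFC 2548 attributes), the Access-Accept IAS answers with, the Response Authenticator check the client side performs with the secret from /etc/radiusclient/servers, and the offline wordlist attack an eavesdropper between the two boxes can run against that secret. The secret, user name, challenge and the 50-byte MS-CHAP2-Response are constructed sample data; the response is not computed from a real password (that needs MD4 and DES) and is carried as an opaque blob, which is all the RADIUS layer cares about.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865; Microsoft VSAs from RFC 2548.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 4, 6, 7
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 8, 26
MS_VENDOR_ID = 311
MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 11, 25


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def ms_vsa(vendor_type, value):
    """Microsoft vendor attribute wrapped in Vendor-Specific (type 26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + inner)


def packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident, user, nas_ip, challenge, chap2_response, req_auth):
    """What pppd's radius plugin sends for MS-CHAPv2: no password at all, only
    the 16-byte challenge and the client's 50-byte MS-CHAP2-Response."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", 2))      # Framed
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))   # PPP
             + ms_vsa(MS_CHAP_CHALLENGE, challenge)
             + ms_vsa(MS_CHAP2_RESPONSE, chap2_response))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only thing binding a reply to the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_accept(request, attrs, secret):
    """The server's reply, keyed with the same secret the NAS holds."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(request, response, secret):
    """The NAS-side check: same Identifier, and an authenticator that matches."""
    if response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def crack_secret(request, response, wordlist):
    """Offline attack on a sniffed request/reply pair: each candidate costs one
    MD5; the first one that reproduces the authenticator is the shared secret."""
    for candidate in wordlist:
        if verify_response(request, response, candidate):
            return candidate
    return None


def demo():
    # Constructed sample data, not real credentials or a real capture.
    secret = b"MyIASPassword"          # the IAS client "password" from the post
    challenge = bytes(range(16))       # MS-CHAPv2 authenticator challenge
    chap2 = (b"\x01\x00" + bytes(range(16, 32))   # Ident, Flags, Peer-Challenge
             + bytes(8) + bytes(range(32, 56)))   # Reserved, NT-Response (opaque here)
    req = access_request(7, "MYDOMAIN\\alice", "192.168.1.254", challenge, chap2,
                         os.urandom(16))
    # A real IAS accept also carries MS-CHAP2-Success and the MPPE keys; a
    # Framed-IP-Address from the pool is enough to show the authenticator logic.
    accept = access_accept(req, attr(FRAMED_IP_ADDRESS, bytes([192, 168, 1, 110])), secret)
    assert verify_response(req, accept, secret)
    assert not verify_response(req, accept, b"NotTheSecret")
    # A few thousand "memorable" candidates take well under a second.
    return crack_secret(req, accept, [b"password", b"radius", b"MyIASPassword"])
```

Nothing here touches the network; demo() returns the recovered secret. The practical upshot for the setup above is twofold: the IAS client "password" should be long and random, and the pppd-to-IAS hop should run on a segment you trust, since a sniffed exchange plus a guessable secret lets an attacker forge Access-Accepts for any user.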

One housekeeping point: /etc/radiusclient/servers holds the shared secret in the clear, so it should be owned by root and readable by nobody else. With that in place, a Win32 computer can connect to the VPN using the person's Windows username and password. I've also connected with Linux and Mac OS X clients. I only just got this working and still have a number of tweaks to make. Here are some caveats.

  • Sometimes the connection doesn't work; just let it redial. I've never had it take more than three tries. I'm investigating, and I think it might be a timeout thing (login_timeout?). Note that in radiusclient.conf the knobs governing how long the plugin waits for IAS are radius_timeout and radius_retries; login_tries and login_timeout belong to the login.radius program, not to the RADIUS request.
  • Turn off "Use default gateway on remote network" in the TCP/IP advanced properties of the VPN connection on the Windows client, or all of the client's traffic will be routed through the tunnel.
  • You need to add the domain on the Windows client (default_realm?).
  • If you get error 1717 on the Windows client, reboot; an installer has probably left loose ends.
  • No matter what rules you use in IAS, it seems the user account must have dial-in enabled (the Dial-in tab of the user's properties in Active Directory Users and Computers).

Anyway. Cheers and happy tunneling.

1 Comment

I always get an error:
radius.so: undefined symbol: MD5Final

I modified the Debian source package of ppp;
everything compiled fine. Afterwards I followed your instructions.

maybe someone can help.