Poptop and freeradius on debian lenny

by ajitabhpandey

Hi,

I am trying to set up pptp with freeradius on debian lenny. I have
set up freeradius with mysql backend and tested it using the radtest
command and it works. See below:

# radtest myuser mypassword localhost 1812 'mysecret'
Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = "myuser"
        User-Password = "mypassword"
        NAS-IP-Address = x.y.z.a
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=20

The only three tables where I have inserted values in the database are:

insert into radcheck (username,attribute,op,value) values
('myuser','Crypt-Password',':=',encrypt('mypassword'));
insert into radgroupcheck (groupname,attribute,op,value) values
('dynamic','Auth-Type',':=','Crypt-Local');
insert into radgroupreply (groupname,attribute,op,value) values
('dynamic','Acct-Interim-Interval','=',60);

(I have changed the username/password/NAS-IP)

On the poptop side, the following are the configurations:
# cat /etc/pptpd.conf
ppp /usr/sbin/pppd
options /etc/ppp/pptpd-options
debug
delegate
connections 150
localip 10.8.1.1
remoteip 10.8.1.2-150

# cat /etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
mtu 1450
mru 1450
ms-dns 64.68.200.200
ms-dns 205.210.42.205
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
# Debian: do not replace the default route
nodefaultroute
debug
dump
lock
nobsdcomp
deflate 0
# Plugins
plugin radius.so
plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf

# cat /etc/radiusclient/radiusclient.conf
auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      localhost:1812
acctserver      localhost:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

Now on the client side when I run the command:

# pppd pty "pptp vpn.mydomain.com --nolaunchpppd" debug logfd 2 nodetach noauth nobsdcomp nodeflate name myuser remotename pptp
using channel 63
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe639bb74> <pcomp> <accomp>]
Modem hangup
Connection terminated.
Script pptp vpn.mydomain.com --nolaunchpppd finished (pid 8691), status = 0x0


The log entries on the server end are:

# tail -f /var/log/syslog
Jul  3 13:20:48 vpnserver pptpd[14561]: MGR: Launching /usr/sbin/pptpctrl to handle client
Jul  3 13:20:48 vpnserver pptpd[14561]: CTRL: Client 116.87.186.234 control connection started
Jul  3 13:20:48 vpnserver pptpd[14561]: CTRL: Received PPTP Control Message (type: 1)
Jul  3 13:20:48 vpnserver pptpd[14561]: CTRL: Made a START CTRL CONN RPLY packet
Jul  3 13:20:48 vpnserver pptpd[14561]: CTRL: I wrote 156 bytes to the client.
Jul  3 13:20:48 vpnserver pptpd[14561]: CTRL: Sent packet to client
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Received PPTP Control Message (type: 7)
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Set parameters to 10000000 maxbps, 3 window size
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Made a OUT CALL RPLY packet
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Starting call (launching pppd, opening GRE)
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: pty_fd = 6
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: tty_fd = 7
Jul  3 13:20:49 vpnserver pptpd[14562]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: I wrote 32 bytes to the client.
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Sent packet to client
Jul  3 13:20:49 vpnserver pppd[14562]: The remote system is required to authenticate itself
Jul  3 13:20:49 vpnserver pppd[14562]: but I couldn't find any suitable secret (password) for it to use to do so.
Jul  3 13:20:49 vpnserver pptpd[14561]: GRE: read(fd=6,buffer=610a80,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Reaping child PPP[14562]
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Client 116.87.186.234 control connection finished
Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Exiting now
Jul  3 13:20:49 vpnserver pptpd[14406]: MGR: Reaped child 14561


Now when I create a /etc/ppp/chap-secrets file I get authentication
but no IP, so I commented out the line "delegate" from /etc/pptpd.conf
and it worked.

The problem here is the authentication. I have even checked, by
running freeradius in debug mode, that ppp is not sending the
auth request to it.

All I want to do right now is use freeradius (with mysql) for auth and
keep the IP delegation to poptop.

Any help will be appreciated. Please let me know if any other data is required.


Regards.
--
Ajitabh Pandey
http://ajitabhpandey.info/ | http://unixclinic.net/ |
http://buddingthoughts.info
ICQ - 150615062
Registered Linux User - 240748

------------------------------------------------------------------------------
_______________________________________________
Poptop-server mailing list
Poptop-server@...
https://lists.sourceforge.net/lists/listinfo/poptop-server

Re: Poptop and freeradius on debian lenny

by James Cameron-8

On Fri, Jul 03, 2009 at 09:32:11PM +0800, Ajitabh Pandey wrote:
> Jul  3 13:20:49 vpnserver pptpd[14561]: CTRL: Sent packet to client
> Jul  3 13:20:49 vpnserver pppd[14562]: The remote system is required to authenticate itself
> Jul  3 13:20:49 vpnserver pppd[14562]: but I couldn't find any suitable secret (password) for it to use to do so.

pppd is failing because it knows of no way to resolve authentication.
The rest of the output at this point is a cascade.  This must be a
configuration issue.

But I don't know what is wrong.

Despite having "debug" and "dump" options, there is no pppd debug output
in your log.  Reconfigure syslog to capture debug output and check that
pppd is being given all the correct options.

> Now when I create a /etc/ppp/chap-secrets file I get authentication
> but no IP, so I commented out the line "delegate" from /etc/pptpd.conf
> and it worked.

See man pptpd.conf for the explanation of "delegate".  What you describe
in this paragraph sounds normal.  You haven't given pppd an IP address
to use, so naturally you won't get an IP address for the link.

> All I want to do right now is use freeradius (with mysql) for auth and
> keep the IP delegation to poptop.

pptpd needs "delegate" to be absent in order to perform IP allocation.

--
James Cameron    mailto:quozl@...     http://quozl.netrek.org/
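
An added example, not part of either message or of the Poptop project: a small Python lint for the pptpd.conf and pppd options pair, covering the points this thread turns on (whether pppd is handed the options file at all, "delegate" alongside "remoteip", and whether radius.so is loaded when authentication is required). The function names and finding ids are hypothetical; keyword meanings are taken from pptpd.conf(5), which documents the options-file keyword as singular "option".

```python
# Added example, not code from the thread. Keyword meanings follow pptpd.conf(5)
# and pppd(8); lint() and the finding ids are hypothetical names.
AUTH_OPTS = {"auth", "require-pap", "require-chap", "require-mschap", "require-mschap-v2"}

def parse_options(text):
    """Return {keyword: [argument, ...]}, ignoring '#' comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def lint(pptpd_conf, pppd_options):
    """Return [(finding_id, explanation), ...] for a pptpd.conf / pppd options pair."""
    conf, ppp = parse_options(pptpd_conf), parse_options(pppd_options)
    out = []
    if "option" not in conf:  # the documented keyword is singular
        out.append(("no-option-file", "pptpd.conf has no 'option' line, so pppd falls back "
                    "to /etc/ppp/options and never reads the file holding the plugin lines"))
    if "delegate" in conf and "remoteip" in conf:
        out.append(("delegate-with-remoteip", "'delegate' stops pptpd passing addresses "
                    "from 'remoteip'; pppd must get one from RADIUS or chap-secrets"))
    if AUTH_OPTS.intersection(ppp) and "radius.so" not in ppp.get("plugin", []):
        out.append(("no-radius-plugin", "authentication is required but radius.so is "
                    "not loaded, so pppd can only look in /etc/ppp/*-secrets"))
    return out

# Copied from the first message (the pppd options are abbreviated to the relevant lines).
THREAD_CONF = """ppp /usr/sbin/pppd
options /etc/ppp/pptpd-options
debug
delegate
connections 150
localip 10.8.1.1
remoteip 10.8.1.2-150
"""
THREAD_PPP = """name pptpd
require-mschap-v2
debug
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
"""
# Constructed variant: singular 'option', no 'delegate'.
FIXED_CONF = THREAD_CONF.replace("options ", "option ").replace("delegate\n", "")

if __name__ == "__main__":
    for fid, msg in lint(THREAD_CONF, THREAD_PPP):
        print(f"{fid}: {msg}")
```

Confirm the keyword spellings against the man pages installed on the server before acting on a finding.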
