PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto

Copyright © 2005-2009 Wing S Kwok

by: Wing S Kwok
email: wskwok18 (at) gmail.com

Revision History:

Release 1.5 - 22 March 2009
- Added a section on how to restrict one connection per user

Release 1.4 - 30 September 2008
- Updated information of the Howto to focus on Fedora 8
- Moved FC5/FC6 specific information to Appendix

Release 1.3 - 19 May 2007
- Added info on potential problem of selinux on pptpd
- Added info to build rpm from pptpd tar ball
- Updated version information of software

Release 1.21 - 23 February 2007
- Fixed up typo in dictionary.microsoft

Release 1.2 - 15 January 2007
- Added Fedora Core 6 information

Release 1.1 - 25 September 2006
- Updated version information on kernel, samba and pptpd

Release 1.0 - 7 May 2006
- Updated the Howto to focus on Fedora Core 5
- Rearranged the order of steps to make the walkthrough more logical
- Moved Fedora Core 4 specific info to Appendix

Release 0.8 - 5 March 2006
- Updated information on pptpd, samba version
- Updated information on FC4 kernel version
- Added info on changing MTU size

Release 0.71 - 3 February 2006
- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.

Release 0.7 -- 1 February 2006
- Section 12.2 has been rewritten.
- Updated information on Samba version.
- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5

Release 0.6 -- 5 January 2006
- Added a new section on pptp server administration.
- Updated information on Samba version.

Release 0.5 -- 17 November 2005
- Included info on kernel 2.6.15-rc1 and MPPE support

Release 0.4 -- 30 October 2005
- Updated kernel-ppp-mppe version number

Release 0.3 -- 23 October 2005
- added the Acknowledgements section
- added information on problem with FC4 2.6.13 kernel and mppe kernel module
- added information on kernel upgrade and dkms_autoinstaller
- added information on pptp access control
- updated the software version info to reflect the latest available version

Release 0.2 -- 23 September 2005
- Rewrote part of the pptp client configuration section and included split tunneling information.

Release 0.1 -- 12 September 2005
- added Kerberos version information
- added the full path of winbindd_privileged directory
- fixed the VBScript which had a few lines missing
- corrected a few typos
First Release -- 5 September 2005

This document covers how to integrate Poptop with Microsoft Active Directory on Fedora 8. Two different implementations are described: a) winbind; and b) freeradius.


Table of Contents
1. Introduction
2. Disclaimer
3. Acknowledgements
4. The Test Environment
5. Fedora and SELINUX
6. Network Configuration
6.1 Default Route and Static Routes
6.2 Enable Packet Forwarding
7. Install MPPE Kernel Module
8. pppd and pptpd
8.1 pppd
8.2 Install pptpd
9. Samba
9.1 Configure Samba
10. Kerberos
10.1 Configure Kerberos
10.2 Test Kerberos
11. Join the AD Domain
12. pptpd and winbindd
12.1 Enable and Test winbindd
12.2 Configure pptpd
12.3 PPTP Access Control
13. Software for Radius Setup
14. Radiusclient
14.1 radiusclient.conf
14.2 dictionary.microsoft
15. Freeradius
15.1 Configure Freeradius for MSCHAPv2
15.2 PPTP Access Control
16. pptpd and freeradius
16.1 Enable freeradius
16.2 Configure pptpd
17. pptp Client Installation
17.1 Split Tunneling
18. pptp Server Administration
18.1 Who is Online?
18.2 Accounting
18.3 Disconnect a User
18.4 Allow One Connection per User
A1. Install MPPE Module on Fedora Core 4 / 5 / 6
A1.1 Fedora Core 5 / 6
A1.2 Fedora Core 4
A1.3 Kernel Upgrade and dkms_autoinstaller
A2. Update pppd on Fedora Core 4 / 5 / 6
A2.1 Fedora Core 5 / 6
A2.2 Fedora Core 4
A3. Samba for Fedora Core 4 / 5 / 6
A3.1 Fedora Core 5 / 6
A3.2 Fedora Core 4
A4. Software for Radius Setup on Fedora Core 4 / 5 / 6
A4.1 Fedora Core 5 / 6
A4.2 Fedora Core 4
A5. Radiusclient Configuration for Fedora 4 / 5 / 6
A5.1 radiusclient.conf
A5.2 dicitonary.microsoft
A6. Configure Freeradius for MSCHAP2 on Fedora 4 / 5 / 6

1. Introduction

This document descibes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the Replacing a Windows PPTP Server with Linux Howto created by Matt Alexander and maintained by James Cameron. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in a AD setup which has thousands of objects. The AD in my work is a big tree. It spans across all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.

The other way of doing it is with radius. Information on how to setup pptpd with radius against Active Directory is scarce. I can only find bits and pieces information from forums but never find any comprehensive documents. I spent days to try to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.

To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.

Note:
- this howto is based on Fedora 8 and use pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.
- Information for Fedora Core 4/5/6 has been moved to Appendix and will not be updated anymore.


2. Disclaimer

This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk.

Any comments on this document will be greatly appreciated..


3. Acknowledgements

Thanks to the following individuals who provided feedback and suggestions to make this document better.

Peter Mueller - suggested to add information on Kerberos version (R0.1)
Francis Lessard - provided details on implementing pptp access control (R0.3)
James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5)
Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71)
Nicolas Ross - pointed out typo in dictionary.microsoft (R1.21)
Frederick Chapleau - info on the potential problem of SELINUX on PPTPD (R1.3)


Next   Content