L2TP with RADIUS HOWTO
Note that when one talks about “L2TP with RADIUS”, one is really talking about L2TP, with PPP authentication via RADIUS. You never use L2TP all by itself - it's designed to connect two PPP end points (“client” and “server”) over an intermediate routable network.
So what we'll actually be looking at here is how to configure pppd to use RADIUS authentication, with L2TPd invoking the RADIUS-capable pppd.
- TACACS and RADIUS plugin for pppd from
- MPPE + MSCHAP2 patches from http://www.shorewall.net/pub/shorewall/pptp/
- Original pppd 2.4.1 from ftp://ftp.samba.org/pub/ppp/ppp-2.4.1.tar.gz
- freeradius 0.9.3 from ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
- PostgreSQL 7.4 was already installed on my Mac OS X machine
- RFC 2661 (L2TP) http://www.ietf.org/rfc/rfc2661.txt
- RFC 1661 (PPP) http://www.ietf.org/rfc/rfc1661.txt
Note we are using 2.4.1 of pppd, not 2.4.2. This is because the plugins interface changed between the two versions (so perhaps it should have been 2.4.1 vs 2.5.0? but what's done is done).
It shouldn't matter which machine the PostgreSQL server is installed on - let's see how wrong I am.
[EMAIL PROTECTED]:/home/grail/src/l2tpd-radius-howto] 22:20 [0|26]% ls -l
total 2468
drwxr-xr-x 15 grail staff    1024 Nov 21 07:16 freeradius-0.9.3
-rw-r--r--  1 grail staff 1819922 Feb 11 22:13 freeradius-0.9.3.tar.gz
drwxr-xr-x 16 grail staff    1024 Mar 25  2001 ppp-2.4.1
-rw-r--r--  1 grail staff     495 Feb 11 22:13 ppp-2.4.1-MSCHAPv2-fix.patch
-rw-r--r--  1 grail staff  136956 Feb 11 22:19 ppp-2.4.1-openssl-0.9.6-mppe-patch
-rw-r--r--  1 grail staff  536746 Feb 11 22:11 ppp-2.4.1.tar.gz
-rw-r--r--  1 grail staff    6638 Feb 11 22:12 pppd-2.4.1-plugin-hooks.patch
-rw-r--r--  1 grail staff    7901 Feb 11 22:12 pppd-mppe-2.4.1-plugin-hooks.patch
cd ppp-2.4.1
patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
./configure
cd pppd
patch -p1 < ../../pppd-mppe-2.4.1-plugin-hooks.patch

What the…? I got heaps of rejected patch lines.
Back to basics. Just unpack 2.4.1 and try to compile it cleanly. That worked fine for me. Now apply the MSCHAP patch. Nope - that doesn't work. The mppe patch introduces a symbol, “CHAP_MICROSOFT_V2”, which it uses but never defines. I'll have to find where this comes from. If anyone can help me compile pppd with the mppe patch properly, please let me know, and I'll include the details in this HOWTO.
So let's just go for the RADIUS/TACACS patch… which works fine, apparently.
Configure your RADIUS server

Magic happens here. Find out how to configure your RADIUS server elsewhere. I tried freeradius under Mac OS X and got the problem described here: http://lists.cistron.nl/pipermail/freeradius-users/2002-September/011609.html. If anyone can figure that one out, let me know!
After that botched attempt, I compiled freeradius under Debian GNU/Linux v3.0 instead. In retrospect, I probably would have been better off getting a backport. Nevermind.
So now, I have a pppd that can do RADIUS/TACACS, and I have a RADIUS server.
I'm up to here, 2004-02-18 - AMS

Next step is patching (see below) and compiling L2TPD. I'll stick with Linux for now - at a later date I might explore compiling L2TPD on Mac OS X. I don't think it's particularly portable though.
Then configuring L2TPD as LAC and LNS on different machines and watching the control connection being set up and torn down (with copious reference to the RFC). This probably belongs in a L2TP HOWTO, not a L2TP-RADIUS HOWTO.
Then configuring L2TPD to invoke PPPD for a trivial connection (with authentication through chap-secrets). I'll have to remember the (trivial) L2TPD patch to pass on the calling number and called number for the RADIUS plugin to pick up.
Then configure PPPD to actually use RADIUS for AAA and use L2TPD to invoke PPPD for a trivial connection with authentication through RADIUS (chap-secrets empty).
Then end-to-end testing with L2TPD to ensure that RADIUS AAA records are being properly recorded.
Then an example with multiple PPP interfaces per LAC, and multiple LACs. Perhaps throw in some route munging too, and definitely cover the perennial PMTU problem. Though that really belongs in a L2TP HOWTO, not in the L2TP-RADIUS HOWTO.
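As an added check for the end-to-end accounting test in the plan above (example code written for this HOWTO, not part of the original page and not code from freeradius, pppd or L2TPD): a small Python script that reads a FreeRADIUS "detail" accounting file, pairs Start and Stop records by Acct-Session-Id, and flags sessions that never stopped, Stops with no matching Start, user-name mismatches between the two records, session times that disagree with the record timestamps, and Start records that lack the Calling-Station-Id the L2TPD calling-number patch is supposed to feed the RADIUS plugin. The detail-file layout (a timestamp line, tab-indented "Attribute = Value" lines, a blank line between packets), the tolerance value and every sample value below are assumptions constructed for this example.

```python
"""Audit RADIUS accounting records from a FreeRADIUS-style 'detail' file.

Added example for the L2TP-with-RADIUS HOWTO; not code from the page or
from any of the projects it uses.  Input format and all data are assumed.
"""
import re
from datetime import datetime

# Constructed sample detail-file text (assumption: timestamp line, then
# tab-indented "Attribute = Value" lines, then a blank line per packet).
# Session 0000001A starts and stops cleanly; 0000001B starts, never stops,
# and arrived without a Calling-Station-Id.
SAMPLE_DETAIL = """\
Wed Feb 18 22:20:01 2004
\tAcct-Session-Id = "0000001A"
\tAcct-Status-Type = Start
\tUser-Name = "grail"
\tNAS-IP-Address = 192.0.2.10
\tCalling-Station-Id = "192.0.2.77"
\tCalled-Station-Id = "192.0.2.10"
\tFramed-IP-Address = 10.0.0.2

Wed Feb 18 22:20:03 2004
\tAcct-Session-Id = "0000001B"
\tAcct-Status-Type = Start
\tUser-Name = "mallory"
\tNAS-IP-Address = 192.0.2.10

Wed Feb 18 22:35:42 2004
\tAcct-Session-Id = "0000001A"
\tAcct-Status-Type = Stop
\tUser-Name = "grail"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Time = 941
\tAcct-Input-Octets = 123456
\tAcct-Output-Octets = 654321
\tAcct-Terminate-Cause = User-Request
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # assumed timestamp layout


def parse_detail(text):
    """Return one dict per accounting packet; '_timestamp' holds the header time."""
    records = []
    for chunk in re.split(r'\n\s*\n', text.strip()):
        lines = chunk.splitlines()
        rec = {"_timestamp": datetime.strptime(lines[0].strip(), TS_FORMAT)}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if not m:
                continue          # skip anything that is not "Attr = Value"
            name, value = m.groups()
            rec[name] = value.strip('"')
        records.append(rec)
    return records


def audit_sessions(records, tolerance=5):
    """Pair Start/Stop by Acct-Session-Id and report anomalies as sets of ids.

    tolerance: seconds of slack allowed between Acct-Session-Time and the
    wall-clock gap between the Start and Stop records (assumed value).
    """
    starts, stops = {}, {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if sid is None:
            continue
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            stops[sid] = rec

    report = {"complete": set(), "open": set(), "orphan_stops": set(),
              "user_mismatch": set(), "time_mismatch": set(),
              "no_calling_id": set()}
    for sid, start in starts.items():
        if "Calling-Station-Id" not in start:
            report["no_calling_id"].add(sid)   # L2TPD did not pass the calling number
        stop = stops.get(sid)
        if stop is None:
            report["open"].add(sid)            # session still up, or Stop was lost
            continue
        report["complete"].add(sid)
        if start.get("User-Name") != stop.get("User-Name"):
            report["user_mismatch"].add(sid)
        elapsed = (stop["_timestamp"] - start["_timestamp"]).total_seconds()
        claimed = int(stop.get("Acct-Session-Time", -1))
        if abs(elapsed - claimed) > tolerance:
            report["time_mismatch"].add(sid)   # NAS clock or accounting bug
    report["orphan_stops"] = set(stops) - set(starts)
    return report


if __name__ == "__main__":
    for key, ids in audit_sessions(parse_detail(SAMPLE_DETAIL)).items():
        print(f"{key:14s} {sorted(ids)}")
```

Run it against the detail file your freeradius writes for the LNS (usually one file per NAS under the radacct directory); every id that lands in a set other than "complete" is a session whose accounting you cannot trust.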
Asides: Setting up freeradius to handle an 802.1x network: http://www.jepstone.net/index.cgi/Wireless/WiFi/OSXRadius8021X.writeback