It seems like there is not a good explanation in any one place on how to set this up. Most of what follows was assembled from existing documentation. It took a while to piece these steps together and make it work, so I thought I would share how I did it.
This configuration will allow Linux and Windows clients to dial in to your network, functioning similarly to a Windows NT RAS server. Users will be authenticated against a RADIUS server. Among other things, this provides a convenient method to authenticate users against an NT domain or Active Directory. Clients must authenticate using PAP (CHAP is not supported).
Prerequisites:
- Working install of RedHat 8.0 (pam_radius_auth will not work with the gcc included in RH 9)
- Working (non-win) modem (assumed to be /dev/ttyS1)
- Working RADIUS server accessible from the dialin server
Configure a Windows RADIUS server:
For NT4, install "Internet Connection Services" for RAS from the Option Pack CD. Be sure "Internet Authentication Services" is selected. You will also need to install IIS, if it is not already installed. If you wish to authenticate users in an NT domain, the server must be a member of the domain, a PDC or BDC. By default IAS uses ports 1645 and 1646 for RADIUS. You will need to change this to match /etc/services on your dialin server. The Option Pack version of IAS ignores dialin permission settings - all valid users are authenticated. SP5 or later corrects this problem.
For Windows 2000 server, install Internet Authentication Service from the Windows 2000 CD. If you wish to authenticate users in an NT domain, the server must be a member of the domain, a PDC or BDC.
In the IAS client list, add your dialin server IP and a 'shared_secret'.
Configure your dialin server:
Install the latest mgetty RPM from ftp://updates.redhat.com/8.0/... (tested with mgetty-1.1.28-9)
Install the latest pam RPM from ftp://updates.redhat.com/8.0/... (tested with pam-0.75-46.8.0)
Edit /etc/inittab to tell init to start the mgetty service(s). Add one line per modem. Modify "ttyS1" for your modem. The first two characters must be a unique identifier for the inittab entry and are not otherwise relevant. "2345" signifies the runlevels for which mgetty is to be started. "respawn" means that inittab will continually verify mgetty is running and will attempt to restart it if not.
    S1:2345:respawn:/sbin/mgetty ttyS1
    S2:2345:respawn:/sbin/mgetty ttyS2
    etc.
Install the ppp RPM from the RedHat CDs and/or check for an updated version at ftp://updates.redhat.com/8.0/... (tested with ppp-2.4.1-7)
Edit /etc/ppp/options to include the following:
    auth
    -chap
    +pap
    login
    modem
    crtscts
    debug
    proxyarp
    lock
    ms-dns 172.16.yy.zz
Replace 172.16.yy.zz with the address of the DNS server for your dialup clients to use.
Create files in /etc/ppp for each modem named "options.ttySx". Each options file should contain one line:
    hostIP:clientIP
where hostIP is the address of the network interface on the dialin server and clientIP is the IP to be assigned to the dialin client.
Uncomment or add the following lines as required in /etc/mgetty+sendfax/login.conf:
    /AutoPPP/  -  a_ppp  /usr/sbin/pppd auth -chap +pap login debug
    *          -  -      /bin/login @
To force ppp to use RADIUS, edit /etc/ppp/pap-secrets to look like this:
    # client   server   secret   IP addresses
    *          *        ""       *
Install the current pam_radius_auth tarball from ftp://ftp.freeradius.org/pub/radius/ (I used ver. 1.3.15):
    tar xvf pam_radius-x.xx.xx
    cd pam_radius-x.xx.xx
    make       (you can ignore warnings about extra tokens)
    cp pam_radius_auth.so /lib/security
If it doesn't already exist, create /etc/raddb, then:
    cp pam_radius_auth.conf /etc/raddb/server
    chmod 600 /etc/raddb/server
Edit /etc/raddb/server to look like:
    # server[:port]   shared_secret                      timeout (s)
    127.0.0.1         secret                             1
    172.16.xx.yy      your-radius-server-shared_secret
Replace 172.16.xx.yy with the address of your RADIUS server. The timeout field can be left blank. Be sure to leave the line containing 127.0.0.1 alone.
Edit your PAM configuration to use RADIUS for ppp. Add one line to /etc/pam.d/ppp so the file looks like this:
    #%PAM-1.0
    auth       required     pam_nologin.so
    auth       sufficient   /lib/security/pam_radius_auth.so debug
    auth       required     pam_stack.so service=system-auth
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
Verify /etc/services contains the following:
    radius          1812/tcp                # Radius
    radius          1812/udp                # Radius
    radius-acct     1813/tcp        radacct # Radius Accounting
    radius-acct     1813/udp        radacct # Radius Accounting
Enable proxy arp and IP forwarding at the kernel level. You can add these lines to your /etc/rc.d/rc.local file to make this happen at boot:
    echo 1 >> /proc/sys/net/ipv4/ip_forward
    echo 1 >> /proc/sys/net/ipv4/conf/all/proxy_arp
Finally, you must create a user account on the dialin server for each dialin user. You do not need to set passwords or home directories, but the accounts must exist for the user to authenticate via RADIUS.
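A read-only checker for the dialin server files set up above, added here as an example and not part of the original post; it assumes the file locations used above and takes an optional prefix so it can be run against a scratch copy of the files rather than the live /etc.

```shell
#!/bin/sh
# Added example, not from the original post: read-only sanity checks for the
# RADIUS dial-in setup above. ROOT is an optional prefix so the checks can run
# against a scratch copy of the files instead of the live /etc.
# /etc/raddb/server holds the RADIUS shared secret, so it must stay mode 0600
# and keep the 127.0.0.1 line the post says to leave alone.
check_raddb_perms() {
  f="$1/etc/raddb/server"
  [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || { echo "FAIL: $f is $mode, want -rw-------"; return 1; }
  grep -q '^127\.0\.0\.1[[:space:]]' "$f" || { echo "FAIL: $f lacks 127.0.0.1 line"; return 1; }
}
# pap-secrets must hold only the wildcard entry, so pppd hands the PAP
# credentials to login(1), and so to PAM, instead of matching them locally.
check_pap_secrets() {
  f="$1/etc/ppp/pap-secrets"
  grep -q '^\*[[:space:]]\{1,\}\*[[:space:]]\{1,\}""[[:space:]]\{1,\}\*' "$f" 2>/dev/null \
    || { echo "FAIL: $f has no '* * \"\" *' entry"; return 1; }
}
# pppd must require authentication, refuse CHAP and accept PAP via login.
check_ppp_options() {
  f="$1/etc/ppp/options"
  for opt in auth -chap +pap login; do
    grep -qx -e "$opt" "$f" 2>/dev/null || { echo "FAIL: $f lacks '$opt'"; return 1; }
  done
}
# pam_radius_auth must precede the system-auth stack: as "sufficient", a RADIUS
# accept ends the auth stack, while a reject falls through to the local
# password check, so a local account with a password set could also dial in.
check_pam_order() {
  f="$1/etc/pam.d/ppp"
  r=$(grep -n 'pam_radius_auth' "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
  s=$(grep -n '^auth.*pam_stack' "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
  [ -n "$r" ] || { echo "FAIL: $f has no pam_radius_auth line"; return 1; }
  [ -z "$s" ] || [ "$r" -lt "$s" ] || { echo "FAIL: pam_radius_auth after pam_stack in $f"; return 1; }
}
# Run every check and report; returns non-zero if any of them failed.
check_dialin_config() {
  root="${1%/}"; rc=0
  for c in check_raddb_perms check_pap_secrets check_ppp_options check_pam_order; do
    "$c" "$root" || rc=1
  done
  [ "$rc" -eq 0 ] && echo "OK: dial-in RADIUS configuration looks consistent"
  return "$rc"
}
[ "$#" -gt 0 ] && check_dialin_config "$1"   # e.g.: sh check-dialin.sh /
```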
More information:
http://freeradius.org/pam_radius_auth/
http://www.tldp.org/HOWTO/ISP-Setup-RedHat-HOWTO.html
http://www.tldp.org/HOWTO/PPP-HOWTO/index.html
http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man8/pppd.8.html&srch=ppp
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
