No, I'm not shouting, they're just acronyms :)

I wasted a lot of time last night trying to configure freeradius on Mac OS X (which is the machine running my PostgreSQL installation). So now I've got freeradius "running" on a Linux box.

Tonight I'll get on to the patching and compiling of l2tpd, and setting up the LAC/LNS connection. That's the easy part. I may even have time to write up about setting pppd and whatever to connect.

Then tomorrow night I'll get on to the meat of the HOWTO which is

If there's a secret L2TPD HOWTO somewhere that I don't know of, let me know :) Otherwise I'll end up writing one before the L2TPD+RADIUS howto is finished.


Starting Blocks:

Note that when one talks about "L2TP with RADIUS", one is really talking about L2TP, 
with PPP authentication via RADIUS. You never use L2TP all by itself - it's designed 
to connect two PPP end points ("client" and "server") over an intermediate routable 

So what we'll actually be looking at here is how to configure pppd to use RADIUS 
authentication, with L2TPd invoking the RADIUS-capable pppd.

I collected
   * TACACS and RADIUS plugin for pppd from
   * MPPE + MSCHAP2 patches from
   * Original pppd 2.4.1 from
   * freeradius 0.9.3 from
   * PostgreSQL 7.4 was already installed on my Mac OS X machine
   * RFC 2661 (L2TP)
   * RFC 1661 (PPP)

Note we are using 2.4.1 of pppd, not 2.4.2. This is because the plugins interface 
changed between the two versions (so perhaps it should have been 2.4.1 vs 2.5.0? but 
what's done is done).

It shouldn't matter which machine the PostgreSQL server is installed on - let's see 
how wrong I am.

[EMAIL PROTECTED]:/home/grail/src/l2tpd-radius-howto]
22:20 [0|26]% ls -l
total 2468
drwxr-xr-x   15 grail    staff        1024 Nov 21 07:16 freeradius-0.9.3
-rw-r--r--    1 grail    staff     1819922 Feb 11 22:13 freeradius-0.9.3.tar.gz
drwxr-xr-x   16 grail    staff        1024 Mar 25  2001 ppp-2.4.1
-rw-r--r--    1 grail    staff         495 Feb 11 22:13 ppp-2.4.1-MSCHAPv2-fix.patch
-rw-r--r--    1 grail    staff      136956 Feb 11 22:19 
-rw-r--r--    1 grail    staff      536746 Feb 11 22:11 ppp-2.4.1.tar.gz
-rw-r--r--    1 grail    staff        6638 Feb 11 22:12 pppd-2.4.1-plugin-hooks.patch
-rw-r--r--    1 grail    staff        7901 Feb 11 22:12 

cd ppp-2.4.1
patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
cd pppd
patch -p1 < ../../pppd-mppe-2.4.1-plugin-hooks.patch

What the...? I got heaps of rejected patch lines.

Back to basics. Just unpack the 2.4.1 and try to compile it cleanly. That worked fine 
for me. Now apply the MSCHAP patch. Nope - that doesn't work. The mppe patch 
introduces a symbol, "CHAP_MICROSOFT_V2", which it uses but never defines. Will have 
to find where this comes from. If anyone can help me compile pppd with the mppe patch 
properly, please let me know, and I'll include the details in this HOWTO.

So let's just go for the RADIUS/TACACS patch... which works fine, apparently.

Configure your RADIUS server

Magic happens here. Find out how to configure your RADIUS server elsewhere. I tried 
freeradius under Mac OS X and got the problem described here: If 
anyone can figure that one out, let me know!

After that botched attempt, I compiled freeradius under Debian GNU/Linux v3.0 instead. 
In retrospect, I probably would have been better off getting a backport. Never mind.

So now, I have a pppd that can do RADIUS/TACACS, and I have a RADIUS server.

** I'm up to here, 2004-02-18 - AMS **

Next step is patching (see below) and compiling L2TPD. I'll stick with Linux for now - 
at a later date I might explore compiling L2TPD on Mac OS X. I don't think it's 
particularly portable though.

Then configuring L2TPD as LAC and LNS on different machines and watching the control 
connection being set up and torn down (with copious reference to the RFC). This 
probably belongs in a L2TP HOWTO, not a L2TP-RADIUS HOWTO.

Then configuring L2TPD to invoke PPPD for a trivial connection (with authentication 
through chap-secrets). I'll have to remember the (trivial) L2TPD patch to pass on the 
calling number and called number for the RADIUS plugin to pick up.

Then configure PPPD to actually use RADIUS for AAA and use L2TPD to invoke PPPD for a 
trivial connection with authentication through RADIUS (chap-secrets empty).

Then end-to-end testing with L2TPD to ensure that RADIUS AAA records are being 
properly recorded.

Then an example with multiple PPP interfaces per LAC, and multiple LACs. Perhaps throw 
in some route munging too, and definitely cover the perennial PMTU problem. Though 
that really belongs in a L2TP HOWTO, not in the L2TP-RADIUS HOWTO.

Setting up freeradius to handle an 802.1x network:
