все как написано здесь зделал... не помогло (http://www.abills.net.ua/wiki/doku.php?id=abills:docs:mschap...)
Вот конфиги радиуса и мпд...MPD -
#################################################################
#
# MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.41 2007/10/05 17:42:52 amotin Exp $
#
#################################################################
startup:
# configure the console
# enable TCP-Wrapper (hosts_access(5)) to block unfriendly clients
set global enable tcp-wrapper
set console self 10.0.16.10 5005
set console user pahan admin
#set console user foo1 bar1
set console open
# configure the web server
#set web self 0.0.0.0 5006
#set web user foo bar
#set web open
####################################################################
#Netflow options
# set netflow peer %MPD_NETFLOW_IP% %MPD_NETFLOW_PORT%
# set netflow self %MPD_NETFLOW_SOURCE_IP% %MPD_NETFLOW_SOURCE_PORT%
# set netflow timeouts 15 15
# set netflow hook 9000
# #set netflow node netflow
#####################################################################
#
# Default configuration is "dialup"
default:
load pptp_server
dialup:
#
# Example of a simple PPP dialup account using modem device.
# This will connect whenever there is outgoing demand (DoD), and hangup
# after a 15 minute idle time. It also connects and disconnects
# when signals SIGUSR1 and SIGUSR2 are received, respectively.
#
# Note the "set iface addrs ..." is needed because we're doing
# dial-on-demand and therefore can't wait for the peer to assign
# us IP addresses for the interface. These can be completely phoney
# IP addresses.
#
# We also enable the idle-script "Ringback", which means if we're
# not connected and we detect an incoming call, we don't answer it
# BUT we do initiate a call to the ISP to get connected. This is
# nice to connect yourself when you're away from home, etc.
# Create static modem link named L1
# create link static L1 modem
# Configure modem
set modem device /dev/cuad0
set modem var $DialPrefix "DT"
set modem var $Telephone "1-415-555-1212"
set modem script DialPeer
set modem idle-script Ringback
# We expect to be authenticated by peer using any protocol.
set link disable chap pap
set link accept chap pap
# Configure the account name. Password will be taken from mpd.secret.
set auth authname MyLogin
# To make Ringback work we should specify how to handle "incoming"
# calls originated by it.
set link action bundle B1
set link enable incoming
# Create static bundle named B1
create bundle static B1
# Enumerate links participating in DoD
set bundle links L1
# Configure the interface: dial on demand, default route, idle timeout.
set iface addrs 1.1.1.1 2.2.2.2
set iface route default
set iface enable on-demand
set iface idle 900
# "Open" interface (but don't actually dial until there's demand)
open iface
dialin:
#
# This setup answers incoming calls from a remote peer,
# but is not intended for dialing out.
#
# The local IP address is 1.1.1.1 and the remote is 2.2.2.2.
#
# create bundle static B1
set iface idle 900
set ipcp ranges 1.1.1.1/32 2.2.2.2/32
create link static L1 modem
# Set bundle to use
set link action bundle B1
# Authenticate peer with chap-md5
set link no chap pap eap
set link enable chap-md5
# Configure modem
set modem device /dev/cuad0
set modem var $DialPrefix "DT"
set modem idle-script AnswerCall
# Permit incoming calls using this link
set link enable incoming
multi_dialup:
#
# Example of a multi-link dialup setup, using links "usr1" and "usr2"
# Similar to the first example, but uses two links together, and
# does not do dial-on-demand.
#
# Create clonable bundle template
create bundle template B
set iface route default
set iface idle 900
# Create links and open them
create link static L1 modem
load common
set modem device /dev/cuad0
open
create link static L2 modem
load common
set modem device /dev/cuad1
open
common:
# Enable multilink protocol
set link enable multilink
# Set bundle template to use
set link action bundle B
# Allow peer to authenticate us
set link disable chap pap
set link accept chap pap
set auth authname MyLogin
# Set inifinite redial attempts
set link max-redial 0
set modem var $DialPrefix "DT"
set modem var $Telephone "1-415-555-1212"
set modem script DialPeer
sync:
#
# Dedicated synchronous line using netgraph link.
# The remote router is connected to the 192.168.2.0/24 subnet.
# No authentication required.
#
create bundle static B1
set iface route 192.168.2.0/24
set ipcp ranges 192.168.1.153/32 192.168.2.1/24
create link static L1 ng
set link action bundle B1
set link max-redial 0
set link no chap pap
set ng node sr0:
set ng hook rawdata
open
pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote. From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#
# Define dynamic IP address pool.
set ippool add pool1 10.1.0.1 10.1.255.255
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set iface up-script "/usr/abills/libexec/linkupdown mpd up"
set iface down-script "/usr/abills/libexec/linkupdown mpd down"
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 10.1.100.1/32 ippool pool1
set ipcp dns 10.0.31.1
# set ipcp nbns 192.168.1.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
load radius
set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self 10.0.16.10
# Allow to accept calls
set link enable incoming
pptp_vpn:
#
# Mpd using PPTP for LAN to LAN VPN, always connected.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and another
# remote private Office LAN numbered 192.168.2.0/24, and you wanted to route
# between these two private networks using a PPTP VPN over the Internet.
#
# You run mpd on dual-homed machines on either end. Say the local machine
# has internal address 192.168.1.1 and externally visible address 1.2.3.4,
# and the remote machine has internal address 192.168.2.1 and externally
# visible address 2.3.4.5.
#
# Note: mpd does not support the peer's "inside" IP address being the same
# as its "outside" IP address. In the above example, this means that
# 192.168.2.1 != 2.3.4.5.
#
# The "inside" IP addresses are configured by "set ipcp ranges ..."
# (in mpd.conf) while the "outside" IP addreses are configured by
# "set pptp self ..." and "set pptp peer ...".
#
create bundle static B1
set ipcp ranges 192.168.1.1/32 192.168.2.1/32
set iface route 192.168.2.0/24
# Enable Microsoft Point-to-Point encryption (MPPE)
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set bundle enable crypt-reqd
set ccp yes mpp-stateless
create link static L1 pptp
set link action bundle B1
# Enable both sides to authenticat each other with CHAP
set link no pap
set link yes chap
set auth authname "VpnLogin"
set auth password "VpnPassword"
set link mtu 1460
set link keep-alive 10 75
set link max-redial 0
# Configure PPTP and open link
set pptp self 1.2.3.4
set pptp peer 2.3.4.5
set link enable incoming
open
pptp_client:
#
# PPTP client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#
create bundle static B1
set iface route default
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
create link static L1 pptp
set link action bundle B1
set auth authname MyLogin
set auth password MyPass
set link max-redial 0
set link mtu 1460
set link keep-alive 20 75
set pptp peer 1.2.3.4
set pptp disable windowing
open
pppoe_server:
#
# Multihomed multilink PPPoE server
#
# Create clonable bundle template
create bundle template B
# Set IP addresses. Peer address will be later replaced by RADIUS.
set ipcp ranges 10.1.16.0/32 10.1.16.400/32
# Create link template with common info
create link template common pppoe
# Enable multilink protocol
set link enable multilink
# Set bundle template to use
set link action bundle B
# Enable peer authentication
set link disable chap pap eap
set link enable pap
load radius
set pppoe service "superisp"
# Create templates for ifaces to listen using 'common' template and let them go
create link template fxp0 common
set pppoe iface fxp0
set link enable incoming
create link template fxp1 common
set pppoe iface fxp1
set link enable incoming
pppoe_client:
#
# PPPoE client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#
create bundle static B1
set iface route default
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
create link static L1 pppoe
set link action bundle B1
set auth authname MyLogin
set auth password MyPass
set link max-redial 0
set link mtu 1460
set link keep-alive 10 60
set pppoe iface fxp0
set pppoe service ""
open
radius:
# You can use radius.conf(5), its useful, because you can share the
# same config with userland-ppp and other apps.
set radius config /etc/radiusd.conf
# or specify the server directly here
set radius server 127.0.0.1 radsecret 1812 1813
set radius retries 3
set radius timeout 10
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
set radius me 127.0.0.1
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
simple_lac:
#
# This is a simple L2TP access concentrator which receives PPPoE calls
# and forwards them to LNS on 1.2.3.4
#
create link template L1 pppoe
set pppoe iface fxp0
set link action forward L2
set link enable incoming
create link template L2 l2tp
set l2tp peer 1.2.3.4
complete_lac:
#
# This is more complicated L2TP access concentrator which receives PPPoE calls
# and if peer auth name includes @corp1.net forwards them to LNS on 1.2.3.4,
# if peer auth name includes @corp2.net forwards them to LNS on 2.3.4.5
# all other connections processes itself localy using internal auth and
# assigning dynamic IP from specified pool.
#
set ippool add pool1 192.168.1.50 192.168.1.99
create link template L1 pppoe
set pppoe iface fxp0
# We must ask authentication to get peer login
set link no pap chap eap
set link enable pap
set link action forward L2 "@corp1\\.net$"
set link action forward L3 "@corp2\\.net$"
set link action bundle B1
set link enable incoming
create link template L2 l2tp
set l2tp peer 1.2.3.4
set l2tp secret corp1secret
create link template L3 l2tp
set l2tp peer 2.3.4.5
set l2tp secret corp2secret
create bundle template B1
set ipcp ranges 192.168.1.1/32 ippool pool1
Freeradius -
# FreeRADIUS Version 1.1.5, for host i386-portbld-freebsd6.2
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 2048
bind_address = *
port = 0
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
#$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
#$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
modules {
exec pre_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl pre_auth"
input_pairs = request
output_pairs = config
}
exec post_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl post_auth"
input_pairs = request
output_pairs = config
}
perl {
module = /usr/abills/libexec/rlm_perl.pl
func_authorize = authorize
func_accounting = accounting
func_authenticate = authenticate
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
#$INCLUDE ${confdir}/eap.conf
mschap {
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}
# files {
# usersfile = ${confdir}/users
# acctusersfile = ${confdir}/acct_users
# preproxy_usersfile = ${confdir}/preproxy_users
# compat = no
# }
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
#suppress {
# User-Password
#}
}
# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
# detail reply_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# attr_filter {
# attrsfile = ${confdir}/attrs
# }
expr {
}
exec {
wait = yes
input_pairs = request
}
}
instantiate {
exec
expr
}
authorize {
preprocess
pre_auth
mschap
# files
#eap
perl
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# don't use simultaneously 'perl' and files
perl
#eap
}
preacct {
preprocess
acct_unique
}
accounting {
# don't use simultaneously 'perl' and files
perl
#detail
}
session {
# radutmp
# sql
}
post-auth {
Post-Auth-Type REJECT {
post_auth
}
}