PPTP over FreeRadius with mOTP (multiotp) Authentication

FreeRadius Server Environment & information

Linux OS: Gentoo

Radius Server: FreeRadius 2.2.5

mOTP radius module: multiOTP 4.2.4.2

PHP version: 5.3.28

LAN IP: 192.168.1.4/24

VPN Router IP information

Model: Vigor2860

WAN2 IP: 1.101.102.1

LAN IP: 192.168.1.1/24

A. Set up RADIUS Server on Router

  1. Go to Applications >> RADIUS, fill in the settings below, click OK, and reboot the router.

    (Figure a-1)

      1. Make sure RADIUS is enabled.
      2. Enter the RADIUS Server IP Address (192.168.1.4 in this setup), the port, and the Shared Secret.

B. Set up Smart VPN Client File

  1. Go to Smart VPN, and click Insert.

    (Figure b-1)

  2. Set up the VPN Profile and click OK.

    (Figure b-2-a)

      1. Enter a Profile Name.
      2. Enter the VPN Server address (the router's WAN2 IP, 1.101.102.1 in this setup) and the User Name.
      3. Check mOTP, and click mOTP Settings.

    (Figure b-2-b)

        1. Select SmartVPN Build-in OTP Generator.
        2. Click Generate to automatically generate the Secret, as shown below.
          Note: If you already have a Secret generated in another way, simply enter that Secret.

    (Figure b-2-c)

        1. Click Store.

    (Figure b-2-d)

  3. Configure PPTP and click OK.

    (Figure b-3)

      1. Choose the Authentication Method, and check Require encryption for MPPE Encryption.

C. Set up RADIUS Server File on Linux

  1. Install FreeRADIUS on Gentoo Linux.

    (Figure c-1)

    1. Enter “sudo -s” to switch to the root user.

    2. Enter “emerge -qv freeradius” to install FreeRADIUS with emerge.

  2. Install multiOTP:

    (Figure c-2-a)

    1. Download the multiOTP module from http://www.multiotp.net

    2. Enter “mkdir /usr/local/multiotp” to create the multiotp folder, and “unzip multiotp.zip -d /usr/local/multiotp/” to unzip multiotp.zip into it.

    3. Enter “chmod +x /usr/local/multiotp/multiotp.php” to make multiotp.php executable.

    (Figure c-2-b)

    1. Enter “/usr/local/multiotp/multiotp.php -config timezone=Asia/Taipei” to set the multiOTP timezone (here we use Asia/Taipei).

    2. Enter “/usr/local/multiotp/multiotp.php -create user1 mOTP 5dc0424b2e7922f3472a0f8429a80b12 1234” to create a multiOTP user; the general form of the command is “multiotp.php -create user algo seed pin”.

      Note: The Secret (seed) must be the same as the one used on the Smart VPN Client.

  3. Configure FreeRADIUS:

    (Figure c-3-a)

    1. Enter “cd /etc/raddb” to change to the FreeRADIUS config folder.

    2. Enter “cp modules/mschap modules/multiotpmschap” to copy the mschap module config to a new multiotpmschap module config.

    3. Enter “vi modules/multiotpmschap” to modify the multiotpmschap config file.

      1. Modify “mschap {” to “mschap multiotpmschap {”.

    (Figure c-3-b)

      2. Set ntlm_auth so that the module calls multiotp.php instead of Samba's ntlm_auth:

               ntlm_auth = "/usr/local/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

    (Figure c-3-c)

  4. Enter “vi modules/multiotp” to add the multiotp module file.

    (Figure c-4-a)

    1. Add the multiotp module definition:

    (Figure c-4-b)

               exec multiotp {
                       wait = yes
                       input_pairs = request
                       output_pairs = reply
                       program = "/usr/local/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
                       shell_escape = yes
               }

  5. Modify the FreeRADIUS default site settings.

    (Figure c-5-a)

    1. Enter “vi sites-enabled/default”.

    2. Add “multiotp” and “multiotpmschap” in the authorize section.

    (Figure c-5-b)

    3. Add the Auth-Type entries in the authenticate section.

    (Figure c-5-c)

               Auth-Type multiotp {
                          multiotp
               }
               Auth-Type multiotpmschap {
                          multiotpmschap
               }

  6. Enter “vi policy.conf”.

    (Figure c-6-a)

    1. Add the multiotp policy in the policy section. If Auth-Type has already been set to MS-CHAP (an MS-CHAP request from the router), the policy switches it to multiotpmschap; otherwise, if no Auth-Type has been set yet, it selects multiotp.

    (Figure c-6-b)

               policy {
                   multiotp.authorize {
                       if (control:Auth-Type == 'MS-CHAP') {
                           update control {
                               Auth-Type := multiotpmschap
                           }
                       }
                       else {
                           if (!control:Auth-Type) {
                               update control {
                                   Auth-Type := multiotp
                               }
                           }
                       }
                   }
               }

  7. Enter “vi clients.conf” to add the router's LAN IP and the shared secret.

    (Figure c-7-a)

    1. Add the client entry (the secret must match the Shared Secret entered on the router in step A):

    (Figure c-7-b)

               client 192.168.1.1 {
                       netmask = 32
                       secret = multiotpsecret
               }

  8. Enter “/etc/init.d/radiusd start” to start the RADIUS Server.

    (Figure c-8)

  9. Use SmartVPN to dial the PPTP VPN.

    (Figure c-9)

Note:

  • Make sure the time on the RADIUS Server and on the VPN client is consistent.

  • You can use the Android DroidOTP app to generate a token (it supports 32-hex-digit secrets).
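The time-consistency note above and the “-create user1 mOTP seed pin” step both follow from how mOTP works: the token is the first six hex characters of the MD5 of the current Unix time in 10-second steps, concatenated with the secret and the PIN. The following Python example is added here and is not part of this guide or of multiOTP; it re-uses the page's seed and PIN, and the ±3-step skew window is an assumption chosen for the example, not multiOTP's own setting.

```python
import hashlib
import hmac
import time
from typing import Optional

# Seed and PIN re-used from the "multiotp.php -create user1 mOTP ..." step
# of this guide; used here for illustration only.
SEED = "5dc0424b2e7922f3472a0f8429a80b12"
PIN = "1234"
# Assumption: tolerate up to 3 ten-second steps of clock skew either way
# (a value chosen for this example, not multiOTP's own setting).
WINDOW_STEPS = 3


def motp_token(seed: str, pin: str, epoch: int) -> str:
    """Mobile-OTP token: first 6 hex chars of MD5(str(epoch // 10) + seed + pin).

    The epoch is truncated to 10-second steps, which is why a skewed clock
    on either side makes the client's token invalid on the server.
    """
    step = str(epoch // 10)
    digest = hashlib.md5((step + seed + pin).encode("ascii")).hexdigest()
    return digest[:6]


def verify_motp(seed: str, pin: str, token: str, now: int,
                window: int = WINDOW_STEPS) -> Optional[int]:
    """Check a token against the steps around `now`; return the matching
    step index, or None if nothing in the window matches."""
    base = now // 10
    candidate = token.strip().lower()
    for offset in range(-window, window + 1):
        step = base + offset
        expected = motp_token(seed, pin, step * 10)
        # Constant-time compare so timing does not reveal how close a guess was.
        if hmac.compare_digest(expected, candidate):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    tok = motp_token(SEED, PIN, now)
    print("current mOTP token for user1:", tok)
    # A client whose clock runs 60 s fast produces a token the server rejects.
    print("accepted with 60 s skew:", verify_motp(SEED, PIN, tok, now + 60) is not None)
```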
