RE: [Poptop-server] Restrict user access

RE: [Poptop-server] Restrict user access

[Sascha Kiefer]

Thanks for the hint.
For what i would like to do i probably will go for radius.
I know thats not the right list, but maybe you (or somebody else) can help
me out:
- installing radius server on the poptop server? Okay/Not okay?
- accessing one radius server from different poptop servers - which means
havin one authentication server for different vpn/physical servers? 
- ensure that only my vpn servers can access the radius server? Probably ip
restrictions?
Any source that i might have to read?

Regards,
Sascha Kiefer


-----Original Message-----
From: james.cameron@hp.com [mailto:james.cameron@hp.com] 
Sent: Dienstag, 6. Mai 2008 10:42
To: Sascha Kiefer
Cc: poptop-server@lists.sourceforge.net
Subject: Re: [Poptop-server] Restrict user access


This would be a pppd configuration issue, not pptpd.  I've heard of various
ways to implement it ... a RADIUS server, or pppd ip-up.d scripting, or pppd
authentication plugins.

You would have to assume that an originating IP address identified a
workstation (which isn't always true).

But yes, certainly *possible*.  Just lacking in implementation
documentation.

-- 
James Cameron                         http://quozl.netrek.org/
HP Open Source, Volunteer             http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

RE: [Poptop-server] Restrict user access

[Sascha Kiefer]

Ok.
I setup a radius server with mysql on a different server.
But i think i'm far from having everything playing together.

I found some howto on the web:
http://poptop.sourceforge.net/dox/radius_mysql.html
So: the client will get the ip from the radius server??? Not from the server
that has poptop running?



-----Original Message-----
From: Sascha Kiefer [mailto:sk@intertivity.com] 
Sent: Dienstag, 6. Mai 2008 11:26
To: 'james.cameron@hp.com'
Cc: 'poptop-server@lists.sourceforge.net'; 'linux-ppp@vger.kernel.org'
Subject: RE: [Poptop-server] Restrict user access


Thanks for the hint.
For what i would like to do i probably will go for radius.
I know thats not the right list, but maybe you (or somebody else) can help
me out:
- installing radius server on the poptop server? Okay/Not okay?
- accessing one radius server from different poptop servers - which means
havin one authentication server for different vpn/physical servers? 
- ensure that only my vpn servers can access the radius server? Probably ip
restrictions? Any source that i might have to read?

Regards,
Sascha Kiefer


-----Original Message-----
From: james.cameron@hp.com [mailto:james.cameron@hp.com] 
Sent: Dienstag, 6. Mai 2008 10:42
To: Sascha Kiefer
Cc: poptop-server@lists.sourceforge.net
Subject: Re: [Poptop-server] Restrict user access


This would be a pppd configuration issue, not pptpd.  I've heard of various
ways to implement it ... a RADIUS server, or pppd ip-up.d scripting, or pppd
authentication plugins.

You would have to assume that an originating IP address identified a
workstation (which isn't always true).

But yes, certainly *possible*.  Just lacking in implementation
documentation.

-- 
James Cameron                         http://quozl.netrek.org/
HP Open Source, Volunteer             http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

Re: [Poptop-server] Restrict user access

[James Cameron]

On Wed, May 07, 2008 at 03:46:38PM +0400, Sascha Kiefer wrote:
> I found some howto on the web:
> http://poptop.sourceforge.net/dox/radius_mysql.html

Edits welcome.  It is getting old.

> So: the client will get the ip from the radius server??? Not from the server
> that has poptop running?

The IP address is allocated by the RADIUS server, passed in a message to
the pppd RADIUS plugin which was selected by pptpd, and pppd then passes
it to the client within IPCP.  The client perceives it has got it from
the server running pptpd.  But you know that it has come from the RADIUS
server.

-- 
James Cameron                         http://quozl.netrek.org/
HP Open Source, Volunteer             http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

Re: [Poptop-server] Restrict user access

[Sascha Kiefer]

James Cameron wrote:
> On Wed, May 07, 2008 at 03:46:38PM +0400, Sascha Kiefer wrote:
>   
> The IP address is allocated by the RADIUS server, passed in a message to
> the pppd RADIUS plugin which was selected by pptpd, and pppd then passes
> it to the client within IPCP.  The client perceives it has got it from
> the server running pptpd.  But you know that it has come from the RADIUS
> server.
>
>   
thanks
. i do not do it this way. i let the pptpd server decide whar it address 
to use.
somehow the pptpd server tells that the radius server. which is fine for me.
can this lead to any problems?

Re: [Poptop-server] Restrict user access

[Sascha Kiefer]

James Cameron wrote:
> On Wed, May 07, 2008 at 03:46:38PM +0400, Sascha Kiefer wrote:
>   
>> I found some howto on the web:
>> http://poptop.sourceforge.net/dox/radius_mysql.html
>>     
>
> Edits welcome.  It is getting old.
>   

i found a nice one: http://wiki.freeradius.org/PopTop

Re: [Poptop-server] Restrict user access

[James Cameron]

On Thu, May 08, 2008 at 09:27:24AM +0400, Sascha Kiefer wrote:
> i do not do it this way. i let the pptpd server decide whar it address
> to use. somehow the pptpd server tells that the radius server. which
> is fine for me.
> can this lead to any problems?

I stand corrected.  Nice to know it can be done that way too.

-- 
James Cameron                         http://quozl.netrek.org/
HP Open Source, Volunteer             http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/