I have set up a rather simple L2TP/IPsec server with xl2tpd, which has a pool of IP addresses in xl2tpd.conf configured for VPN clients. I now need to assign a certain IP address to a VPN client if that client uses a certain username with the correct password. The problem is, pppd is configured to run an auth helper to authenticate users against an Active Directory domain, so I cannot use the chap-secrets file to specify an IP address for a connection that's established with a given user name. Moreover, pppd receives suggested (?) IP addresses from xl2tpd's pool, thus an address is allocated before authentication, and it also seems to ignore the ipcp-accept-remote directive in the options file that technically allows an L2TP client to specify its desired IP address, or I'd just set a static IP address in the client's settings. The client is Windows 7.

How can I make pppd assign a certain IP address to a connection after it has been authenticated against Windows AD?

Edit: it looks like with a configured NTLM auth helper pppd never uses the chap-secrets file at all, so anything I enter there is just not used. So, is it plain impossible?

Vesper

1 Answer

Nothing is impossible, in short; it just needs more or other tools. I have managed to set up a RADIUS server, using freeradius so as not to interfere with Windows-based stuff, but probably the MS RADIUS server with its msRADIUSFramed-IP-Address attribute would also do. I configured a pool for "regular" users, assigned it via the users file DEFAULT entry, then set up both types of authentication (needs more testing, anyway ntlm_auth over mschap works) and then went for username matching to assign IP addresses directly in the freeradius config. Dumb but working.

A set of hacks: First, I failed to properly populate the Stripped-User-Name attribute, so I went with mschap:User-Name to be supplied to ntlm_auth; otherwise the challenge/response is formed against the full name instead of the shortened name, and ntlm_auth promptly fails as winbind is not expecting full names. Maaaybe I should make it work the right way, but winbindd is prone to fail when UPNs start calling, and the sssd backend does not use NTLM to auth the mschap sequence. Second, I moved files before mschap in the authorize sequence, in order to have both types of users, locally stored and domain-stored. Third, I first tested everything with PAP, and when transitioning to mschap I found out that mschap reports ntlm_auth as not being able to read from winbindd. I wasn't able to make radiusd properly launch ntlm_auth as a restricted user (out of time) and made radiusd start as root instead. (Please do this the proper way when you are building a production RADIUS server authenticating against a domain!) But RADIUS only listens on 127.0.0.1, so security is expected to not get worse.

Vesper
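As an added sketch of the scheme the answer describes (example configuration written for this page, not Vesper's actual files): a FreeRADIUS 3 users file with a per-username Framed-IP-Address entry ahead of a DEFAULT pool entry, files placed before mschap in authorize, ntlm_auth fed the short name via %{mschap:User-Name}, and the loopback-only listener. The username "alice", the addresses, the pool name, the sqlippool module in post-auth and the ntlm_auth path are assumptions.

```conf
# --- mods-config/files/authorize (the "users" file) ---
# Entries are tried top-down and the first match wins. There are no password
# check items here: the password is still verified by mschap -> ntlm_auth, so
# these entries only decide what the Access-Accept carries after auth succeeds.
# "alice", the addresses and the pool name are made-up example values.
alice
        Framed-IP-Address = 10.99.0.10,
        Framed-IP-Netmask = 255.255.255.255

# Everyone else: hand out an address from a pool (allocated by an ippool
# module in post-auth; assumed to be sqlippool below).
DEFAULT Pool-Name := "vpn_pool"

# --- sites-enabled/default (relevant sections only) ---
# files runs before mschap so the entries above apply to both locally stored
# and domain-stored users.
authorize {
        preprocess
        files
        mschap
        pap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
post-auth {
        sqlippool
}

# --- mods-available/mschap ---
# ntlm_auth is given the short account name from the MS-CHAP response
# (%{mschap:User-Name}) instead of the raw User-Name, which may be a UPN or
# DOMAIN\user form that winbind does not expect. Path is an assumption.
mschap {
        use_mppe = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- radiusd.conf ---
# Bind only to loopback so nothing but the local pppd can reach radiusd.
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
}
```

pppd's radius plugin applies the Framed-IP-Address from the Access-Accept as the peer address, which is what makes the per-user entry override the xl2tpd pool. When ntlm_auth fails under an unprivileged radiusd, the usual cause is that the radiusd user cannot read the winbindd_privileged pipe directory; adding it to the group that owns that directory (winbindd_priv on Debian-family systems) avoids running radiusd as root.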