[pptp-server] Managing multiple authentication domains

John Van Ostrand john at netdirect.ca
Thu May 4 08:03:10 CDT 2000


It sounds like what you need is not authentication domains but rather
different PPTP configurations.

This can be done by binding pptpd to an IP address. Here's how:

1. Create aliases for your main network interface and assign them IP
addresses like 10.1.1.1 (company A), 10.1.2.1 (company B), and 10.1.3.1
(company C).
2. Then create a separate pptpd.conf file for each subnet. List different
local and remote IPs and tell each pptpd to listen on a different address.
Also make sure that each file specifies a different PID file. For example:

	/etc/company-a.conf
	localip 10.1.1.1
	remoteip 10.1.1.2-16
	listen 10.1.1.1
	pidfile /var/run/pptp.a
	
	/etc/company-b.conf
	localip 10.1.2.1
	remoteip 10.1.2.2-16
	listen 10.1.2.1
	pidfile /var/run/pptp.b

	/etc/company-c.conf
	localip 10.1.3.1
	remoteip 10.1.3.2-16
	listen 10.1.3.1
	pidfile /var/run/pptp.c

Then use the -c option of pptpd to specify the specific conf file:

	pptpd -c /etc/company-a.conf
	pptpd -c /etc/company-b.conf
	pptpd -c /etc/company-c.conf

You'll have three pptpd's running. Tell company A to connect to 10.1.1.1 for
VPN, company B should connect to 10.1.2.1, etc.

This solution uses the same chap-secrets file but this is not a problem
either. You can use the NT domain name to differentiate users. Here's an
example chap-secrets file:


	/etc/ppp/chap-secrets
	SALES\\jsmith	*	"mysecret"	*
	SALES\\jdoe		*	"hersecret"	*
	MKTG\\jsmith	*	"hissecret"	*

Alternatively you could hack pppd to accept a parameter that specifies the
chap-secrets file and include this in different ppp/options files.


> -----Original Message-----
> From: Nate Carlson [mailto:natecars at real-time.com]
> Sent: Wednesday, May 03, 2000 11:36 PM
> To: Mike Ireton
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Managing multiple authentication domains
> 
> 
> On Wed, 3 May 2000, Mike Ireton wrote:
> 
> > Howdy,
> > 	So I would like to know how I would solve the following problem
> > with poptop/pppd:
> > 
> > 	A router serves three different organizations - we'll call them
> > companya, companyb, and companyc. These are all assigned IP addresses such
> > as 10.1.1/24, 10.1.2/24 and 10.1.3/24. 
> > 
> > 	An employee of companya vpn's in. I want her to be assigned an ip
> > address within companya's address range (10.1.1/24). Then employees of
> > companyb and companyc vpn in as well, and I want them to be assigned
> > addresses within their respective ranges as well.
> > 
> > 	It appears to me that I cannot do this. Instead, I need to choose
> > a range of IP addresses ahead of time and cannot base the number chosen
> > upon the chap credentials used to authenticate with.
> > 
> > 	Any ideas?
> 
> I haven't personally tried this, but could you specify all the ranges in
> pptpd.conf and then assign the ip using the fourth field of the
> chap-secrets file? I know you can specify static ip's within the one range
> you have using that field.. I've just never tried multiple ranges.
> 
> -- 
> Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
> http://www.real-time.com                | Fax   : (952)943-8500
> 
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
> 


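Added example (not from the post above and not pptpd's own code): a small
checker for the three-instance layout John describes, run over constructed
copies of his per-company conf files and chap-secrets. It expands each
instance's remoteip pool and verifies that listen addresses and PID files are
unique, that no pool leaves its company's /24, and that no two instances hand
out the same address. It then reads chap-secrets with the same quoting rules
pppd uses and flags the one thing a shared secrets file does not do on its own:
with "*" in the server column, every pptpd instance accepts that login, so a
SALES user who dials company B's address gets a company-B IP. pppd matches the
server column against its own "name", so pinning entries to a per-instance name
closes that. The "option" lines in the sample confs (pointing each instance at
its own ppp options file, where such a "name" would be set) and the pinned
chap-secrets entries are assumptions for the example; the MKTG line carries a
static IP deliberately outside company-b's subnet so the off-subnet check fires.

```python
"""Checks for a multi-instance pptpd layout. Added example, not pptpd's own code."""
import ipaddress
import shlex

# Constructed per-instance pptpd.conf contents, modelled on the post's three files.
# The "option" line is an assumption: each instance gets its own ppp options file,
# which is where a per-instance pppd "name" would be set.
PPTPD_CONFS = {
    "company-a": "localip 10.1.1.1\nremoteip 10.1.1.2-16\nlisten 10.1.1.1\n"
                 "pidfile /var/run/pptp.a\noption /etc/ppp/options.company-a\n",
    "company-b": "localip 10.1.2.1\nremoteip 10.1.2.2-16\nlisten 10.1.2.1\n"
                 "pidfile /var/run/pptp.b\noption /etc/ppp/options.company-b\n",
    "company-c": "localip 10.1.3.1\nremoteip 10.1.3.2-16\nlisten 10.1.3.1\n"
                 "pidfile /var/run/pptp.c\noption /etc/ppp/options.company-c\n",
}

# Constructed chap-secrets: the post's wildcard server column on the first entry,
# then entries pinned to an (assumed) per-instance pppd name; the last one has a
# static IP deliberately outside company-b's subnet.
CHAP_SECRETS = r"""
# client        server      secret        IP
SALES\\jsmith   *           "mysecret"    *
SALES\\jdoe     company-a   "hersecret"   10.1.1.5
MKTG\\jsmith    company-b   "hissecret"   10.1.3.3
"""


def parse_pptpd_conf(text):
    """Return {keyword: value} for a pptpd.conf body; a repeated keyword keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def expand_remoteip(spec):
    """Expand pptpd remoteip syntax ("10.1.1.2-16", "10.1.1.2-10.1.1.16", comma lists)."""
    addrs = []
    for part in spec.split(","):
        start, _, end = part.strip().partition("-")
        first = ipaddress.ip_address(start)
        if not end:
            last = first
        elif "." in end:
            last = ipaddress.ip_address(end)
        else:  # short form gives only the last octet of the end address
            last = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + end)
        addrs.extend(ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    return addrs


def instance_info(confs, prefixlen=24):
    """Map instance name -> (parsed conf, /prefixlen network of localip, set of pool addresses)."""
    info = {}
    for name, text in confs.items():
        c = parse_pptpd_conf(text)
        net = ipaddress.ip_network(f"{c['localip']}/{prefixlen}", strict=False)
        info[name] = (c, net, set(expand_remoteip(c["remoteip"])))
    return info


def check_instances(confs, prefixlen=24):
    """Flag ways the separate pptpd instances could still collide or leak addresses."""
    problems, seen = [], {"listen": {}, "pidfile": {}}
    info = instance_info(confs, prefixlen)
    for name, (c, net, pool) in info.items():
        for key in ("listen", "pidfile"):  # must be unique per instance, as the post says
            if c[key] in seen[key]:
                problems.append(f"{name}: {key} {c[key]} already used by {seen[key][c[key]]}")
            seen[key].setdefault(c[key], name)
        outside = sorted(a for a in pool if a not in net)
        if outside:
            problems.append(f"{name}: remoteip pool leaves {net} (e.g. {outside[0]})")
    names = list(info)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            clash = info[a][2] & info[b][2]
            if clash:
                problems.append(f"{a} and {b} both hand out {min(clash)}")
    return problems


def parse_chap_secrets(text):
    """Return (client, server, secret, ip) tuples; shlex applies pppd-style quotes and escapes.
    Only the first address word after the secret is kept."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if 0 < len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {line!r}")
        if fields:
            entries.append((fields[0], fields[1], fields[2], fields[3] if len(fields) > 3 else "*"))
    return entries


def check_secrets(secrets_text, confs, prefixlen=24):
    """Report logins any instance accepts, unknown server names, and off-subnet static IPs."""
    info = instance_info(confs, prefixlen)
    findings = []
    for client, server, _secret, ip in parse_chap_secrets(secrets_text):
        if server == "*":  # pppd matches this column against its "name"; "*" matches every instance
            findings.append(f"{client}: server '*' lets every instance ({', '.join(info)}) accept this login")
        elif server not in info:
            findings.append(f"{client}: server '{server}' matches no instance name")
        elif ip not in ("*", "-") and ipaddress.ip_address(ip) not in info[server][1]:
            findings.append(f"{client}: static IP {ip} is outside {server}'s {info[server][1]}")
    return findings
```

Run it against the real /etc/company-*.conf and /etc/ppp/chap-secrets by
reading those files into PPTPD_CONFS and CHAP_SECRETS; the instance names in
the dict must equal the "name" each instance's ppp options file sets, since
that is what pppd compares the chap-secrets server column against.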
