[pptp-server] Managing multiple authentication domains
John Van Ostrand
john at netdirect.ca
Thu May 4 08:03:10 CDT 2000
It sounds like what you need is not authentication domains but rather
different PPTP configurations.
This can be done by binding pptpd to an IP address. Here's how:
1. Create aliases for your main network interface and assign them IP
addresses like 10.1.1.1 (company a), 10.1.2.1 (company B), and 10.1.3.1
(company c.)
2. Then create a separate pptpd.conf file for each subnet. List different
local and remote IPs and tell each pptpd to listen to a different address.
Also make sure that each file specifies a different PID file. For example:

/etc/company-a.conf
    localip 10.1.1.1
    remoteip 10.1.1.2-16
    listen 10.1.1.1
    pidfile /var/run/pptp.a

/etc/company-b.conf
    localip 10.1.2.1
    remoteip 10.1.2.2-16
    listen 10.1.2.1
    pidfile /var/run/pptp.b

/etc/company-c.conf
    localip 10.1.3.1
    remoteip 10.1.3.2-16
    listen 10.1.3.1
    pidfile /var/run/pptp.c

Then use the -c option of pptp to specify the specific conf file:
pptpd -c /etc/company-a.conf
pptpd -c /etc/company-b.conf
pptpd -c /etc/company-c.conf
You'll have three pptpd's running. Tell company a to connect to 10.1.1.1 for
VPN, company b should connect to 10.1.2.1, etc.
This solution uses the same chap-secrets file but this is not a problem
either. You can use the NT domain name to differentiate users. Here's an
example chap-secrets file:

/etc/ppp/chap-secrets
    SALES\\jsmith * "mysecret" *
    SALES\\jdoe * "hersecret" *
    MKTG\\jsmith * "hissecret" *

Alternatively you could hack pppd to accept a parameter that changes
the specific chap secrets file and include this in different ppp/options
files.
> -----Original Message-----
> From: Nate Carlson [mailto:natecars at real-time.com]
> Sent: Wednesday, May 03, 2000 11:36 PM
> To: Mike Ireton
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Managing multiple authentication domains
>
>
> On Wed, 3 May 2000, Mike Ireton wrote:
>
> > Howdy,
> > So I would like to know how I would solve the following problem
> > with poptop/pppd:
> >
> > A router serves three different organizations - we'll call them
> > companya, companyb, and companyc. These are all assigned IP addresses
> > such as 10.1.1/24, 10.1.2/24 and 10.1.3/24.
> >
> > An employee of companya vpn's in. I want her to be assigned an ip
> > address within companya's address range (10.1.1/24). Then employees of
> > companyb and companyc vpn in as well, and I want them to be assigned
> > addresses within their respective ranges as well.
> >
> > It appears to me that I cannot do this. Instead, I need to choose
> > a range of IP addresses ahead of time and cannot base the number chosen
> > upon the chap credentials used to authenticate with.
> >
> > Any ideas?
>
> I haven't personally tried this, but could you specify all the ranges in
> pptpd.conf and then assign the ip using the fourth field of the
> chap-secrets file? I know you can specify static ip's within the one range
> you have using that field.. I've just never tried multiple ranges.
>
> --
> Nate Carlson <natecars at real-time.com> | Phone : (952)943-8700
> http://www.real-time.com | Fax : (952)943-8500
>
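
A pre-flight check for the per-company setup described in the reply, added here as an example and not part of the original message: it verifies that the three instances use distinct listen addresses, PID files and non-overlapping remoteip pools, and lists chap-secrets entries whose server and address fields are both `*`, meaning the file itself does not tie that account to one company's instance. The function names are hypothetical, the input is constructed from the values in the post, and `shlex` is used as an approximation of pppd's word splitting.

```python
import ipaddress
import shlex

# Constructed input: the three files and the chap-secrets lines from the post.
CONFS = {
    f"/etc/company-{c}.conf": f"localip 10.1.{n}.1\nremoteip 10.1.{n}.2-16\n"
                              f"listen 10.1.{n}.1\npidfile /var/run/pptp.{c}\n"
    for n, c in enumerate("abc", start=1)
}
CHAP_SECRETS = r'''
SALES\\jsmith * "mysecret" *
SALES\\jdoe * "hersecret" *
MKTG\\jsmith * "hissecret" *
'''

def parse_conf(text):
    """Return {directive: value} for one pptpd.conf-style file."""
    rows = (ln.split(None, 1) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#"))
    return {row[0]: row[-1].strip() for row in rows}

def remote_pool(spec):
    """Expand 'a.b.c.X-Y[,...]' (the range form used in the post) to a set."""
    pool = set()
    for part in spec.split(","):
        start, _, last = part.strip().partition("-")
        first = ipaddress.ip_address(start)
        low = int(first) & 0xFF                  # last octet of the start address
        high = int(last) if last else low
        pool.update(first + i for i in range(high - low + 1))
    return pool

def check_instances(confs):
    """List problems: missing directives, shared listen/pidfile, overlapping pools."""
    problems, owner, pools = [], {}, {}
    for path, text in confs.items():
        conf = parse_conf(text)
        for key in ("listen", "pidfile", "remoteip"):
            if key not in conf:
                problems.append(f"{path}: no {key} directive")
            elif key != "remoteip" and owner.setdefault((key, conf[key]), path) != path:
                problems.append(f"{path}: {key} also used by {owner[key, conf[key]]}")
        pool = remote_pool(conf["remoteip"]) if "remoteip" in conf else set()
        problems += [f"{path}: remoteip overlaps {other}"
                     for other, used in pools.items() if pool & used]
        pools[path] = pool
    return problems

def unscoped_secrets(text):
    """Clients whose server and address fields are both '*'."""
    entries = (shlex.split(ln, comments=True) for ln in text.splitlines())
    return [f[0] for f in entries if len(f) >= 4 and f[1] == "*" and f[3] == "*"]
```
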