OK...per experimentation, it would appear that L2TP works with Local Users, but PPTP does not. However, the PPTP VPN process should be able to authenticate against the built-in RADIUS server, which does work with Local Users. The question is, how do I make this happen? Google is only vaguely my friend here; I've managed to get the RADIUS service configured:
```
# dseditgroup -o create -n . -r RADIUS com.apple.access_radius
# radiusconfig -setconfig auth yes
# radiusconfig -setconfig auth_badpass yes
# radiusconfig -setconfig auth_goodpass yes
# radiusconfig -installcerts /etc/certificates/<server_cert_string>.key.pem /etc/certificates/<server_cert_string>.cert.pem /etc/certificates/<server_cert_string>.chain.pem
# radiusconfig -setcertpassword
Enter Certificate Passphrase: Apple:UseCertAdmin
# radiusconfig -start
```
After adding a user "testuser" to the com.apple.access_radius group, I can then run a successful test using the built-in configuration for localhost:
```
# time echo "User-Name=testuser,User-password=testpass,Framed-Protocol=PPP " | radclient -x -r 1 -t 10 localhost:1812 auth testing123
Sending Access-Request of id 106 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpass"
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=106, length=32
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP

real    0m6.658s
user    0m0.018s
sys     0m0.009s
```
One concerning issue is the fact that it takes almost 7 seconds for the RADIUS server to respond, but at least it does work.
Now I need to configure PPTP to use the RADIUS server. I create a text file "vpnrad" with the following contents:
```
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "testing123"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "127.0.0.1:1812"
```
Then I use "serveradmin settings < vpnrad" to pull those settings into the VPN config. That works. But the PPTP service doesn't appear to be hitting the RADIUS service at all. I've tried the "Address" key both with and without the port (1812) tagged onto it; same behavior either way. The RADIUS log shows no hits, and the VPN log shows:
```
2015-06-01 14:15:40 CDT Incoming call... Address given to client = 10.0.77.95
Mon Jun  1 14:15:41 2015 : Directory Services Authentication plugin initialized
Mon Jun  1 14:15:41 2015 : Directory Services Authorization plugin initialized
Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun  1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun  1 14:15:41 2015 : PPTP incoming call in progress from '50.24.10.202'...
Mon Jun  1 14:15:41 2015 : PPTP connection established.
Mon Jun  1 14:15:41 2015 : using link 1
Mon Jun  1 14:15:41 2015 : Using interface ppp1
Mon Jun  1 14:15:41 2015 : Connect: ppp1 <--> socket[34:17]
Mon Jun  1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:41 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:44 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:47 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:47 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:47 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:47 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:50 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:50 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:50 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:50 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:53 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:53 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:53 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:53 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:56 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:56 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:56 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:56 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:59 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:15:59 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:15:59 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:15:59 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:02 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:16:02 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:02 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:16:02 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:05 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:16:05 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:05 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:16:05 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:08 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun  1 14:16:08 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:08 2015 : lcp_reqci: returning CONFACK.
Mon Jun  1 14:16:08 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun  1 14:16:11 2015 : LCP: timeout sending Config-Requests
Mon Jun  1 14:16:11 2015 : Connection terminated.
Mon Jun  1 14:16:11 2015 : PPTP disconnecting...
Mon Jun  1 14:16:11 2015 : PPTP disconnected
2015-06-01 14:16:11 CDT --> Client with address = 10.0.77.95 has hungup
```
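The RADIUS exchange that the radclient test in the post exercises, as an added example that is not part of the original post: it builds the same Access-Request (User-Name, User-Password, Framed-Protocol=PPP) on the wire per RFC 2865, and it checks the reply's Response Authenticator with the shared secret, so an answer from a server holding a different secret, or one not addressed to this request, is not mistaken for an Access-Accept. The shared secret `testing123` and the attributes come from the post; host, port and the `authenticate` helper's names are this example's own.

```python
# Added example, not the original post's code: minimal RFC 2865 client for the radclient exchange above.
import hashlib, os, socket, struct, time
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes
USER_NAME, USER_PASSWORD, FRAMED_PROTOCOL = 1, 2, 7     # attribute types
FRAMED_PROTOCOL_PPP = 1

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous ciphertext block), the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident, user, password, secret, authenticator):
    """Access-Request carrying User-Name, User-Password and Framed-Protocol=PPP."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(reply, ident, request_authenticator, secret):
    """Return the reply code only if ID, length and Response Authenticator all check out."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[0] if expected == reply[4:20] else None

def authenticate(host, port, user, password, secret, timeout=10.0):
    """Send one request over UDP; return (verified reply code or None, round-trip seconds)."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_request(ident, user, password, secret, authenticator), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, time.monotonic() - start
    return verify_reply(reply, ident, authenticator, secret), time.monotonic() - start
```

`authenticate("127.0.0.1", 1812, "testuser", "testpass", b"testing123")` reproduces the radclient test and also reports the round-trip time, which makes the slow response noted above measurable from a script.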