Linux PPP protocol development
* Re-2: Authentication problems
@ 2006-09-12  7:57 Ludovic MARCILLY
  2006-09-12  8:17 ` Gilles Espinasse
  2006-09-12 11:13 ` James Carlson
  0 siblings, 2 replies; 3+ messages in thread
From: Ludovic MARCILLY @ 2006-09-12  7:57 UTC (permalink / raw)
  To: linux-ppp


First of all, thank you for your answer! Now it works. In fact, I had put the
auth-pap in my config files because I thought I had to put it in order to
authenticate myself to the server with PAP. It seems that I was wrong...

So I can't put these options in the config file on the client side? If I
understand, the server asks the client for PAP, CHAP or MS-CHAP method to
authenticate? The client doesn't choose the authentication method? Is it right?

Thanks for your answer.

Ludo.

-------- Original Message --------
Subject: Re: Authentication problems (11-Sep-2006 19:43)
From:     unruh@physics.ubc.ca
To:         lmarcilly@aressi.fr

So why are you asking the server to authenticate to you using pap? 
Almost no server will do so.
Get rid of the auth-pap or +pap from your options. 
That is NOT without authentication. The far side demands that you
authenticate to them anyway.



On Mon, 11 Sep 2006, Ludovic MARCILLY wrote:

> Hi all,
>
> I try to use the Linux pptp client in order to connect to a Windows 2003
> Server but without any success.
>
> When I try to connect without authentication, it seems to work. So I
> try with PAP, CHAP, MSCHAP and MSCHAPv2 but it doesn't work.

Why?

>
> Here are my logs for a test with PAP:
>
> Sep 11 11:56:18 LinuxBox pppd[1834]: sent [LCP ConfReq id=0x1 <asyncmap
> 0x0> <auth pap> <magic 0x9bb62805> <pcomp> <accomp>]

You ask them to authenticate to you using pap.

> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfReq id=0x0 <mru
> 1400> <auth pap> <magic 0x309a32f4> <pcomp> <accomp> <callback CBCP>
> <mrru 1614> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]> <
> 17 04 00 22>]

They ask you to authenticate to them using pap.

> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfRej id=0x0 <callback
> CBCP> <mrru 1614> < 17 04 00 22>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfAck id=0x1 <asyncmap
> 0x0> <auth pap> <magic 0x9bb62805> <pcomp> <accomp>]

They agree to authenticate to you.

> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfReq id=0x1 <mru
> 1400> <auth pap> <magic 0x309a32f4> <pcomp> <accomp> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfAck id=0x1 <mru
> 1400> <auth pap> <magic 0x309a32f4> <pcomp> <accomp> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [PAP AuthReq id=0x1
> user="vpnman" password=<hidden>]

You send your name and password.

> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [PAP AuthAck id=0x1 ""]

They say it is ok.

> Sep 11 11:56:21 LinuxBox pppd[1834]: PAP authentication succeeded
> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfReq id=0x3 <mru
> 1400> <auth pap> <magic 0x31655e15> <pcomp> <accomp> <callback CBCP>
> <mrru 1614> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]> <
> 17 04 00 22>]

They repeat their request, as if nothing had happened.

> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfReq id=0x2 <asyncmap
> 0x0> <auth pap> <magic 0x7715a449> <pcomp> <accomp>]

So do you.

> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfRej id=0x3 <callback
> CBCP> <mrru 1614> < 17 04 00 22>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfRej id=0x2 <auth
> pap>]

But this time they refuse to authenticate themselves to you with pap.

> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfReq id=0x3 <asyncmap
> 0x0> <magic 0x7715a449> <pcomp> <accomp>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfReq id=0x4 <mru
> 1400> <auth pap> <magic 0x31655e15> <pcomp> <accomp> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: sent [LCP ConfAck id=0x4 <mru
> 1400> <auth pap> <magic 0x31655e15> <pcomp> <accomp> <endpoint
> [local:21.c5.a8.4c.e7.20.49.3d.a3.30.be.d2.48.a0.d6.b3.00.00.00.00]>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: rcvd [LCP ConfAck id=0x3 <asyncmap
> 0x0> <magic 0x7715a449> <pcomp> <accomp>]
> Sep 11 11:56:21 LinuxBox pppd[1834]: peer refused to authenticate:
> terminating link

At which point you tell them to get lost and hang up.


> On the Windows server logs, I can see that vpnman session is opened but
> I see "peer refused to authenticate: terminating link" in my Linux
> logs.
>
> Here are my config files:
>
> /etc/ppp/peers/Tunnel1:
>
> file /var/vpn/pptp-client/options
> pty "pptp 192.168.8.239 --nolaunchpppd"
> name vpnman
> remotename VpnServer
> nomppe


> noauth
> require-pap
> refuse-chap
> refuse-mschap
> refuse-mschap-v2

These are all nonsense. Get rid of them all.


* Re: Re-2: Authentication problems
From: Gilles Espinasse @ 2006-09-12  8:17 UTC (permalink / raw)
  To: linux-ppp

According to Ludovic MARCILLY <lmarcilly@aressi.fr>:

>
> First of all, thank you for your answer! Now it works. In fact, I had put
> the
> auth-pap in my config files because I thought I had to put it in order to
> authenticate myself to the server with PAP. It seems that I was wrong...
>
> So I can't put these options in the config file on the client side? If I
> understand, the server asks the client for PAP, CHAP or MS-CHAP method to
> authenticate? The client doesn't choose the authentication method? Is it right?
>
If one authentication is not configured on the client side, pppd will answer
with a nak on the request and could offer another authentication method if
available (that the server may or may not accept).

If one authentication method is configured on the client side but you don't want
this method to be used, add -chap or -pap for example respectively to your
options.

Gilles


* Re: Re-2: Authentication problems
From: James Carlson @ 2006-09-12 11:13 UTC (permalink / raw)
  To: linux-ppp

Gilles Espinasse writes:
> > So I can't put these options in the config file on the client side? If I
> > understand, the server asks the client for PAP, CHAP or MS-CHAP method to
> > authenticate? The client doesn't choose the authentication method? Is it right?
> >
> If one authentication is not configured on the client side, pppd will answer
> with a nak on the request and could offer another authentication method if
> available (that the server may or may not accept).

"Configured" in this case means that pppd has access to credentials --
a user name and pass phrase or shared secret for a given
authentication protocol -- and that it's not told _not_ to use them.

On the authenticatee ("client") side, all that you can do is agree to
the peer's request or suggest an alternative; you can't demand to be
identified with a given protocol.

Authentication must work that way.  Allowing the authenticatee to
specify the means of validation is insecure.

On the other side, if you're setting up a "server," you use the
'require-pap' keyword (note that "+pap" is obsolescent) to say that
the peers must use PAP to identify themselves.

-- 
James Carlson         42.703N 71.076W         <carlsonj@workingcode.com>
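
Added example, not part of any message in this thread: a small parser that reads pppd debug lines like the ones annotated in the first message and reports, for each LCP packet carrying an <auth ...> option, which end is being asked to authenticate. The names auth_events and diagnose are hypothetical, and the sample log is constructed from the thread's log (unwrapped, options trimmed).

```python
import re

# Constructed sample, modelled on the log quoted in the thread
# (lines unwrapped; mru/callback/mrru/endpoint options trimmed).
P = "Sep 11 11:56:21 LinuxBox pppd[1834]: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x9bb62805> <pcomp> <accomp>]",
    "rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x309a32f4> <pcomp> <accomp>]",
    "rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth pap> <magic 0x9bb62805> <pcomp> <accomp>]",
    "sent [LCP ConfAck id=0x1 <auth pap> <magic 0x309a32f4> <pcomp> <accomp>]",
    "sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth pap> <magic 0x7715a449> <pcomp> <accomp>]",
    "rcvd [LCP ConfRej id=0x2 <auth pap>]",
    "peer refused to authenticate: terminating link",
])

LCP = re.compile(r"(sent|rcvd) \[LCP (Conf(?:Req|Ack|Nak|Rej)) id=0x[0-9a-f]+(.*)\]")
AUTH = re.compile(r"<auth ([^>]+)>")
OUTCOME = {"ConfReq": "demanded", "ConfAck": "accepted",
           "ConfNak": "countered", "ConfRej": "refused"}

def auth_events(log):
    """List (who_must_authenticate, protocol, outcome) per auth-carrying LCP packet."""
    events = []
    for line in log.splitlines():
        m = LCP.search(line)
        a = AUTH.search(m.group(3)) if m else None
        if not a:
            continue
        direction, code = m.group(1), m.group(2)
        # A ConfReq states what its sender wants from the other end; Ack/Nak/Rej
        # answer a ConfReq that travelled the opposite way.
        demanded_by_local = (direction == "sent") == (code == "ConfReq")
        who = "peer" if demanded_by_local else "local"
        events.append((who, a.group(1), OUTCOME[code]))
    return events

def diagnose(log):
    """Name the protocol if the local pppd demanded peer auth and hung up on refusal."""
    refused = [p for who, p, o in auth_events(log) if who == "peer" and o == "refused"]
    if refused and "peer refused to authenticate" in log:
        return refused[0]
    return None

if __name__ == "__main__":
    for event in auth_events(SAMPLE_LOG):
        print(event)
    print("local side demanded and was refused:", diagnose(SAMPLE_LOG))
```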
