* Authentificating with certificates ("unknown authentication type 13; Naking")
2005-07-27 21:26 Authentificating with certificates ("unknown authentication type 13; Naking") Boky Gmail
@ 2005-07-28 17:00 ` Boky Gmail
2005-07-28 17:33 ` James Carlson
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Boky Gmail @ 2005-07-28 17:00 UTC
To: linux-ppp
Note: resending; it seems it didn't get through the first time round.
----
Hi all.
I was wondering if it is possible to use certificates instead of
passwords for authentication over PPTP?
Google turned up nothing useful.
When logging the connection this is what PPP says ("pppd call work
logfd 1 nodetach debug dump"):
---snip---
rcvd [LCP EchoRep id=0x0 magic=0x110e4d94]
rcvd [EAP Request id=0x12 TLS 20]
EAP: unknown authentication type 13; Naking
sent [EAP Response id=0x12 Nak <Suggested-type 13>]
rcvd [LCP TermReq id=0x4 11 0e 4d 94 00 3c cd 74 00 00 02 b3]
LCP terminated by peer (^Q^NMM-^T^@<M-Mt^@^@^BM-3)
sent [LCP TermAck id=0x4]
Terminating on signal 2.
---snip---
Now, I know for a fact that our administrator has certificate-only VPN
login policy in place.
I am suspecting that "EAP: unknown authentication type 13; Naking"
means that the server requested certificate-based authentication but
the client does not have any implementation to handle this and
therefore the connection terminated.
Is my hunch correct?
If it is, will certificate authentication ever be possible? If so,
is there an ETA? A feature-request, perhaps?
If no, can someone please explain to me how to enable authentication
by certificate?
PS: This question was first posted to the pptpclient-dev mailing list
and I was told it is a PPP issue.
Snippets (reply by James Cameron):
--snip--
It has nothing to do with PPTP, because at the stage that
this happens only pppd has anything to do with the task. Ask the PPP
mailing list.
--snip--
He also suggested looking here:
http://marc.theaimsgroup.com/?l=linux-ppp&m=112177308427341&w=2
But that did not help, either.
Thank you all,
Bojan
* Re: Authentificating with certificates ("unknown authentication type 13; Naking")
From: James Carlson @ 2005-07-28 17:33 UTC
To: linux-ppp
Boky Gmail writes:
> Note: resending; it seems it didn't get through the first time round.
No, it came through fine the first time.
> I was wondering if it is possible to use certificates instead of
> passwords for authentication over PPTP?
"Possible"? Sure; you've got source code.
> EAP: unknown authentication type 13; Naking
That's EAP-TLS. At least for debug, we should add decoding of the
well-known types.
> Now, I know for a fact that our administrator has certificate-only VPN
> login policy in place.
Sounds likely.
> I am suspecting that "EAP: unknown authentication type 13; Naking"
> means that the server requested certificate-based authentication but
> the client does not have any implementation to handle this and
> therefore the connection terminated.
Right.
> Is my hunch correct?
Yes.
> If it is, will certificate authentication ever be possible?
Sure; it's possible.
> If so,
> is there an ETA? A feature-request, perhaps?
Unless you're volunteering to write the code or know someone who is
volunteering (and has the right equipment to test the results
properly), then I can't imagine what the ETA would be. This is open
source; things get done because someone cares about the result, not
_just_ because there's a request.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
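
The reply above identifies type 13 as EAP-TLS and suggests decoding the well-known types in debug output. As an added illustration (not code from pppd, from the EAP-TLS patch, or from anyone in this thread), a small C decoder for the RFC 3748 EAP header that names the method type and lists the types suggested in a Nak; `eap_type_name` and `eap_describe` are hypothetical names and the packets in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Method type numbers from RFC 3748 and the IANA EAP registry. */
static const char *eap_type_name(uint8_t t)
{
    switch (t) {
    case 1:  return "Identity";
    case 3:  return "Nak";
    case 4:  return "MD5-Challenge";
    case 13: return "EAP-TLS";
    case 19: return "SRP-SHA1";
    case 26: return "EAP-MSCHAPv2";
    default: return "unknown";
    }
}

/* Describe one EAP packet: Code, Identifier, 16-bit Length, then a Type
 * octet in Requests/Responses. Returns 0, or -1 if the packet is malformed. */
int eap_describe(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    static const char *codes[] = { "", "Request", "Response", "Success", "Failure" };
    size_t plen = len >= 4 ? ((size_t)p[2] << 8) | p[3] : 0;

    if (plen < 4 || plen > len || p[0] < 1 || p[0] > 4)
        return -1;                        /* bad Code or Length field */
    if (p[0] >= 3) {                      /* Success/Failure carry no Type */
        snprintf(out, outlen, "EAP %s id=0x%x", codes[p[0]], p[1]);
        return 0;
    }
    if (plen < 5)
        return -1;
    int n = snprintf(out, outlen, "EAP %s id=0x%x type %u (%s)",
                     codes[p[0]], p[1], p[4], eap_type_name(p[4]));
    /* A Nak Response lists the method types the sender would accept. */
    for (size_t i = 5; p[0] == 2 && p[4] == 3 && i < plen && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - n, " suggest %u (%s)", p[i], eap_type_name(p[i]));
    return 0;
}

int main(void)
{
    /* Constructed packets: a TLS Request like the one logged above, and a Nak. */
    const uint8_t req[] = { 0x01, 0x12, 0x00, 0x06, 0x0d, 0x20 };
    const uint8_t nak[] = { 0x02, 0x12, 0x00, 0x06, 0x03, 0x04 };
    char line[128];
    if (eap_describe(req, sizeof req, line, sizeof line) == 0) puts(line);
    if (eap_describe(nak, sizeof nak, line, sizeof line) == 0) puts(line);
    return 0;
}
```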
* Re: Authentificating with certificates ("unknown authentication type 13; Naking")
From: Boky Gmail @ 2005-07-28 17:40 UTC
To: linux-ppp
> Unless you're volunteering to write the code or know someone who is
> volunteering (and has the right equipment to test the results
> properly), then I can't imagine what the ETA would be. This is open
> source; things get done because someone cares about the result, not
> _just_ because there's a request.
>
Sadly, C isn't something I speak natively. If someone is willing to
pick up the ball I'd be more than happy to help with testing/reading
specifications et al.
Thanks for the reply nevertheless.
* Re: Authentificating with certificates ("unknown authentication type
From: Jan Just Keijser @ 2005-10-20 10:42 UTC
To: linux-ppp
hi all,
there already is a patch to do EAP-TLS authentication with ppp; see
http://eaptls.spe.net
for details. I've just completed the patch against ppp-2.4.3 to allow
MPPE encryption with EAP-TLS. I have created two versions:
- one against the ppp_mppe module which supports 128bit MPPE but no MPPC
- one against the ppp_mppe_mppc module which supports 40/56/128 bit MPPE
and MPPC (but there are some licensing issues, I believe, with using MPPC).
Tested it with both XP and W2K as clients, Linux as a PoPToP server -
works beautifully :)
anybody interested?
cheers,
JJK
* Re: Authentificating with certificates ("unknown authentication type 13; Naking")
From: Boky Gmail @ 2005-10-20 10:56 UTC
To: linux-ppp
Yes, we know about EAP-TLS.
But EAP-TLS does not allow you to use MPPE/MPPC (128bit) since
MPPE/MPPC patch expects that you use MS-CHAP[v2] authentication and
EAP-TLS patch uses EAP authentication.
Did you hack the EAP-TLS patch to provide correct credentials to
MPPE/MPPC patch? Are you sure you are using MPPE/MPPC?
I thought I was (PPTP said in output log it negotiated MPPE 128bit)
but I was getting errors like "Unknown protocol 0x??...".
As it turns out when I added "require-mppe" to my options the tunnel
was not being set up anymore and I started getting errors along the lines
of "MS-CHAP[v2] required for MPPE/MPPC".
If you have a patch for this we'd of course be more than happy to see it.
Cheers,
Bojan
* Re: Authentificating with certificates ("unknown authentication type
From: Jan Just Keijser @ 2005-10-20 11:42 UTC
To: linux-ppp
I have hacked pppd to allow MPPE 128 bit encryption. The Windows PPTP
VPN status screen tells me it is using MPPE128 encryption but no
compression; ethereal dumps show me the data is compressed/encrypted.
Without the MPPE encryption I can still see the original packets inside
the GRE tunnel, with MPPE I cannot. This version is available on
http://eaptls.spe.net in the download section.
I have also created a hacked version of pppd in combination with
ppp_mppe_mppc that allows MPPE+MPPC. With this module, the PPTP VPN
status screen tells me it is using MPPE128 encryption (or MPPE40/MPPE56)
and MPPC compression. This version is not yet available on the internet
but I am working on a DKMS version of the ppp_mppe_mppe module. I have a
patched ppp-2.4.3 source tree available.
JJK