[pptp-server] peer refused to authenticate
Neale Banks
neale at lowendale.com.au
Sat Feb 19 16:20:31 CST 2000
Greetings all,
This kind of question is coming up a little too often ("frequently" even?)
so I've cobbled together a quick draft of a FAQ+A.
Corrections/comments/clarifications/etc gratefully accepted.
Warning: this was written off the cuff - it is *VERY* untested and might
be riddled with errors/furphies/etc
The usual disclaimers apply: absolutely no warranties, it's offered in the
hope that someone, somewhere might find it helpful.
Here 'tis:
---------------------------------------8<---------------------------------------
pre-DRAFT: FAQ+A - ppp says peer "refused to authenticate"
[this is not a pptp issue, it's a ppp "feature" which is not exclusive
to pptp]
[ppp is a symmetrical protocol, ditch any ideas of client and server;
also it's not a "user" which is authenticated but a "host"]
Scenario: hostA initiates ppp to hostB (could be over pptp, but could
equally be any other ppp transport). We are using CHAP (or some
-MS derivative thereof) for authentication (ppp CHAP options are
not covered here - suffice to say that hostB must be configured to
request/require CHAP and hostA must be configured to agree to CHAP).
In general, hostB will be "listening" for the ppp connection and will
require that the caller authenticate itself. By default, pppd requires
its peer (in this case, hostA) to authenticate itself - but we need an
entry in the chap-secrets file so host has a reference against
which to authenticate.
The format of the chap-secrets file on hostB then should be:
    # Secrets for authentication using CHAP
    # client    server    secret      IP addresses
    <userA>     *         <secret>    *
Where <userA> is the username being provided by hostA and <secret>
is the associated "password".
On hostA, it is necessary that ppp is configured to *NOT* "require the
peer to authenticate". With MS "clients", this is the default and
this problem shouldn't arise - however with *n*x pppd the default is
to *always* "require the peer to authenticate". This default
behaviour of pppd is changed by passing the "noauth" option to pppd.
With the linux pptp client this is accomplished by including "noauth"
on the command line invocation, for example:
[need *correct* example here]
[here I'm *very* open to correction/clarification...]
The system calling with the linux pptp client needs to have the
"password" for the connection in its chap-secrets, for example:
    # Secrets for authentication using CHAP
    # client    server    secret      IP addresses
    *           <hostB>   <secret>    *
[I *think* that's all that's required - have I missed something?]
Of course it is possible that you will desire the called system to
also authenticate itself back to the caller - hopefully the above gives
enough insight to enable correct configuration of this.
A WARNING: In general you do *NOT* want the "noauth" pppd option
configured on a system which is "listening" for a ppp connection (e.g.
a system running PoPToP) - for that would allow anyone to connect
without even asking them to provide a name/password.
---------------------------------------8<---------------------------------------
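The WARNING and the chap-secrets layout above, as an added example that is not part of the original post: a shell check for a host that listens for ppp (hostB) which fails if "noauth" is the effective pppd option or if chap-secrets has no entry for the expected caller. The file names, the userA/hostB names, the sample secret and the rule that the later of "auth"/"noauth" wins are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host that LISTENS for ppp.

# Succeeds if "noauth" is the effective setting in a pppd options file.
# Assumption: when both appear, the later of "auth"/"noauth" wins.
noauth_active() {
    awk '{ sub(/#.*/, "")                       # strip comments
           for (i = 1; i <= NF; i++)
               if ($i == "auth" || $i == "noauth") state = $i }
         END { exit (state == "noauth" ? 0 : 1) }' "$1"
}

# Succeeds if chap-secrets (file $1) has an entry for client $2 / server $3,
# either by name or via the "*" wildcard. Simplification: unquoted fields only.
has_secret() {
    awk -v c="$2" -v s="$3" '
        $1 ~ /^#/ || NF < 3 { next }            # comments, short lines
        ($1 == c || $1 == "*") && ($2 == s || $2 == "*") { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_listener OPTIONS SECRETS CLIENT SERVER -> 0 if both checks pass
audit_listener() {
    rc=0
    if noauth_active "$1"; then
        echo "FAIL $1: noauth in effect, callers are never asked to authenticate"
        rc=1
    fi
    if ! has_secret "$2" "$3" "$4"; then
        echo "FAIL $2: no entry to authenticate client '$3' against"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $1 / $2"
    return "$rc"
}

# Constructed sample files; names and secret are placeholders.
demo=$(mktemp -d)
printf 'lock\nnoauth\n' > "$demo/options.bad"
printf 'lock\nauth   # require the peer to authenticate\n' > "$demo/options.good"
printf '# client server secret IP addresses\nuserA * example-secret *\n' > "$demo/chap-secrets"
audit_listener "$demo/options.bad"  "$demo/chap-secrets" userA hostB || true
audit_listener "$demo/options.good" "$demo/chap-secrets" userA hostB || true
```

On the calling side (hostA) the first check is expected to report "noauth", since that is the configuration the FAQ describes for the caller; only the listening host should pass it.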