[pptp-server] peer refused to authenticate

Neale Banks neale at lowendale.com.au
Sat Feb 19 16:20:31 CST 2000


Greetings all,

This kind of question is coming up a little too often ("frequently" even?)
so I've cobbled together a quick draft of a FAQ+A.

Corrections/comments/clarifications/etc gratefully accepted.

Warning: this was written off the cuff - it is *VERY* untested and might
be riddled with errors/furphies/etc

The usual disclaimers apply: absolutely no warranties, it's offered in the
hope that someone, somewhere might find it helpful.

Here 'tis:

---------------------------------------8<---------------------------------------

pre-DRAFT: FAQ+A - ppp says peer "refused to authenticate"

[this is not a pptp issue, it's a ppp "feature" which is not exclusive
to pptp]

[ppp is a symmetrical protocol, ditch any ideas of client and server;
also it's not a "user" which is authenticated but a "host"]

Scenario: hostA initiates ppp to hostB (could be over pptp, but could 
equally be any other ppp transport).  We are using CHAP (or some
-MS derivative thereof) for authentication (ppp CHAP options are 
not covered here - suffice to say that hostB must be configured to
request/require CHAP and hostA must be configured to agree to CHAP).

In general, hostB will be "listening" for the ppp connection and will
require that the caller authenticate itself.  By default, pppd requires
its peer (in this case, hostA) to authenticate itself - but we need an
entry in the chap-secrets file so the host has a reference against
which to authenticate.

The format of the chap-secrets file on hostB then should be:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
<userA>		*	<secret>		*

Where <userA> is the username being provided by hostA and <secret>
is the associated "password".

On hostA, it is necessary that ppp is configured to *NOT* "require the
peer to authenticate".  With MS "clients", this is the default and
this problem shouldn't arise - however with *n*x pppd the default is
to *always* "require the peer to authenticate".  This default 
behaviour of pppd is changed by passing the "noauth" option to pppd.

With the linux pptp client this is accomplished by including "noauth"
on the command line invocation, for example:

	[need *correct* example here]

[here I'm *very* open to correction/clarification...]

The system calling with the linux pptp client needs to have the
"password" for the connection in its chap-secrets, for example:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
*		<hostB> <secret>		*

[I *think* that's all that's required - have I missed something?]

Of course it is possible that you will desire the called system to
also authenticate itself back to the caller - hopefully the above gives
enough insight to enable correct configuration of this.

A WARNING:  In general you do *NOT* want the "noauth" pppd option
configured on a system which is "listening" for a ppp connection (e.g.
a system running PoPToP) - for that would allow anyone to connect 
without even asking them to provide a name/password.

---------------------------------------8<---------------------------------------
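
Added example (not part of the original post, and not code from pppd or
PoPToP): a small check of the two configurations the draft describes,
flagging "noauth" on the listening side and a missing secret on either
side.  The function names, the "listener"/"caller" role labels and the
sample values are assumptions made for illustration; it only inspects
the text it is given, not options passed on the pppd command line.

```python
import shlex

def parse_chap_secrets(text):
    """Return (client, server, secret, ip_list) tuples from chap-secrets text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        try:
            fields = shlex.split(line)    # secrets may be quoted
        except ValueError:
            continue                      # unbalanced quote: unusable line
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def audit(role, options_text, secrets_text):
    """role: 'listener' (hostB in the FAQ) or 'caller' (hostA). Returns findings."""
    opts = {l.split()[0] for l in options_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}
    entries = parse_chap_secrets(secrets_text)
    findings = []
    if role == "listener":
        if "noauth" in opts:
            findings.append("noauth on a listening system: callers are "
                            "never asked for a name/password")
        if not entries:
            findings.append("no chap-secrets entry to check callers against")
    elif role == "caller":
        if "noauth" not in opts:
            findings.append("noauth not set: pppd will require the called "
                            "host to authenticate itself")
        if not entries:
            findings.append("no secret available to answer the CHAP challenge")
    return findings

# Constructed sample input (not taken from a real system).
LISTENER_OPTIONS = "auth\nnoauth\n"          # the mistake the WARNING describes
LISTENER_SECRETS = "# client server secret IP addresses\nuserA * s3cret *\n"
CALLER_OPTIONS = "noauth\n"
CALLER_SECRETS = '* hostB "s3 cret" *\n'

if __name__ == "__main__":
    for f in audit("listener", LISTENER_OPTIONS, LISTENER_SECRETS):
        print("hostB:", f)
    for f in audit("caller", CALLER_OPTIONS, CALLER_SECRETS):
        print("hostA:", f)
```

If the called system is meant to authenticate itself back to the caller,
the "noauth not set" finding on the caller is expected rather than a fault.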




