[pptp-server] pptp client - FAQ stuff

Neale Banks neale at lowendale.com.au
Thu Feb 24 15:20:19 CST 2000


On Thu, 24 Feb 2000, Nathan Meyers wrote:

> On Thu, Feb 24, 2000 at 10:40:36AM -0800, Nicholas M. Kirsch wrote:
> > 
> > I just heard the mention that CHAP is not bi-directional, contrary to the
> > PPP FAQ? Could someone give me some tips on how to disable the
> > bi-directional features. I don't like having to have a shared server secret
> > on my client.
> 
> CHAP relies on keeping the same secret on both sides of the connection;
> nobody here can change the protocol (not sure what you mean by
> bi-directional or not bi-directional). If you are willing to do without
> the Microsoft encryption, you can disable the CHAP authentication for
> some other method.

There are two separate (easily confused) issues here, AFAIK:

1) CHAP can be used bi-directionally, but it is not *necessary* (e.g. it
is possible for an ISP to use CHAP on Access Servers, but ISP clients
generally do not authenticate their ISP ;-).

2) With (one-way) CHAP authentication, it is necessary that both sides
have access to the clear-text of the shared secret (exception: AFAIK, the
ms-perversions of CHAP tinker with things such that a hash of the shared
secret will suffice on one side).

The original question above appears to address the first of these issues
and leads straight back to the "peer refused to authenticate" issues: your
"client"/caller (presumably running Linux pptp client?) must be configured
to *not* ask the "server" to provide authentication.

If you're using an MS-client then AFAIK this question should not arise as
these clients don't (can't?) ask the server to provide authentication.

HTH,
Neale.
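
[Added example, not part of the original message or of any pptp/pppd code: a sketch of standard RFC 1994 CHAP (MD5) illustrating the two points above, that authentication in one direction is a self-contained exchange and that the verifying side needs the clear-text secret. The class and function names and the secret value are constructed for illustration.]

```python
# Added illustration of RFC 1994 CHAP (MD5); names and secrets are constructed.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that demands authentication (e.g. an ISP access server)."""

    def __init__(self, stored_secret: bytes):
        self.stored = stored_secret      # whatever this side keeps on disk
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)  # fresh per attempt, prevents replay
        return self.identifier, self.challenge

    def verify(self, response: bytes) -> bool:
        # Verification recomputes the digest, so it needs the secret itself.
        expected = chap_response(self.identifier, self.stored, self.challenge)
        return hmac.compare_digest(expected, response)


def one_way_auth(authenticator: Authenticator, peer_secret: bytes) -> bool:
    """One direction only: the authenticator challenges, the peer answers."""
    ident, chal = authenticator.new_challenge()
    return authenticator.verify(chap_response(ident, peer_secret, chal))


SECRET = b"constructed-shared-secret"    # sample value, not from the thread

# Point 1: the server challenges the client; the client need not challenge back.
server_ok = one_way_auth(Authenticator(SECRET), SECRET)

# Point 2: a server that stored only a hash of the secret cannot verify.
hash_only_ok = one_way_auth(Authenticator(hashlib.md5(SECRET).digest()), SECRET)

# Bi-directional CHAP is a second, independent exchange in the other direction.
client_ok = one_way_auth(Authenticator(SECRET), SECRET)

if __name__ == "__main__":
    print(server_ok, hash_only_ok, client_ok)
```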




