[pptp-server] NT Authentication - slightly off topic

John Van Ostrand john at netdirect.ca
Wed Jul 12 07:30:37 CDT 2000


I've been looking for this for a while and I've seen some posts in the past
that refer to ways to do this but I haven't put any in place yet.

Generally the other posts suggest using a RADIUS server on NT. A patch needs
to be applied to pppd to provide RADIUS authentication. When I looked at
this, the patch did not support CHAP (or MS-CHAP) authentication. This means
that the password information was transmitted, weakening the security.

In the meantime I have been using duplicate users, one in NT and one in
chap-secrets. When the PPTP session is established the authentication
"passes through" to the NT server (if Login to Network is checked in DUN.)

There are some tricks to this.

1. The user name must be specified using the domain name in the chap-secrets
file, e.g. DOMAIN\\username

2. The domain name used in the chap-secrets file must use the same case as
the domain specified in the network properties in Win98 and Win95. (If I
recall, WinNT automatically uppercases the domain name.)

John.

> -----Original Message-----
> From: Yan Seiner [mailto:yan at cardinalengineering.com]
> Sent: Wednesday, July 12, 2000 7:45 AM
> To: Colin Coe; 'pptp-server at lists.schulte.org'
> Subject: Re: [pptp-server] NT Authentication - slightly off topic
> 
> 
> You really don't need to.  The generic account will allow them to log
> in; it won't allow access to win shares as long as the generic account
> is not a "real" user account.  And since it's a smb only access, you
> really can't get a login shell either (or set up the generic user with a
> /bin/nosh account, where nosh is a script that simply says you're not
> allowed to log in.)
> 
> In fact, I'd make sure that the log in account is not a user account
> anywhere.
> 
> Not perfectly secure of course, but easy to administer and use.
> 
> --Yan
> 
> Colin Coe wrote:
> > 
> > Hi all
> > 
> > It works!  Now I am faced with the problem of 50 users who want to use VPN
> > from home or when traveling.  For my testing I used a generic user account
> > and 'hard coded' this in /etc/ppp/chap-secrets.  How can I get PoPToP to get
> > NT to authenticate the users as they log in?
> > 
> > TIA
> > 
> > Colin Coe
> > Systems Administrator
> > 
> > M E T H O D  +  M A D N E S S
> > ........................................www.method.com.au
> > 
> > 1st Flr Churchill Court               Ph: +(08) 9388 6100
> > 331 Hay Street                        Fx: +(08) 9380 6537
> > Subiaco, WA 6008
> > 
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> 
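The two chap-secrets rules from the message above (domain-qualified client name, matching domain case) can be checked mechanically. This is an added example, not part of the original thread: the domain `CORP`, the sample entries and the simplified model of pppd's quoting (a backslash quotes the next character, `"..."` groups text, `#` starts a comment) are assumptions.

```python
# Added example: lint chap-secrets client names for the DOMAIN\\user rules.
# The tokenizer is a simplified model of pppd's secrets-file quoting (assumption).
import re

# One word: runs of escaped chars, "quoted text" or plain non-space chars.
WORD = re.compile(r'\s*((?:\\.|"(?:\\.|[^"\\])*"|[^\s"\\])+)')

def tokenize(line):
    """Split a secrets-file line into words, resolving quotes and escapes."""
    words, pos = [], 0
    while (m := WORD.match(line, pos)) and not m.group(1).startswith("#"):
        # Drop quote marks; a backslash quotes the next character.
        words.append(re.sub(r'\\(.)|"', lambda e: e.group(1) or "", m.group(1)))
        pos = m.end()
    return words

def lint(text, expected_domain):
    """Return (line_no, client, problem) tuples; secrets are never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        words = tokenize(line)
        if len(words) < 3:
            continue  # blank, comment-only or incomplete line
        domain, sep, _user = words[0].partition("\\")
        if not sep:
            findings.append((no, words[0], "no DOMAIN\\ prefix"))
        elif domain != expected_domain:
            same = domain.lower() == expected_domain.lower()
            findings.append((no, words[0],
                             "domain case differs" if same else "unexpected domain"))
    return findings

# Constructed sample; CORP and the secrets are placeholders.
SAMPLE = r'''# client   server  secret                IP addresses
CORP\\alice  *       "placeholder-secret"  *
corp\\bob    *       "placeholder-secret"  *
CORP\dave    *       "placeholder-secret"  *
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE, "CORP"):
        print(finding)
```

The `CORP\dave` line shows why the backslash is doubled in the file: under this quoting model a single backslash is consumed as an escape, so the parsed client name has no domain separator at all.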


