[pptp-server] Auth mechanism...

Faisal P Faisal.Puthuparackat at CQSL.com
Thu Sep 28 10:02:46 CDT 2000


Hi ppl,

I have a somewhat unique problem here....
We have a network that consists of a bunch of clients that need to access the
Internet. They are on ethernet. We need them to authenticate before they can
reach the Internet. The problem is we actually needed to implement authenticated
dhcp, but there are no implementations that I know of that exist at this point.
So finally we decided to go in for a VPN between the client and the server
running pptp. This allows us to authenticate using regular CHAP and windoze ppl
can use it pretty easily. It also allows us to control who goes thru us etc.
Now we also needed ldap support with pptp, so I patched pppd to support a
generalized authentication mechanism (like the @file in the chap-secrets file,
if you put |program, pppd will now ask program to actually fetch the password.
So even chap works, provided the LDAP server can provide clear-text passwords.)
No, it isn't as insecure as it looks. I have taken care of that. But the
problem is that, before I had left for a holiday, I had this mechanism working
perfectly. We then had to reinstall the server. Now I can't even get the pptp
to work if I just patch pppd to use mppe. With noauth in the /etc/ppp/options
file, everything is fine (yeah right) but without it, I get the 'GRE: could not
read from PTY' error. I could not find a solution for it on the mailing list
that was really helpful. Now I suspect that pppd is dying when it's asked to
authenticate, but I can't figure how. It used to work perfectly earlier. 
(reminds me of my Windoze days)

Anyways, if anyone has any ideas, please let me know. I'll post the full error
logs later tomorrow..

BTW, if anyone wants the pppd patch that adds support for generalized password
retrieval, please let me know. I'll post it.

Another more important question is: Am I doing this right? I mean, all I
really need is authentication on an ethernet network. I'm sure this pptp thing
is overkill in some aspects. If anyone has any better ideas on how I could
achieve this, it would be greatly appreciated.

thanx again.
Faisal.
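
Added example, not part of the original post and not the author's pppd patch: a sketch of standard CHAP-MD5 verification (RFC 1994) showing why the post says the LDAP server must be able to provide clear-text passwords. The `fetch_secret` helper, the `DIRECTORY` contents and the user name are constructed assumptions standing in for the `|program` lookup, whose real interface is not shown on the page.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for the directory behind "|program".
DIRECTORY = {"alice": b"correct horse"}


def fetch_secret(user):
    """Hypothetical lookup helper: clear-text secret for user, or None."""
    return DIRECTORY.get(user)


def chap_md5_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify(user, identifier, challenge, response, lookup=fetch_secret):
    """Authenticator side: recompute the response from the stored secret."""
    secret = lookup(user)
    if secret is None:
        return False
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    ident, challenge = 1, os.urandom(16)
    # Peer side: the client computes the response from the typed password.
    peer_response = chap_md5_response(ident, b"correct horse", challenge)

    # Directory returns clear text: the authenticator can recompute the hash.
    ok_cleartext = verify("alice", ident, challenge, peer_response)

    # Directory stores only a one-way hash: the recomputed value never matches,
    # so CHAP cannot work against such a store.
    def hashed_only(user):
        return hashlib.sha1(DIRECTORY[user]).digest()

    ok_hashed = verify("alice", ident, challenge, peer_response, lookup=hashed_only)

    # A captured response is useless against a fresh challenge.
    ok_replay = verify("alice", ident, os.urandom(16), peer_response)
    return ok_cleartext, ok_hashed, ok_replay


if __name__ == "__main__":
    print(demo())
```

The clear-text secret is the sensitive asset here, so whatever helper returns it needs the same file permissions and access controls as chap-secrets itself.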




