[pptp-server] IAS / RADIUS

Steve Jorgensen jorgens at coho.net
Fri Nov 30 00:15:04 CST 2001


On Thursday, November 29, 2001 8:02 PM, Steve Langasek 
[SMTP:vorlon at netexpress.net] wrote:
> Steve,
>
> On Thu, Nov 29, 2001 at 05:12:01PM -0800, Steve Jorgensen wrote:
> > I'm interested in the idea of using poptop in a protected network, and
> > authenticating against a Windows NT domain.  The obvious way to do this
> > would be to install IAS on a machine in the domain, and have the VPN server
> > use RADIUS for authentication.  I presume IAS can authenticate MS-CHAP
> > logons (It's Microsoft, after all), so the only missing piece would be to let
> > poptop use RADIUS, right?
>
> > Can this be done?
>
> Not yet.  PPTP authentication under Linux is handled by pppd; right now,
> there's a patch that lets you do MS-CHAPv2, and a patch that lets you do
> RADIUS authentication, but there's not yet anything that lets you do
> MS-CHAPv2 authentication over RADIUS. :)  I'm working on such a beast,
> although it will be a bit before I have anything to show for the work.
> Interoperability with IAS seems like a reasonable goal.

(Sorry, Steve - I sent a copy of this to you personally while intending to 
reply to the group)

Thanks for the reply.  Now I'll probably make a fool of myself by 
speculating about things I know very little about.

Trying, in my mind, to expand upon what you said, I'm guessing that the 
reason PPP(TP) authentication through RADIUS does not now do MS-CHAP, et 
al, even if the RADIUS server can do it for you is that the interface to 
RADIUS is through something like PAM and is a plain-text only API?  If I 
guessed that right, it seems like a direct link to RADIUS would be nice 
because it would allow for any kind of password hashing the RADIUS server 
knows even if it is newer than the implementation of PPTP, be it a 
Microsoft thing, some new Cisco thing, or whatever.  Another thought would 
be to enhance PAM itself to provide more complete access to extra 
functionality of RADIUS.

I know this post makes many assumptions, and if any of them are wrong, I'm 
just blowing smoke, but I guess this is a good way to find out anything I 
don't yet get.  
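
Added example (not part of the original post, and not pppd or poptop code): a Python sketch of the RADIUS Access-Request a PPTP server would send for MS-CHAPv2 using the Microsoft vendor-specific attributes from RFC 2548. It shows that the request carries the challenge and the response and has no User-Password attribute, which is why a plain-text password interface cannot express it. Function names and sample values are constructed for illustration; the 24-byte response is a placeholder, not a computed NT-Response.

```python
import os
import struct

VENDOR_MICROSOFT = 311    # enterprise number used by the RFC 2548 attributes
MS_CHAP_CHALLENGE = 11    # vendor type: authenticator challenge sent to the peer
MS_CHAP2_RESPONSE = 25    # vendor type: the peer's MS-CHAPv2 response

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def ms_vsa(vendor_type, value):
    """Wrap a Microsoft sub-attribute in a Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(26, struct.pack("!I", VENDOR_MICROSOFT) + inner)

def build_access_request(ident, user, auth_chal, peer_chal, nt_resp, chap_id=1):
    """Build an Access-Request that relays the CHAP exchange, not a password."""
    if (len(auth_chal), len(peer_chal), len(nt_resp)) != (16, 16, 24):
        raise ValueError("MS-CHAPv2 uses 16-byte challenges and a 24-byte response")
    # MS-CHAP2-Response value: Ident, Flags, Peer-Challenge, 8 reserved bytes, Response
    resp = struct.pack("!BB", chap_id, 0) + peer_chal + bytes(8) + nt_resp
    attrs = (attr(1, user.encode())                     # User-Name
             + ms_vsa(MS_CHAP_CHALLENGE, auth_chal)
             + ms_vsa(MS_CHAP2_RESPONSE, resp))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + os.urandom(16) + attrs              # random Request Authenticator

def parse_attributes(packet):
    """Return (type, vendor_id, vendor_type, value) for each attribute."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    out, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + a_len]
        if a_type == 26 and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            out.append((a_type, vendor, body[4], body[6:4 + body[5]]))
        else:
            out.append((a_type, None, None, body))
        pos += a_len
    return out

if __name__ == "__main__":
    # Constructed sample values; the response bytes are a placeholder.
    pkt = build_access_request(7, "alice", os.urandom(16), os.urandom(16), bytes(24))
    for a in parse_attributes(pkt):
        print(a[0], a[1], a[2], a[3].hex())
```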


