[pptp-server] pppd, CHAP and RADIUS (was: Licensing and MSCHAP binaries for pppd)

Neale Banks neale at lowendale.com.au
Sun Oct 7 17:04:58 CDT 2001


On Sun, 7 Oct 2001, Steve Langasek wrote:

[...]
> Also, I'm in the process of extending pppd's plugin support to include hooks
> for alternate CHAP authenticators, which is functionality that my specific
> application requires (authenticating PPTP connections against a RADIUS server
> instead of against a chap-secrets file).  Depending on the license
> restrictions the pppd authors choose to place on their plugin API, it may be
> possible to provide MS-CHAPv2 support in the form of a freely-distributable
> plugin.

It might be even simpler than that: RFC2865 section 2.2 clearly (at least
to me it's clear ;-) states that where you are doing CHAP and RADIUS then
the CHAP computations are in the RADIUS server - i.e. your NAS (in this
case pppd) does NOT need to have any CHAP computations in it.

This should mean that MS-CHAP (ugh, but not MPPE :-( ) can live
exclusively in the RADIUS server (e.g. see
ftp://ftp.freeradius.org/pub/radius/contrib/mschap.tar.gz ).  What pppd
does need to know is then limited to negotiating MSCHAP auth in LCP and
how to assemble the relevant RADIUS request and interpret the RADIUS
response (see MS's "VENDOR" RADIUS A-V's) - which is not necessarily
inconsistent with your suggestion of plugin CHAP authenticators.

Smart ideas on how to approach MPPE most gratefully accepted. Hmmm...
1) Is this what charlie was talking about solving?
2) Is this starting to turn into a Good Argument for L2TP/IPSec? ;-)

Yes, at the end of the day all this does is move (some of) the problem.

HTH,
Neale.
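
Added example, not part of the original post: the split that RFC 2865 section 2.2 describes for standard (MD5) CHAP, where the NAS only relays the CHAP ID, response and challenge, and the RADIUS server alone holds the secret and checks the hash. Function names and sample credentials are constructed for illustration; MS-CHAP uses vendor-specific attributes and a different algorithm and is not shown.

```python
import hashlib
import hmac
import struct

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60  # RFC 2865 attribute types

def attr(t, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", t, len(value) + 2) + value

def peer_chap_response(chap_id, secret, challenge):
    """Dial-in peer: MD5(ID || secret || challenge), per standard CHAP."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def nas_build_attributes(user, chap_id, response, challenge):
    """NAS: relay ID, response and challenge. No secret and no MD5 here."""
    return (attr(USER_NAME, user)
            + attr(CHAP_PASSWORD, bytes([chap_id]) + response)
            + attr(CHAP_CHALLENGE, challenge))

def parse_attributes(blob):
    """Decode a TLV attribute run, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return out

def server_verify(blob, user_db):
    """RADIUS server: the only party that holds the secret and checks the hash."""
    attrs = parse_attributes(blob)
    secret = user_db.get(attrs.get(USER_NAME))
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE)
    if secret is None or len(chap) != 17 or not challenge:
        return False
    expected = hashlib.md5(chap[:1] + secret + challenge).digest()
    return hmac.compare_digest(expected, chap[1:])

if __name__ == "__main__":
    db = {b"alice": b"constructed-secret"}  # constructed sample data
    challenge = bytes(range(16))  # fixed for the demo; a NAS uses random octets
    resp = peer_chap_response(7, db[b"alice"], challenge)
    print(server_verify(nas_build_attributes(b"alice", 7, resp, challenge), db))
```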



