[pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought.

Josh Howlett Josh.Howlett at bristol.ac.uk
Sun Oct 7 17:02:11 CDT 2001


We're doing the same thing - running PPTP over 802.11 w/ no WEP and
using MPPE for security (actually PPTP over PPPoE over 802.11).  It
works great.

We initially wanted it to integrate with our NT authentication, but you
can't backend CHAP onto RADIUS via PAM.  So, we then looked at dumping
the NT password hashes into Samba passwd format, and using the smb
poptop patch.  But, it turns out MS-CHAP-v2 is vulnerable to a
dictionary attack, so we dumped that (it worked :( ) in favour of
mandatory random 10-character passwords.  Yeah, the users loved

I'm in the process of knocking up a CDROM distribution that provides
this functionality - let me know if you'd like an ISO.

cheers, josh.

On Sat, 6 Oct 2001, Steve Langasek wrote:

> Hello,
> My employer is in the process of deploying a wireless access solution which
> uses PPTP for security (since we all know WEP is useless, and IPSec is
> difficult when half of your potential customers run Win98).  Our existing
> server-side infrastructure is all Linux-based, right down to the PDC for our
> NT domain, which is running on Samba 2.2.1a.  We use RADIUS (freeradius) for
> authentication of all existing customers and for delivery of information such
> as static routes & session timeouts.
> The goal here is to have a PPTP server running on a Linux box that
> authenticates to the RADIUS server running freeradius, which then back-ends
> onto the Samba-based NT domain.
> Anyone gotten anywhere close to this, or will I effectively be building from
> scratch? :)
> I do see a 1999 mention of MSCHAPv2/MPPE patches for Linux ppp, but it's
> stated that this is a patch for portslave.  My understanding is that portslave
> is only applicable when dealing with PPP over serial interfaces, so I'm not
> clear on how existing patches would be integrated with a PPTP solution.  Is
> portslave the only Linux ppp software that currently supports RADIUS?
> If no one knows the answers, 'sok... I'll just fumble along until everything
> falls into place.  But if anyone can give me a jump-start on this stuff, it
> would be much appreciated. :)
> Regards,
> Steve Langasek
> postmodern programmer
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server

Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
