[pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought.

Steve Langasek vorlon at netexpress.net
Sun Oct 7 19:41:36 CDT 2001

On Sun, 7 Oct 2001, Josh Howlett wrote:

> We're doing the same thing - running  PPTP over 802.11 w/ no WEP and
> using MPPE for security (actually PPTP over PPPoE over 802.11).  It
> works great.

> We initially wanted it to integrate with our NT authentication, but you
> can't backend CHAP onto RADIUS via PAM.  So, we then looked at dumping
> the NT password hashes into Samba passwd format, and using the smb
> poptop patch.  But, it turns out MS-CHAP-v2 is vulnerable to a
> dictionary attack, so we dumped that (it worked :( ) in favour of
> mandatory random 10 character random passwords.  Yeah, the users loved
> it!

Hmm, it seems self-evident to me that any security built on top of user-chosen
passwords is vulnerable to a dictionary attack.  Even so, I admit I hadn't
given much thought to this.  There are still significant advantages for us if
we can integrate this both with our RADIUS server and our NT domain, so we'll
probably address the security questions by using centrally-assigned passwords.

> I'm in the process of knocking up a CDROM distribution that provides
> this functionality - let me know if'd you'd like an ISO.

If it doesn't make use of RADIUS and NT auth, I'm not sure how much use it
would be to me.  Thanks for the offer, though. :)

Steve Langasek
postmodern programmer

More information about the pptp-server mailing list