[pptp-server] pppd, CHAP and RADIUS (was: Licensing and MSCHAP binaries for pppd)

Steve Langasek vorlon at netexpress.net
Sun Oct 7 19:55:57 CDT 2001

On Mon, 8 Oct 2001, Neale Banks wrote:

> [...]
> > Also, I'm in the process of extending pppd's plugin support to include hooks
> > for alternate CHAP authenticators, which is functionality that my specific
> > application requires (authenticating PPTP connections against a RADIUS server
> > instead of against a chap-secrets file).  Depending on the license
> > restrictions the pppd authors choose to place on their plugin API, it may be
> > possible to provide MS-CHAPv2 support in the form of a freely-distributable
> > plugin.

> It might be even simpler than that: RFC2865 section 2.2 clearly (at least
> to me it's clear ;-) states that where you are doing CHAP and RADIUS then
> the CHAP computations are in the RADIUS server - i.e. your NAS (in this
> case pppd) does NOT need to have any CHAP computations in it.

> This should mean that MS-CHAP (ugh, but not MPPE :-( ) can live
> exclusively in the RADIUS server (e.g. see
> ftp://ftp.freeradius.org/pub/radius/contrib/mschap.tar.gz ).  What pppd
> does need to know is then limited to negotiating MSCHAP auth in LCP and
> how to assemble the relevant RADIUS request and interpret the RADIUS
> response (see MS's "VENDOR" RADIUS A-V's) - which not necessarily
> inconsistent with your suggestion of plugin CHAP authenticators.

Certainly, this is true for my circumstances.  I'm also interested in a
solution for the general case, where RADIUS is not involved.  I actually have
the chap-radius plugin for pppd all but written at this point, and am working
on verifying that freeradius's existing MSCHAP support works with MSCHAPv2
(which I suspect it does not -- yet).

> Smart ideas on how to approach MPPE most gratefully accepted. Hmmm...

Oh, and most of MPPE should sit in the kernel.  So all in all, the pppd code
doesn't have to be too ugly. :)

> 2) Is this starting to turn into a Good Argument for L2TP/IPSec? ;-)

Do either of those options allow me to control IP assignment using centralized
radius servers? :)  If not, then hacking on one is as good as hacking any
other, I suppose. :)

Steve Langasek
postmodern programmer

More information about the pptp-server mailing list