Hi Again,

I've finally succeeded in successfully setting up MS-CHAP authentication
for PPTP clients (thanks to Alan for his assistance with the rlm_mschap
module), but I have hit a snag negotiating MPPE encryption. It appears
that the Cisco router doesn't understand or is not receiving MPPE keys
from the RADIUS server.

In looking through the RFC for MS-CHAP, it states that the access-accept
packet should contain one or no instances of the following:

7 MS-MPPE-Encryption-Policy
8 MS-MPPE-Encryption-Type
12 MS-CHAP-MPPE-Keys
16 MS-MPPE-Send-Key
17 MS-MPPE-Recv-Key

Although I can set these values under the 'users' file to send back
during the negotiation, I can't seem to figure out the proper syntax to
declare them in octet form. The 2 other questions I had were first, is
the DES function included with rlm_mschap able to negotiate 40-bit &
128-bit encryption or is it limited to 56-bit? And secondly, whether there
is a way to use the RADIUS server only for authentication and then punt
the encryption process back to the router after a user has been
successfully authenticated?

Thanks again for your help,

Matt

-----------------------
Matt Nowina
Network Operations
InQuent Technologies
416-645-4633




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
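
Added example (not part of the original post and not FreeRADIUS code): one way to check whether an Access-Accept actually carries the MPPE attributes listed in the message, by walking the Microsoft (vendor 311) Vendor-Specific attributes in the raw packet bytes. The function names are hypothetical and the sample packet is constructed, with arbitrary placeholder values rather than real policy or key material.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type carrying vendor sub-attributes
MS_VENDOR_ID = 311       # Microsoft enterprise number (RFC 2548)
MPPE_ATTRS = {7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Type",
              12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key",
              17: "MS-MPPE-Recv-Key"}  # vendor types as listed in the post

def mppe_attributes(packet: bytes) -> dict:
    """Map each MPPE attribute found in an Access-Accept to its value lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a complete Access-Accept")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:  # one VSA may pack several sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype in MPPE_ATTRS:
                found.setdefault(MPPE_ATTRS[vtype], []).append(vlen - 2)
            sub = sub[vlen:]
    return found

def sample_accept(attrs) -> bytes:
    """Build a constructed Access-Accept from (vendor_type, value) pairs."""
    body = b""
    for vtype, data in attrs:
        sub = bytes([vtype, len(data) + 2]) + data
        body += bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", MS_VENDOR_ID) + sub
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # Constructed packet: policy and type present, no key attributes at all.
    pkt = sample_accept([(7, b"\x00\x00\x00\x01"), (8, b"\x00\x00\x00\x04")])
    print(mppe_attributes(pkt))
```

An attribute name mapped to more than one length means the packet carries it more than once, which conflicts with the "one or no instances" rule quoted in the message; a name missing from the result means the server never sent it.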
