>From [EMAIL PROTECTED]  Wed Oct 31 15:31:57 2001
>Date: Wed, 31 Oct 2001 09:31:57 -0600
>From: Chris Parker [EMAIL PROTECTED]
>Subject: MPPE
>
>At 10:00 AM 10/31/2001 -0500, Matt Nowina wrote:
>>Hi Again,
>>
>>I've finally succeeded in successfully setting up MS-CHAP authentication
>>for pptp clients (Thanks to Alan for his assistance with the rlm_mschap
>>module),
>
>Excellent!  :)
>
>>but I have hit a snag negotiating mppe encryption. It appears
>>that the cisco router doesn't understand or is not receiving mppe keys
>>from the radius server.
>>
>>In looking through the RFC for MS-CHAP, it states that the access-accept
>>packet should contain one or no instances of the following:
>>
>>7 MS-MPPE-Encryption-Policy
>>8 MS-MPPE-Encryption-Type
>>12 MS-CHAP-MPPE-Keys
>>16 MS-MPPE-Send-Key
>>17 MS-MPPE-Recv-Key
>>
>>Although I can set these values under the 'users' file to send back
>>during the negotiation, I can't seem to figure out the proper syntax to
>>declare them in octet form.
>
>What are the dictionary entries you have currently, and what does your
>users file look like now for the value?

Hi Chris,

The dictionary entries I have for the above attributes are from the
dictionary.microsoft file:

ATTRIBUTE       MS-MPPE-Encryption-Policy    7      octets
ATTRIBUTE       MS-MPPE-Encryption-Type      8      octets
ATTRIBUTE       MS-CHAP-MPPE-Keys           12      octets
ATTRIBUTE       MS-MPPE-Send-Key            16      octets
ATTRIBUTE       MS-MPPE-Recv-Key            17      octets

I believe these should be set under the 'users' file in something like:

DEFAULT         Auth-Type := MS-CHAP
                    MS-MPPE-Encryption-Policy = "0x(some_octet_here)",
# This in my case should send back a value of 2 to indicate required encryption
                    MS-MPPE-Encryption-Type = "0x(some_octet_here)",
# This should send back a value of 6 to indicate 40bit & 128bit encryption only
                    MS-CHAP-MPPE-Keys = "0x(some_octet_here)",
                    MS-MPPE-Send-Key = "0x(some_octet_here)",
                    MS-MPPE-Recv-Key = "0x(some_octet_here)"
# I'm not sure what should be sent here, but I assumed it would be set by
# the algorithm automatically

>
>>The 2 other questions I had were first, is
>>the des function included with rlm_mschap able to negotiate 40bit &
>>128bit encryption or is it limited to 56-bit?
>
>Not sure on this one, as I'm not as familiar with that module.
>
>>And secondly whether there
>>is a way to use the radius server only for authentication and then punt
>>the encryption process back to the router after a user has been
>>successfully authenticated?
>
>Not quite sure what you mean by this.  Can you elaborate a little more?
>

Well, I guess what I was thinking was that I don't want a constant
stream of encryption/decryption packets streaming from the client to the
router and then from the router to the radius server during the entire
session. If the radius server was just used for authentication and then
told the router to negotiate the encryption based on the settings above,
it would be a more efficient setup.

--Matt


>-Chris
>--
>    \\\|||///  \  Chris Parker    -    Manager, Development Engineering
>    \ ~   ~ /   \       WX *is* Wireless!    \   [EMAIL PROTECTED]
>    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
>oOo---(_)---oOo--\------------------------------------------------------
>                   \ Without C we would have 'obol', 'basi', and 'pasal'


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
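The MS-MPPE-Send-Key and MS-MPPE-Recv-Key octets discussed in the thread are not static values that a users file can carry: RFC 2548 has the server salt-encrypt a per-session key under the RADIUS shared secret and the Request-Authenticator of the matching Access-Request, so a client-visible key never appears in the clear on the wire. The following Python is an added example, not code from this thread or from FreeRADIUS, showing that encoding, its decoding, and how the result is wrapped in the Vendor-Specific attribute; the shared secret, authenticator and key in the test are constructed values.

```python
import hashlib
import os
from typing import Optional

MICROSOFT_VENDOR_ID = 311          # RFC 2548 Vendor-Id for Microsoft VSAs
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_key_encrypt(secret: bytes, req_auth: bytes, key: bytes,
                     salt: Optional[bytes] = None) -> bytes:
    """Salt || String for MS-MPPE-Send/Recv-Key (RFC 2548 section 2.4.2).
    Plaintext = Key-Length(1) || Key, zero-padded to 16-octet blocks; block i
    is XORed with b(i): b(1) = MD5(S||R||Salt), b(i) = MD5(S||c(i-1))."""
    if len(req_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if salt is None:                # fresh per attribute, high bit must be set
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), req_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                # later blocks chain on previous ciphertext
    return salt + bytes(out)

def mppe_key_decrypt(secret: bytes, req_auth: bytes, body: bytes) -> bytes:
    """Inverse of mppe_key_encrypt; body is Salt || String from the wire."""
    salt, cipher = body[:2], body[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), req_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:   # garbage length: wrong secret or authenticator
        raise ValueError("bad key length: wrong shared secret?")
    return bytes(plain[1:1 + plain[0]])

def mppe_key_vsa(vendor_type: int, secret: bytes, req_auth: bytes,
                 key: bytes, salt: Optional[bytes] = None) -> bytes:
    """Full Vendor-Specific (type 26) attribute carrying the encrypted key."""
    body = mppe_key_encrypt(secret, req_auth, key, salt)
    sub = bytes([vendor_type, 2 + len(body)]) + body
    return bytes([26, 6 + len(sub)]) + MICROSOFT_VENDOR_ID.to_bytes(4, "big") + sub
```

Because the keystream depends on the Request-Authenticator, the same key sent in reply to two different requests produces different octets, and a NAS configured with the wrong shared secret recovers garbage rather than a usable key.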