Hiya, I have a Nortel VPN server authenticating off the freeradius server (12/06 snapshot) which uses an ldap server for its user information. The end users are using pptp. When using PAP to authenticate the client works fine. When using CHAP or EAP it doesn't. Unfortunately, without CHAP or EAP working, the payloads in the packets are not encrypted using pptp, only the link.

Quote from http://www.sans.org/infosecFAQ/encryption/VPN_sec.htm: "Encryption in PPTP is handled by using Microsoft Point-to-Point Encryption (MPPE). MPPE provides only link encryption and in Windows 2000 you have to use EAP or MS-CHAP in order to encrypt PPTP payloads. MPPE uses the RSA RC4 stream cipher for 40-bit, 56-bit & 128-bit encryption."

I have read the FAQ section on CHAP, but putting the passwords directly in the users file is not an option. I store my passwords in the LDAP server in clear text. Can I have chap look to the ldap server for those passwords? I am of course using ssl/tls for all data connections to the ldap server. Thanks for any assistance you can offer.

Mike

rad_recv: Access-Request packet from host 137.236.215.1:3793, id=188, length=92
        User-Name = "mdh"
        CHAP-Password = "\256\212\321\205\0171\211\024\213\263\013\372\216l\017\210"
        CHAP-Challenge = "\221\302z\324\337Pv\274\240/8\350/\0275\345"
        Service-Type = Authenticate-Only
        Framed-Protocol = PPP
        NAS-IP-Address = 137.236.215.1
        NAS-Port = 22844
        NAS-Port-Type = Virtual
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for mdh
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: user mdh authorized to use remote access
  rlm_ldap: - authenticate
  rlm_ldap: Attribute "Password" is required for authentication.  Cannot use "CHAP-Password".
Login incorrect: [mdh/<CHAP-Password>] (from nas 137.236.215.1 port 22844)
Sending Access-Reject of id 188 to 137.236.215.1:3793
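The rlm_ldap message above is the heart of the problem: an LDAP bind can only test a password the server already holds in clear, while a CHAP response is an MD5 digest the server must recompute itself. The example below is added here and is not FreeRADIUS code; it decodes the octal-escaped attribute values as radiusd prints them and performs the RFC 1994 check that rlm_chap needs the stored cleartext password for (plain CHAP only, not MS-CHAP). The password and challenge used for the check are constructed values, not the ones from the log.

```python
"""CHAP (RFC 1994) verification as a RADIUS server must perform it.

Added example, not part of FreeRADIUS. The server never sees the password
in the Access-Request, only MD5(id || password || challenge), so the only
way to validate it is to recompute the digest from a cleartext password
fetched as a check item; an LDAP bind cannot do this.
"""
import hashlib
import hmac
import re

_ESC = re.compile(r'\\([0-7]{3}|.)')


def decode_fr_escaped(s: str) -> bytes:
    """Turn a radiusd debug string such as "\\221\\302z..." back into raw octets."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 8)) if len(tok) == 3 else tok
    return _ESC.sub(repl, s).encode('latin-1')


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def build_chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """What the NAS sends in CHAP-Password (RFC 2865 5.3): 1-octet ID + 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_password: str) -> bool:
    """Server side: recompute from the stored cleartext and compare in constant time."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


# The CHAP-Challenge value exactly as it appears in the log above (16 octets).
LOG_CHALLENGE = decode_fr_escaped(r"\221\302z\324\337Pv\274\240/8\350/\0275\345")

if __name__ == "__main__":
    # Constructed demo values: the real user's password is of course unknown.
    demo_pw, demo_id = "s3cret-demo", 0x2a
    attr = build_chap_password(demo_id, demo_pw, LOG_CHALLENGE)
    print("challenge octets:", len(LOG_CHALLENGE))
    print("verifies with stored cleartext:", verify_chap(attr, LOG_CHALLENGE, demo_pw))
    print("verifies with wrong password:  ", verify_chap(attr, LOG_CHALLENGE, "other"))
```

The practical consequence is the FAQ's point: rlm_chap can only succeed when the cleartext password reaches it as a check item, whether from the users file or returned by rlm_ldap from the directory.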
