On 8/10/2016 7:30 PM, Greg Smith wrote:
> Hello.
> I have some devices in the field that have all PPP authentication
> turned off for PPP. Now that lwIP supports MSCHAPv2 and MPPE (in the
> 2.0.0 betas), I'd like to enable those features on my devices to
> encrypt the traffic. But I also need to support older units that are
> running older lwIP versions and don't have authentication support.
> If I ppp_set_auth(, PPPAUTHTYPE_ANY,,) in my startup code, I can get
> peers to connect with both no authentication and MSCHAPv2
> successfully. (Yea!)
> However, if I then try ppp_set_mppe(pppPcb, PPP_MPPE_ENABLE |
> PPP_MPPE_REFUSE_128); (with or without the REFUSE flag), my clients
> with no authentication fail because MPPE is "required". (LwIP
> responds with "MPPE required, but MS-CHAP[v2] auth not performed.".)
> I'd like to make it so MPPE is only required if MSCHAPv2 negotiates.
> (Alternately, don't require MPPE if no authentication is negotiated,
> but require it (and fail) if any other form is negotiated.) Is there
> a way to do this? Or is that behavior completely unsupported?
> I've thought about using PPP_NOTIFY_PHASE in some way, but I haven't
> explored that yet. Would that be viable (even if clunky) to manually
> do ppp_set_mppe after MSCHAPv2 negotiates?

It's been a long time since I was a PPP expert, but if I remember
correctly, the sequence of PPP negotiations is LCP (which negotiates
if/which authentication protocol will be used), followed by
authentication (if any), followed by other negotiations (IPCP, CCP,
etc). If that's correct, then you won't have to enable CCP (and/or
MPPE) until after your LCP state machine reaches the Opened state, so
you'd know by then if MSCHAPv2 was negotiated or not?
I can't say what the implications would be with the LwIP PPP as I
haven't used it.

> Or is even that poor practice to change LCP options in the middle of
> the negotiation?

CCP (where MPPE would be negotiated) is completely independent of LCP.
None of your LCP options would have to change once you've gotten to the
LCP Opened state. Once LCP finishes, you'll know if you've negotiated
MSCHAPv2 and if you even need to enable CCP (and MPPE) negotiations.
Patrick Klos
Klos Technologies, Inc.
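
The ordering discussed in this thread (LCP, then authentication, then CCP and the other network-phase protocols), as a small model added here; it is not code from the thread or from lwIP. Every type and function name in it is hypothetical and it does not call the lwIP API. It shows only where the MPPE decision can be taken: on entry to the network phase, when the LCP result is final.

```c
/* Model only: hypothetical names, not the lwIP API. */
#include <stdio.h>

enum auth { AUTH_NONE, AUTH_PAP, AUTH_CHAP_MD5, AUTH_MSCHAP, AUTH_MSCHAPV2 };
enum phase { PHASE_ESTABLISH, PHASE_AUTHENTICATE, PHASE_NETWORK };
enum ccp_policy { CCP_UNDECIDED, CCP_SKIP, CCP_REQUIRE_MPPE, CCP_REJECT_LINK };

struct link {
    enum auth negotiated_auth;  /* fixed once LCP reaches Opened */
    int auth_ok;                /* set when the authentication phase succeeds */
    enum ccp_policy policy;
};

/* Policy from the thread: peers that negotiated no authentication run
 * without MPPE; any other peer must use MPPE, which (per the lwIP message
 * quoted above) needs MS-CHAP or MS-CHAPv2, so other auth types fail. */
static enum ccp_policy decide_ccp(const struct link *l)
{
    if (l->negotiated_auth == AUTH_NONE)
        return CCP_SKIP;
    if (l->auth_ok && (l->negotiated_auth == AUTH_MSCHAP ||
                       l->negotiated_auth == AUTH_MSCHAPV2))
        return CCP_REQUIRE_MPPE;
    return CCP_REJECT_LINK;
}

/* Phase hook: decide once, on entry to the network phase. */
static void on_phase(struct link *l, enum phase p)
{
    if (p == PHASE_NETWORK && l->policy == CCP_UNDECIDED)
        l->policy = decide_ccp(l);
}

/* Drive one link through the phases in the order described above. */
static enum ccp_policy run_link(enum auth negotiated, int auth_ok)
{
    struct link l = { negotiated, 0, CCP_UNDECIDED };
    on_phase(&l, PHASE_ESTABLISH);      /* LCP running: nothing decided yet */
    if (negotiated != AUTH_NONE) {
        on_phase(&l, PHASE_AUTHENTICATE);
        l.auth_ok = auth_ok;
        if (!auth_ok)
            return CCP_REJECT_LINK;     /* failed auth never reaches CCP */
    }
    on_phase(&l, PHASE_NETWORK);        /* CCP and IPCP would start here */
    return l.policy;
}

int main(void)
{
    /* Constructed sample peers: legacy unit, MSCHAPv2 unit, PAP unit. */
    printf("none=%d mschapv2=%d pap=%d\n", run_link(AUTH_NONE, 0),
           run_link(AUTH_MSCHAPV2, 1), run_link(AUTH_PAP, 1));
    return 0;
}
```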