
PPP & CHAP: Clarification



Hi Folks:

I would like to clarify how to use PPPD with ISPs that require
CHAP authentication, because most of the documentation on
the subject is misleading. (This applies to dialup connections.)

The most important thing to remember is that you need to edit
both the CHAP secrets file--/etc/ppp/chap-secrets--and
the peer file--/etc/ppp/peers/peer_file_name--not just the
CHAP secrets file.

1) Two typical entries in the CHAP secrets file are as follows:

login@isp.com    *    secret_password    *

login@isp.com    isp_name    secret_password    *

The login@isp.com entry is usually the login ID required
by the ISP, which the standards describe as a system name
or identifier. In any case, this is the "name" field transmitted
in a CHAP challenge/response packet. However, it will
NOT be transmitted unless the peer file is configured
correctly--which I will explain below!

The second field--whose value is isp_name and '*' in the above
examples--identifies the entity performing CHAP authentication.
For ISPs that have a static authenticator, specifying a value
is a good idea and necessary in some cases. For ISPs that
have multiple or dynamic authenticators--such as AT&T Worldnet--
you must use the wildcard '*' as the value. This corresponds
to the value of the "name" field received in the CHAP challenge packet.

The third field--secret_password--is usually the password required
by the ISP but is logically the secret used in calculating the
"value" field of the CHAP challenge response packet--as
described by the standards.

The last field is an optional IP address, which the documentation
describes accurately. (It is rarely used.)
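As an added illustration (not part of the original post), here is a small Python model of how the first three chap-secrets fields feed the CHAP exchange: the first field is the "name" the client sends in its Response, the second is matched against the "name" carried in the Challenge (with '*' as a wildcard), and the third is the secret hashed into the "value" field as RFC 1994 describes for CHAP with MD5. The file contents, the challenge bytes and the secrets are constructed samples.

```python
import hashlib
# Constructed sample chap-secrets content (hypothetical, not real credentials).
CHAP_SECRETS = """
# client         server     secret            IP addresses
login@isp.com    *          secret_password   *
login@isp.com    isp_name   isp_specific_pw   *
"""
# Constructed 16-byte challenge value, as an ISP would send in a CHAP Challenge.
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def parse_chap_secrets(text):
    """Return (client, server, secret, addrs) tuples; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed chap-secrets line: %r" % raw)
        client, server, secret = fields[:3]
        addrs = fields[3] if len(fields) > 3 else "*"
        entries.append((client, server, secret, addrs))
    return entries

def lookup_secret(entries, client, server):
    """Secret for (client, server); an exact server match beats a '*' wildcard, as pppd prefers."""
    best = None
    for c, s, secret, _ in entries:
        if c != client or s not in (server, "*"):
            continue
        if best is None or (s == server and best[0] == "*"):
            best = (s, secret)
    return best[1] if best else None

def chap_md5_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def answer_challenge(secrets_text, user, peer_name, identifier, challenge):
    """Client side: the (Name, Value) pair sent in the CHAP Response, or None if no secret matches."""
    secret = lookup_secret(parse_chap_secrets(secrets_text), user, peer_name)
    if secret is None:
        return None
    return user, chap_md5_response(identifier, secret, challenge)

def verify_response(identifier, secret, challenge, value):
    """Authenticator side: recompute the hash from its own copy of the secret and compare."""
    return chap_md5_response(identifier, secret, challenge) == value
```

With a dynamic authenticator name that matches no explicit entry, only the '*' line supplies a secret; with no matching client name at all, pppd has nothing to send and authentication fails.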

2) There are three crucial entries in the peer file. Examples
of entries are as follows:

#
# ISP login ID or local system identifier.
# Corresponds to the first field in chap-secrets.
#
user    login@isp.com
#
# Remote authentication system identifier.
# Corresponds to the third field in chap-secrets.
#
name    *
#
# The chat script for connecting to the ISP.
#
connect    "/usr/sbin/chat -v -f /etc/chatscripts/isp.chat.script"

The "user" entry is mandatory for CHAP authentication
to work at all--which isn't clear in most of the documentation.
In addition, the value--login@isp.com in the example--must
correspond to the first field of an entry in the CHAP secrets file.

The value of the "name" entry should correspond to the
third field of an entry in the CHAP secrets file.
However, CHAP authentication may work if it is incorrect
or missing.

Finally, the "connect" entry specifies the chat script
used to dial the ISP and ensure that PPP begins executing.

3) An example of a typical chat script is as follows:

#
# Static modem response strings.
#
ABORT    BUSY
ABORT    "NO CARRIER"
ABORT    VOICE
ABORT    "NO DIALTONE"
#
# Send the modem training command and set the defaults.
# A slow response indicates a modem malfunction.
#
TIMEOUT    3
''    AT
OK    ATZ
#
# Perform the dialup: connecting may take some time.
#
TIMEOUT    90
OK    ATDT898-2910
CONNECT    ''
#
# Wait for some indication from the ISP that things are working,
# to ensure PPP has enough time to begin execution.
#
# Note: "Sign-on:" is sent by AT&T Worldnet just before
# it begins PPP negotiations.
#
TIMEOUT    8
Sign-on:    \d\c

Note that it is important to wait for the remote system to start up PPP
before beginning PPP negotiations.
The CHAP authentication will occur during PPP negotiations.

Best Regards,

Paul R.




--
Paul Romero

RCOM Communications Software

Phone/Fax: (510)339-2628
E-Mail: paulr@rcom-software.com
