
Re: linux client dialing into WinNT RAS server



Mark H. Mabry wrote:

> Hi,
>         I'm trying to connect to my work's WinNT RAS server.  During initial
> negotiations between the machines, I get this problem with the CHAP
> authentication:

How surprising (but read on).

> Jan 16 09:44:36 crimson pppd[18696]: sent [LCP ConfReq id=0x1 <mru 1500> <asyncmap 0x0> <magic 0x9951290e> <pcomp> <accomp>]
> Jan 16 09:44:36 crimson pppd[18696]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap msoft> <magic 0x420> <pcomp> <accomp>]
> Jan 16 09:44:36 crimson pppd[18696]: sent [LCP ConfRej id=0x0 <auth chap msoft>]
> Jan 16 09:44:36 crimson pppd[18696]: rcvd [LCP ConfAck id=0x1 <mru 1500> <asyncmap 0x0> <magic 0x9951290e> <pcomp> <accomp>]
> Jan 16 09:44:36 crimson pppd[18696]: rcvd [LCP TermReq id=0x1 00 00 02 dc]
> Jan 16 09:44:36 crimson pppd[18696]: sent [LCP TermAck id=0x1]
>
> Looks to me like my machine is rejecting the request to use Microsoft CHAP
> authentication.  Is that correct?  Has anyone else seen this?

This is indeed correct. I believe the latest HAMM ppp package includes support for
ms-chap. If you like to run stable software though and still have bo (I do) then
there *is* a solution. If you're using the RAS which came with NT 4.0 (even if you
have Service Pack 3) you may have to get into the registry. But first you can try
the following. You need to set your ppp options so that pap authentication is
possible. I use something like the following command line:

/usr/sbin/pppd /dev/ttyS0 38400 user DOMAIN\\username crtscts lock modem \
    connect "/usr/sbin/chat -v -t 120 ABORT BUSY ABORT 'NO CARRIER' '' ATZ OK ATE0V1 OK ATDT555-1212 CONNECT"

Note that I use DOMAIN\\username for the 'user' parameter because I'm logging into
an NT box that wants me to log on as a domain user. If your user is defined locally
then you don't need the DOMAIN\\ part. You will also need to add your password to
the /etc/ppp/pap-secrets file.
You'll need a line like:

DOMAIN\\user   *       password

When you dial in thus to the NT box you'll get logs like:

Jan 14 17:19:20 chilin pppd[22286]: sent [LCP ConfReq id=0x1 <mru 1500> <magic 0xf2c0d760> <pcomp> <accomp>]
Jan 14 17:19:21 chilin pppd[22286]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap msoft> <magic 0x7f95> <pcomp> <accomp>]
Jan 14 17:19:21 chilin pppd[22286]: sent [LCP ConfNak id=0x0 <auth pap>]
Jan 14 17:19:21 chilin pppd[22286]: rcvd [LCP ConfAck id=0x1 <mru 1500> <magic 0xf2c0d760> <pcomp> <accomp>]
Jan 14 17:19:21 chilin pppd[22286]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x7f95> <pcomp> <accomp>]

Note how this time the client ConfNak's, suggesting instead auth pap? That's the
stuff you're after. If this doesn't work, you probably have to modify the registry
on the NT box to effectively disable ms-chap. Start up regedt32 and go to
\\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP. There you'll see
two values, ForceEncryptedPassword and ForceStrongEncryption. Set them both to
zero. Then try again. If that doesn't do the trick, go back to the same spot in the
registry. There should be a subkey there called CHAP. Delete the whole subkey. Then
try again. Make sure you stop/start the RAS service after you change settings in
the registry. This should work. Note that there is an article in the M$ Knowledge
Base. You should look it up on their web page for more in-depth info on the
problem.


>
>
> I'm using ppp-2.2.0f-23, and kernel v2.0.27.
>
> Thanks,
>
> --
> Mark Mabry
> mabry@crimson.mv.com
>
> PGP public key on web page
>
>   ------------------------------------------------------------------------
>
>    Part 1.2   Type: application/pgp-signature



--
Jens B. Jorgensen
jjorgens@bdsinc.com
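
Added example (not part of the original message): a Python sketch that reads pppd debug lines like the ones in this thread and reports, per pppd process, which authentication protocol the peer first requested and which it ended on, flagging a ConfRej of the auth option and a fallback from CHAP to PAP, where the password crosses the link unencrypted. The function name and outcome labels are assumptions; the sample lines are the thread's own log lines with the mail wrapping rejoined.

```python
import re
from collections import defaultdict

# pppd debug line, e.g. "... pppd[22286]: sent [LCP ConfNak id=0x0 <auth pap>]"
LINE = re.compile(r"pppd\[(\d+)\]: (sent|rcvd) \[LCP (\w+) id=0x[0-9a-f]+(.*)\]")
AUTH = re.compile(r"<auth ([^>]+)>")

# Log lines taken from the thread above, with the mail line wrapping rejoined.
SAMPLE = """\
Jan 16 09:44:36 crimson pppd[18696]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap msoft> <magic 0x420> <pcomp> <accomp>]
Jan 16 09:44:36 crimson pppd[18696]: sent [LCP ConfRej id=0x0 <auth chap msoft>]
Jan 14 17:19:21 chilin pppd[22286]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap msoft> <magic 0x7f95> <pcomp> <accomp>]
Jan 14 17:19:21 chilin pppd[22286]: sent [LCP ConfNak id=0x0 <auth pap>]
Jan 14 17:19:21 chilin pppd[22286]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x7f95> <pcomp> <accomp>]
"""

def auth_negotiation(log_text):
    """Summarise, per pppd PID, how the LCP auth option was negotiated."""
    asked = defaultdict(list)   # pid -> auth protocols the peer requested, in order
    rejected = set()            # pids where we sent ConfRej for the auth option
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, direction, code, options = m.groups()
        auth = AUTH.search(options)
        if not auth:
            continue            # LCP packet without an auth option
        if direction == "rcvd" and code == "ConfReq":
            asked[int(pid)].append(auth.group(1))
        elif direction == "sent" and code == "ConfRej":
            rejected.add(int(pid))
    report = {}
    for pid, protos in asked.items():
        first, last = protos[0], protos[-1]
        if pid in rejected:
            outcome = "rejected"      # auth option refused outright
        elif first.startswith("chap") and last == "pap":
            outcome = "downgraded"    # peer fell back from CHAP to PAP
        else:
            outcome = "unchanged" if first == last else "changed"
        report[pid] = {"requested": first, "final": last, "outcome": outcome}
    return report

if __name__ == "__main__":
    for pid, summary in auth_negotiation(SAMPLE).items():
        print(pid, summary)
```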


