Hello,
I'm using freeradius 0.8.1 and pppd 2.4.b1 with the radius plugin, on a
couple of vpn servers. The recent cvs version of pppd accepts mppe
connections providing that the MS-MPPE-Recv or send key are seen. The
MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types must also be seen.
In my radiusd.conf file the mschap modules has:
modules {
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
As far as I can tell rom the freeradius code the 'require_encryption' will
cause the MS-MPPE-Encryption-Policy key to be added to the radius reply with
a value of 0x00000002, and the 'require_strong' will cause the
MS-MPPE-Encryption-Types to be added with 0x00000004. In that respect I
should not need to modify my 'users' file at all.
However, this sometimes seems to work but not other times. Why not? I
rebooted the vpn server, which runs radius locally. Trying to establish a
vpn connection the Policy and Types keys are not added and so the connection
fails. If I add to my default entry:
DEFAULT Auth-Type := Local
MS-MPPE-Encryption-Policy = 0x00000002,
MS-MPPE-Encryption-Types = 0x00000004
Restart radius and it works - even for the actual entries in the users file
itself, not just the default entry. (The default entry causes a proxy to be
used to go off to an MS IAS server for authentication instead.)
So I am a bit confused about all this. Do I need to add the 2 key entries to
all the users explicitly mentioned in the 'users' file or can I just add
them to the DEFAULT entry and they will be added (automatically) to all the
radius replies? Should I have to enter them at all considering the mschap
module states to use strong encryption?
Thanks,
John.
------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
