Dear John Horne,

Can you send FreeRADIUS logs for the session which was started with MPPE
but without MS-MPPE-Encryption-Policy/MS-MPPE-Encryption-Types?

--Friday, January 31, 2003, 3:03:46 PM, you wrote to [EMAIL PROTECTED]:

JH> Hello,

JH> I'm using freeradius 0.8.1 and pppd 2.4.b1 with the radius plugin, on a
JH> couple of vpn servers. The recent cvs version of pppd accepts mppe
JH> connections providing that the MS-MPPE-Recv or send key are seen. The
JH> MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types must also be seen.

JH> In my radiusd.conf file the mschap module has:

JH>   modules {
JH>           mschap {
JH>                   authtype = MS-CHAP
JH>                   use_mppe = yes
JH>                   require_encryption = yes
JH>                   require_strong = yes
JH>           }

JH> As far as I can tell from the freeradius code the 'require_encryption' will
JH> cause the MS-MPPE-Encryption-Policy key to be added to the radius reply with
JH> a value of 0x00000002, and the 'require_strong' will cause the
JH> MS-MPPE-Encryption-Types to be added with 0x00000004. In that respect I
JH> should not need to modify my 'users' file at all.

JH> However, this sometimes seems to work but not other times. Why not? I
JH> rebooted the vpn server, which runs radius locally. Trying to establish a
JH> vpn connection the Policy and Types keys are not added and so the connection
JH> fails. If I add to my default entry:

JH>   DEFAULT         Auth-Type := Local
JH>                   MS-MPPE-Encryption-Policy = 0x00000002,
JH>                   MS-MPPE-Encryption-Types = 0x00000004

JH> Restart radius and it works - even for the actual entries in the users file
JH> itself, not just the default entry. (The default entry causes a proxy to be
JH> used to go off to an MS IAS server for authentication instead.)


JH> So I am a bit confused about all this. Do I need to add the 2 key entries to
JH> all the users explicitly mentioned in the 'users' file or can I just add
JH> them to the DEFAULT entry and they will be added (automatically) to all the
JH> radius replies? Should I have to enter them at all considering the mschap
JH> module states to use strong encryption?


JH> Thanks,

JH> John.

JH> ------------------------------------------------------------------------
JH> John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
JH> E-mail: [EMAIL PROTECTED]
JH> PGP key available from public key servers

JH> - 
JH> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
However, the most important thing is the algorithm!  (Lem)
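
An added example, not part of the original messages and not FreeRADIUS or pppd code: one way to check a captured RADIUS reply for the four Microsoft attributes discussed in this thread. Vendor id and attribute numbers are taken from RFC 2548; the function names and both sample packets are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC, MICROSOFT = 26, 311   # RFC 2865 attribute type, RFC 2548 vendor id
MS_VSA = {7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Types",
          16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}   # RFC 2548 vendor types
POLICY = {1: "Encryption-Allowed", 2: "Encryption-Required"}
TYPE_BITS = {0x2: "40-bit RC4", 0x4: "128-bit RC4"}

def microsoft_vsas(packet):
    """Map attribute name -> raw value for the MPPE VSAs in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, body = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != MICROSOFT:
            continue
        sub = body[4:]                  # one or more vendor type/length/value triples
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] in MS_VSA:
                found[MS_VSA[sub[0]]] = sub[2:sub[1]]
            sub = sub[sub[1]:]
    return found

def mppe_report(packet):
    """Summarise what a NAS such as pppd would find in the reply."""
    vsas = microsoft_vsas(packet)
    policy = vsas.get("MS-MPPE-Encryption-Policy")
    types = vsas.get("MS-MPPE-Encryption-Types")
    return {"missing": [n for n in MS_VSA.values() if n not in vsas],
            "policy": POLICY.get(int.from_bytes(policy, "big")) if policy else None,
            "types": [n for bit, n in TYPE_BITS.items()
                      if types and int.from_bytes(types, "big") & bit]}

def build_reply(vsas):
    """Constructed Access-Accept (code 2) carrying the given Microsoft VSAs."""
    attrs = b"".join(struct.pack("!BBIBB", 26, 8 + len(v), MICROSOFT, t, 2 + len(v)) + v
                     for t, v in vsas)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

KEY = bytes(34)   # constructed placeholder, not a real salted key
GOOD = build_reply([(16, KEY), (17, KEY), (7, b"\x00\x00\x00\x02"), (8, b"\x00\x00\x00\x04")])
BAD = build_reply([(16, KEY), (17, KEY)])   # keys present, Policy/Types absent
```

`mppe_report(BAD)` lists the Policy and Types attributes as missing, which is the condition under which the connection in the quoted message fails.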

