Using PAP in Linux with domain auth.

Post by Michael Saunder » Sun, 10 Oct 1999 04:00:00



Hello,

I am trying to use my Linux box to log-in to the NT RAS at
work, and I'm having a little trouble.  

I have verified that the NT box is accepting PAP -- the
CHAP line does not appear in my pppd log, and the sysadmin
at work enabled PAP at my request.  I don't think that the
usual MSCHAP80 stuff is the problem.

I can use my Win98 machine to log-in just fine.  I fill-out
the username, password and domain (call it LOGIC for this
post):

mike
*******
LOGIC

and everything works fine (a long story, but it didn't used to).

Anyway, having gotten the Win to work, I wanted to now get my
Linux box working (it was working until some changes at work
broke the log-in process).

I took the existing (prior) PAP setup, changed the password to
the correct value, and tried an ifup ppp1 to the NT RAS.  The
server hung-up on me.

Hmmm... maybe I need to specify the LOGIC domain somehow to get
"authenticated."  Searching the web/news only turned-up how to
set-up CHAP with domains (such as LOGIC\\mike in the secrets file).

Well, I'm not needing CHAP, so I hacked the pap-secrets to use
LOGIC\\mike and the server still hung-up on me.

Here's the entry from my /var/log/messages:
Oct  4 23:20:44 kumba pppd[15093]: pppd 2.3.5 started by root, uid 0
Oct  4 23:20:44 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
115200
Oct  4 23:21:06 kumba pppd[15093]: Serial connection established.
Oct  4 23:21:07 kumba pppd[15093]: Using interface ppp0
Oct  4 23:21:07 kumba pppd[15093]: Connect: ppp0 <--> /dev/modem
Oct  4 23:21:10 kumba pppd[15093]: Remote message: E=691
Oct  4 23:21:10 kumba pppd[15093]: PAP authentication failed

Oct  4 23:21:11 kumba pppd[15093]: Modem hangup
Oct  4 23:21:11 kumba pppd[15093]: Connection terminated.
Oct  4 23:21:12 kumba pppd[15093]: Exit.

The E=691 is a "username/password not valid" error I believe.  I've
double checked the username and password, and they are correct.

Therefore, I need to know: can I use a domain log-in with PAP?
If so, how?  If not, can I trick CHAP into not doing bi-direct.
authentication?

Thanks!
Mike

 
 
 

Post by Clifford Ki » Sun, 10 Oct 1999 04:00:00



> Oct  4 23:21:10 kumba pppd[15093]: Remote message: E=691
> Oct  4 23:21:10 kumba pppd[15093]: PAP authentication failed

> Oct  4 23:21:11 kumba pppd[15093]: Modem hangup
> Oct  4 23:21:11 kumba pppd[15093]: Connection terminated.
> Oct  4 23:21:12 kumba pppd[15093]: Exit.
> The E=691 is a "username/password not valid" error I believe.  I've
> double checked the username and password, and they are correct.
> Therefore, I need to know: can I use a domain log-in with PAP?
> If so, how?  If not, can I trick CHAP into not doing bi-direct.
> authentication?

You shouldn't need the NT Domain name for PAP.  Make a pap-secrets file
with a line like

YourNTusername          *       YourNTsecret

and use the pppd option  user <YourNTusername> .  Drop any remotename <name>
option.

If this doesn't help then you can add the pppd debug option and post
those log messages for opinions.

--

/* Those who can't write, write manuals. */

 
 
 

Post by Michael Saunder » Sun, 10 Oct 1999 04:00:00



: You shouldn't need the NT Domain name for PAP.  Make a pap-secrets file
: with a line like

: YourNTusername                *       YourNTsecret

: and use the pppd option  user <YourNTusername> .  Drop any remotename <name>
: option.

OK, I tried that, and I still get hung-up on.  Here's the files:

/etc/ppp/options:
lock
name mikesa

/etc/ppp/pap-secrets:
# Secrets for authentication using PAP
# client                server  secret                  IP addresses
mikesa                  ppp1    this_one
micsaund                ppp0    not_this

/var/log/messages:
Oct  9 21:46:16 kumba pppd[27588]: pppd 2.3.5 started by root, uid 0
Oct  9 21:46:17 kumba chat[27590]: abort on (BUSY)
Oct  9 21:46:17 kumba chat[27590]: abort on (ERROR)
Oct  9 21:46:17 kumba chat[27590]: abort on (NO CARRIER)
Oct  9 21:46:17 kumba chat[27590]: abort on (NO DIALTONE)
Oct  9 21:46:17 kumba chat[27590]: abort on (Invalid Login)
Oct  9 21:46:17 kumba chat[27590]: abort on (Login incorrect)
Oct  9 21:46:17 kumba chat[27590]: send (ATZ^M)
Oct  9 21:46:17 kumba chat[27590]: expect (OK)
Oct  9 21:46:17 kumba chat[27590]: ATZ^M^M
Oct  9 21:46:17 kumba chat[27590]: OK
Oct  9 21:46:17 kumba chat[27590]:  -- got it
Oct  9 21:46:17 kumba chat[27590]: send (ATDT5552460^M)
Oct  9 21:46:18 kumba chat[27590]: expect (CONNECT)
Oct  9 21:46:18 kumba chat[27590]: ^M
Oct  9 21:46:40 kumba chat[27590]: ATDT5552460^M^M
Oct  9 21:46:40 kumba chat[27590]: CONNECT
Oct  9 21:46:40 kumba chat[27590]:  -- got it
Oct  9 21:46:40 kumba chat[27590]: send (^M)
Oct  9 21:46:40 kumba pppd[27588]: Serial connection established.
Oct  9 21:46:41 kumba pppd[27588]: Using interface ppp0
Oct  9 21:46:41 kumba pppd[27588]: Connect: ppp0 <--> /dev/modem
Oct  9 21:46:44 kumba pppd[27588]: Remote message: E=691
Oct  9 21:46:44 kumba pppd[27588]: PAP authentication failed

Oct  9 21:46:45 kumba pppd[27588]: Modem hangup
Oct  9 21:46:45 kumba pppd[27588]: Connection terminated.
Oct  9 21:46:46 kumba pppd[27588]: Exit.

This is coming from a RH5.2 setup.  To activate the interface, I'm
using "ifup ppp1" (which, for some reason, always shows-up as ppp0,
but ppp0 is the interface I'm using to send this, so it works fine).

I don't know how to enable additional pppd debugging (if it's
available) since I'm using "ifup ppp1" which is a wrapper for
something more complex from RH5.2.  If there's something I can
do to cause more debugging info to appear, please let me know.

Thanks,
Mike

 
 
 

Post by Michael Saunder » Sun, 10 Oct 1999 04:00:00


: You are also not turning on debug for pppd.
: Put
: debug
: into /etc/ppp/options
: and turn it on by putting the line
: daemon.*              /var/log/messages
: into /etc/syslog.conf and doing killall -1 syslogd
: then try logging on and see what the messages say. See if they ask for
: chap.

Done... Now, I have more info in the log file (see below).  It
looks like my Linux box is requesting PAP authentication, but I
can't tell if it's being accepted or not...

: ]Anyway, having gotten the Win to work, I wanted to now get my
: ]Linux box working (it was working until some changes at work
: ]broke the log-in process).

: Ah, yes. Maybe they could tell you what they changed? Or do they not
: know.

They do not "officially" support anything but Winbloze, so me getting
Linux working is like pulling teeth.  I'm actually surprised that
they enabled PAP for me (supposedly).  Getting any kind of detailed
info from the Winbloze * is tough... all they can tell me is
that they "clicked on something" for me.  I don't know NT well
enough to know what they've done or how the "domains" are configured.

: it is sometimes LOGIC/mike, sometimes LOGIC\\mike (I would put it in a
: pair of single quotes due to the \-- 'LOGIC\\mike'). Also make sure that
: you use the
: user 'LOGIC\\mike'
: or
: user 'LOGIC/mike'
: option for pppd.

Tried it both ways, all with single quotes and no luck.

Here's an updated output from the /var/log/messages (don't know why
everything is appearing in doubles, but you get the idea):

Oct  9 23:39:05 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
115200
Oct  9 23:39:05 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
115200
Oct  9 23:39:06 kumba chat[28183]: abort on (BUSY)
Oct  9 23:39:06 kumba chat[28183]: abort on (ERROR)
Oct  9 23:39:06 kumba chat[28183]: abort on (NO CARRIER)
Oct  9 23:39:06 kumba chat[28183]: abort on (NO DIALTONE)
Oct  9 23:39:06 kumba chat[28183]: abort on (Invalid Login)
Oct  9 23:39:06 kumba chat[28183]: abort on (Login incorrect)
Oct  9 23:39:06 kumba chat[28183]: send (ATZ^M)
Oct  9 23:39:06 kumba chat[28183]: expect (OK)
Oct  9 23:39:06 kumba chat[28183]: ATZ^M^M
Oct  9 23:39:06 kumba chat[28183]: OK
Oct  9 23:39:06 kumba chat[28183]:  -- got it
Oct  9 23:39:06 kumba chat[28183]: send (ATDT5552460^M)
Oct  9 23:39:06 kumba chat[28183]: expect (CONNECT)
Oct  9 23:39:06 kumba chat[28183]: ^M
Oct  9 23:39:25 kumba chat[28183]: ATDT5552460^M^M
Oct  9 23:39:25 kumba chat[28183]: CONNECT
Oct  9 23:39:25 kumba chat[28183]:  -- got it
Oct  9 23:39:25 kumba chat[28183]: send (^M)
Oct  9 23:39:25 kumba pppd[28181]: Serial connection established.
Oct  9 23:39:25 kumba pppd[28181]: Serial connection established.
Oct  9 23:39:26 kumba pppd[28181]: Using interface ppp0
Oct  9 23:39:26 kumba pppd[28181]: Using interface ppp0
Oct  9 23:39:26 kumba pppd[28181]: Connect: ppp0 <--> /dev/modem
Oct  9 23:39:26 kumba pppd[28181]: Connect: ppp0 <--> /dev/modem
Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfReq id=0x1 <magic
0x62671aab> <pcomp> <accomp>]
Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0>
<auth chap 80> <magic 0x75da> <pcomp> <accomp>]
Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfNak id=0x0 <auth pap>]
Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfAck id=0x1 <magic
0x62671aab> <pcomp> <accomp>]
Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth pap> <magic 0x75da> <pcomp> <accomp>]
Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfAck id=0x1 <asyncmap 0x0>
<auth pap> <magic 0x75da> <pcomp> <accomp>]
Oct  9 23:39:26 kumba pppd[28181]: sent [PAP AuthReq id=0x1 user="mikesa"
password="change"]
Oct  9 23:39:29 kumba pppd[28181]: sent [PAP AuthReq id=0x2 user="mikesa"
password="change"]
Oct  9 23:39:29 kumba pppd[28181]: rcvd [PAP AuthNak id=0x1 "E=691"]
Oct  9 23:39:29 kumba pppd[28181]: Remote message: E=691
Oct  9 23:39:29 kumba pppd[28181]: Remote message: E=691
Oct  9 23:39:29 kumba pppd[28181]: PAP authentication failed
Oct  9 23:39:29 kumba pppd[28181]: PAP authentication failed
Oct  9 23:39:29 kumba pppd[28181]: rcvd [LCP TermReq id=0x2 00 00 02 b3]


Oct  9 23:39:29 kumba pppd[28181]: sent [LCP TermAck id=0x2]
Oct  9 23:39:30 kumba pppd[28181]: Modem hangup
Oct  9 23:39:30 kumba pppd[28181]: Modem hangup
Oct  9 23:39:30 kumba pppd[28181]: Connection terminated.
Oct  9 23:39:30 kumba pppd[28181]: Connection terminated.
Oct  9 23:39:31 kumba pppd[28181]: Exit.
Oct  9 23:39:31 kumba pppd[28181]: Exit.

Same results -- the RAS server just keeps hanging-up on me.  Like
before, the win98 login process works fine with the same username
and password.  That's why this is so frustrating.  Unfortunately,
the only guy at work who's a sysadmin who's into Linux uses a Win98
laptop to dial into work, because he has DSL at home and cannot
connect through the work firewall via the internet (modem connections
only are allowed).

Thanks,
Mike

 
 
 

Post by Bill Unr » Mon, 11 Oct 1999 04:00:00



]Hello,

]I am trying to use my Linux box to log-in to the NT RAS at
]work, and I'm having a little trouble.  

]I have verified that the NT box is accepting PAP -- the
]CHAP line does not appear in my pppd log, and the sysadmin
]at work enabled PAP at my request.  I don't think that the
]usual MSCHAP80 stuff is the problem.

You are also not turning on debug for pppd.
Put
debug
into /etc/ppp/options
and turn it on by putting the line
daemon.*                /var/log/messages
into /etc/syslog.conf and doing killall -1 syslogd
then try logging on and see what the messages say. See if they ask for
chap.

]I can use my Win98 machine to log-in just fine.  I fill-out
]the username, password and domain (call it LOGIC for this
]post):

]mike
]*******
]LOGIC

]and everything works fine (a long story, but it didn't used to).

]Anyway, having gotten the Win to work, I wanted to now get my
]Linux box working (it was working until some changes at work
]broke the log-in process).

Ah, yes. Maybe they could tell you what they changed? Or do they not
know.

]I took the existing (prior) PAP setup, changed the password to
]the correct value, and tried an ifup ppp1 to the NT RAS.  The
]server hung-up on me.

]Hmmm... maybe I need to specify the LOGIC domain somehow to get
]"authenticated."  Searching the web/news only turned-up how to
]set-up CHAP with domains (such as LOGIC\\mike in the secrets file).

]Well, I'm not needing CHAP, so I hacked the pap-secrets to use
]LOGIC\\mike and the server still hung-up on me.

it is sometimes LOGIC/mike, sometimes LOGIC\\mike (I would put it in a
pair of single quotes due to the \-- 'LOGIC\\mike'). Also make sure that
you use the
user 'LOGIC\\mike'
or
user 'LOGIC/mike'
option for pppd.

]Here's the entry from my /var/log/messages:
]Oct  4 23:20:44 kumba pppd[15093]: pppd 2.3.5 started by root, uid 0
]Oct  4 23:20:44 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
]115200
]Oct  4 23:21:06 kumba pppd[15093]: Serial connection established.
]Oct  4 23:21:07 kumba pppd[15093]: Using interface ppp0
]Oct  4 23:21:07 kumba pppd[15093]: Connect: ppp0 <--> /dev/modem
]Oct  4 23:21:10 kumba pppd[15093]: Remote message: E=691
]Oct  4 23:21:10 kumba pppd[15093]: PAP authentication failed

]Oct  4 23:21:11 kumba pppd[15093]: Modem hangup
]Oct  4 23:21:11 kumba pppd[15093]: Connection terminated.
]Oct  4 23:21:12 kumba pppd[15093]: Exit.

]The E=691 is a "username/password not valid" error I believe.  I've
]double checked the username and password, and they are correct.

]Therefore, I need to know: can I use a domain log-in with PAP?
]If so, how?  If not, can I trick CHAP into not doing bi-direct.
]authentication?

 
 
 

Post by Bill Unr » Mon, 11 Oct 1999 04:00:00



]# Secrets for authentication using PAP
]# client                server  secret                  IP addresses
]mikesa                  ppp1    this_one
                      ^^^^^^^ Get rid of these and replace with a *.
ppp1 is almost certainly NOT the name of your remote server. And pap
will look for the server name and not find it.
mikesa                 *    this_one

]micsaund               ppp0    not_this
Same here.

You need to switch on ppp debugging.
debug
in /etc/ppp/options
daemon.*                /var/log/messages
in /etc/syslog.conf
killall -1 syslogd

and it is switched on.

]Oct  9 21:46:44 kumba pppd[27588]: PAP authentication failed

]Oct  9 21:46:45 kumba pppd[27588]: Modem hangup
]Oct  9 21:46:45 kumba pppd[27588]: Connection terminated.
]Oct  9 21:46:46 kumba pppd[27588]: Exit.

]This is coming from a RH5.2 setup.  To activate the interface, I'm
]using "ifup ppp1" (which, for some reason, always shows-up as ppp0,
]but ppp0 is the interface I'm using to send this, so it works fine).

You cannot tell ppp which interface to bring up. It numbers on its own.
The first one up is ppp0, the next one up is ppp1 etc.

Much better for you to write your own script to bring up the two
interfaces (are they or are these just two different ISPs that you want
to call?-- do you really have two separate modems attached to your
machine?)

]I don't know how to enable additional pppd debugging (if it's
]available) since I'm using "ifup ppp1" which is a wrapper for
]something more complex from RH5.2.  If there's something I can
]do to cause more debugging info to appear, please let me know.
See above

 
 
 

Post by Bill Unr » Mon, 11 Oct 1999 04:00:00



]: Ah,yes. Maybe they could tell you what they changed? Or do they not
]: know.

]They do not "officially" support anything but Winbloze, so me getting
]Linux working is like pulling teeth.  I'm actually surprised that
]they enabled PAP for me (supposedly).  Getting any kind of detailed
]info from the Winbloze * is tough... all they can tell me is
]that they "clicked on something" for me.  I don't know NT well
]enough to know what they've done or how the "domains" are configured.

Scary isn't it. And you trust these guys to keep your stuff confidential
and to implement security properly?

...
]Here's an updated output from the /var/log/messages (don't know why
]everything is appearing in doubles, but you get the idea):

You have two entries-- probably for local2. in syslogd.

]Oct  9 23:39:05 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
]115200
]Oct  9 23:39:05 kumba ifup-ppp: pppd started for ppp1 on /dev/modem at
]115200
]Oct  9 23:39:06 kumba chat[28183]: abort on (BUSY)
]Oct  9 23:39:06 kumba chat[28183]: abort on (ERROR)
]Oct  9 23:39:06 kumba chat[28183]: abort on (NO CARRIER)
]Oct  9 23:39:06 kumba chat[28183]: abort on (NO DIALTONE)
]Oct  9 23:39:06 kumba chat[28183]: abort on (Invalid Login)
]Oct  9 23:39:06 kumba chat[28183]: abort on (Login incorrect)
]Oct  9 23:39:06 kumba chat[28183]: send (ATZ^M)
]Oct  9 23:39:06 kumba chat[28183]: expect (OK)
]Oct  9 23:39:06 kumba chat[28183]: ATZ^M^M
]Oct  9 23:39:06 kumba chat[28183]: OK
]Oct  9 23:39:06 kumba chat[28183]:  -- got it
]Oct  9 23:39:06 kumba chat[28183]: send (ATDT5552460^M)
]Oct  9 23:39:06 kumba chat[28183]: expect (CONNECT)
]Oct  9 23:39:06 kumba chat[28183]: ^M
]Oct  9 23:39:25 kumba chat[28183]: ATDT5552460^M^M
]Oct  9 23:39:25 kumba chat[28183]: CONNECT
]Oct  9 23:39:25 kumba chat[28183]:  -- got it
]Oct  9 23:39:25 kumba chat[28183]: send (^M)
]Oct  9 23:39:25 kumba pppd[28181]: Serial connection established.
]Oct  9 23:39:25 kumba pppd[28181]: Serial connection established.
]Oct  9 23:39:26 kumba pppd[28181]: Using interface ppp0
]Oct  9 23:39:26 kumba pppd[28181]: Using interface ppp0
]Oct  9 23:39:26 kumba pppd[28181]: Connect: ppp0 <--> /dev/modem
]Oct  9 23:39:26 kumba pppd[28181]: Connect: ppp0 <--> /dev/modem
]Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfReq id=0x1 <magic
]0x62671aab> <pcomp> <accomp>]
]Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0>
]<auth chap 80> <magic 0x75da> <pcomp> <accomp>]

They DO offer chap 80. All versions of pppd since at least 2.3.3 in
distributions support chap 80.
Just fill in your chap-secrets file (getting rid of those ppp0 and ppp1
remote name requirements.)

]Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfNak id=0x0 <auth pap>]

You suggest that if they have it, please use pap.

]Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfAck id=0x1 <magic
]0x62671aab> <pcomp> <accomp>]
]Oct  9 23:39:26 kumba pppd[28181]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0>
]<auth pap> <magic 0x75da> <pcomp> <accomp>]

They say OK, we'll ask for pap

]Oct  9 23:39:26 kumba pppd[28181]: sent [LCP ConfAck id=0x1 <asyncmap 0x0>
]<auth pap> <magic 0x75da> <pcomp> <accomp>]
You say, great, I can do pap.

]Oct  9 23:39:26 kumba pppd[28181]: sent [PAP AuthReq id=0x1 user="mikesa"
]password="change"]

You say here are my password and username

]Oct  9 23:39:29 kumba pppd[28181]: sent [PAP AuthReq id=0x2 user="mikesa"
]password="change"]

After 3 seconds you send them again.

]Oct  9 23:39:29 kumba pppd[28181]: rcvd [PAP AuthNak id=0x1 "E=691"]

They say Sorry, no go.

So you are definitely sending the wrong username and or password.

Or they could be set up badly at the other end.

Suggestions. Move to chap. Fill in chap-secrets rather than pap-secrets
for that username and try again.

And then try the various combinations of domain name. Make sure that you
get the domain name right as well (eg with respect to capitals.)
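The negotiation walked through in the post above can be read mechanically from a pppd debug log. The following is an added example, not code from the thread or from pppd: it re-joins wrapped syslog entries, reports which authentication method the peer offered and which one was agreed, flags a fallback from CHAP to PAP, and notes when a PAP password appears in clear text in the log. The sample log is constructed, and the function names (unwrap, redact, analyze) are hypothetical.

```python
import re

# Constructed sample modelled on the debug output quoted in this thread; the
# host, pid, magic numbers, user and password are placeholders. One entry is
# left wrapped over two lines, the way the posted logs were.
SAMPLE_LOG = """\
Oct  9 23:39:26 host pppd[100]: sent [LCP ConfReq id=0x1 <magic 0x11111111> <pcomp> <accomp>]
Oct  9 23:39:26 host pppd[100]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0>
<auth chap 80> <magic 0x2222> <pcomp> <accomp>]
Oct  9 23:39:26 host pppd[100]: sent [LCP ConfNak id=0x0 <auth pap>]
Oct  9 23:39:26 host pppd[100]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0x2222> <pcomp> <accomp>]
Oct  9 23:39:26 host pppd[100]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth pap> <magic 0x2222> <pcomp> <accomp>]
Oct  9 23:39:26 host pppd[100]: sent [PAP AuthReq id=0x1 user="exampleuser" password="EXAMPLE-SECRET"]
Oct  9 23:39:29 host pppd[100]: rcvd [PAP AuthNak id=0x1 "E=691"]
Oct  9 23:39:29 host pppd[100]: PAP authentication failed
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PACKET = re.compile(r"pppd\[\d+\]: (sent|rcvd) \[(\w+) (\w+) id=0x[0-9a-f]+(.*)\]\s*$")
AUTH_OPT = re.compile(r"<auth ([^>]+)>")
CLEAR_PW = re.compile(r'password="[^"]*"')


def unwrap(text):
    """Re-join syslog entries that a mail or news client wrapped."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line)
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries


def redact(text):
    """Mask PAP passwords so a debug log can be shared."""
    return CLEAR_PW.sub("password=<redacted>", text)


def analyze(text):
    """Summarise the authentication negotiation seen in a pppd debug log."""
    r = {"peer_offered": [], "we_nakked_to": None, "we_rejected": None,
         "agreed": None, "downgraded_to_pap": False,
         "password_in_log": False, "outcome": None, "remote_message": None}
    for entry in unwrap(text):
        m = PACKET.search(entry)
        if not m:
            continue
        direction, proto, code, body = m.groups()
        auth = AUTH_OPT.search(body)
        if proto == "LCP" and auth:
            method = auth.group(1)          # e.g. "chap 80" (MS-CHAP) or "pap"
            if direction == "rcvd" and code == "ConfReq":
                if method not in r["peer_offered"]:
                    r["peer_offered"].append(method)
            elif direction == "sent" and code == "ConfNak":
                r["we_nakked_to"] = method  # we asked the peer for this instead
            elif direction == "sent" and code == "ConfRej":
                r["we_rejected"] = method   # we refused this method outright
            elif direction == "sent" and code == "ConfAck":
                r["agreed"] = method        # the peer will authenticate us this way
        elif proto == "PAP" and code == "AuthReq":
            r["password_in_log"] |= bool(CLEAR_PW.search(body))
        elif direction == "rcvd" and code in ("AuthNak", "Failure", "AuthAck", "Success"):
            r["outcome"] = "rejected" if code in ("AuthNak", "Failure") else "accepted"
            msg = re.search(r'"([^"]*)"', body)
            r["remote_message"] = msg.group(1).strip() if msg else None
    first = r["peer_offered"][0] if r["peer_offered"] else ""
    # The peer first wanted a challenge-response method but PAP was agreed.
    r["downgraded_to_pap"] = first.startswith("chap") and r["agreed"] == "pap"
    return r


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print(redact(SAMPLE_LOG))
```

pppd's hide-password option keeps the PAP password out of the log in the first place; redact() is for logs that were captured without it.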

 
 
 

Post by Michael Saunder » Mon, 11 Oct 1999 04:00:00


: They DO offer chap 80. All versions of pppd since at least 2.3.3 in
: distributions support chap 80.
: Just fill in your chap-secrets file (getting rid of those ppp0 and ppp1
: remote name requirements.)

I had considered just using CHAP, but I don't know exactly what
to put in the secrets file.  Looking at the PPPD-HOWTO, it looks
like I need to specify a password for the server to challenge
as well as the other way around.  The question is, how does the
server know what password to request from my machine?

Obviously, this can be done (as I have done it in Win98), but
basically, from my viewpoint, all I know is a username and
password pair.  I don't know anything about the servernames
or their passwords...

: ]Oct  9 23:39:26 kumba pppd[28181]: sent [PAP AuthReq id=0x1 user="mikesa"
: ]password="change"]

: You say here are my password and username

: ]Oct  9 23:39:29 kumba pppd[28181]: sent [PAP AuthReq id=0x2 user="mikesa"
: ]password="change"]

: After 3 seconds you send them again.

: ]Oct  9 23:39:29 kumba pppd[28181]: rcvd [PAP AuthNak id=0x1 "E=691"]

: They say Sorry, no go.

: So you are definitely sending the wrong username and or password.

The username and password from the /var/log/messages file is
the correct pair.  I'm getting more suspicious of having to
"log into a NT domain" (LOGIC) to get authenticated.  Basically,
last month, they changed all the NT stuff at work over to the
LOGIC domain, and that's when my previously working PAP set-up
got blown out.

: Suggestions. Move to chap. Fill in chap-secrets rather than pap-secrets
: for that username and try again.

OK, so I'd put something like:

LOGIC\\mikesa   *               myuserpassword
*               LOGIC\\mikesa   <what goes here?>

Am I totally mixed-up on this CHAP-SECRETS file?  Whenever I
try to use it, the RAS server hangs-up on me, and nothing but
some "magic" numbers appear in the /var/log/messages...

I also have a personal ISP that uses PAP to log-in, so I need
to keep that functionality in place, too.

Thanks,
Mike

 
 
 

Post by Michael Saunder » Mon, 11 Oct 1999 04:00:00



Well, Bill, now it seems like we're getting somewhere.  I'm still not logging-in
successfully, but things are going a little different...

I edited my chap-secrets file for single-ended auth., as you pointed out (did I
just miss that in the HOWTO, or is it really missing, or is it simply assumed
and I'm an idiot?)  So far, I've tried several versions of the chap-secrets, with
2 different results.

First, my /etc/ppp/options file (same for all tests):
----------------------------------------------------------------------
lock
debug
----------------------------------------------------------------------

Now, my chap-secrets for TEST #1:
------------------------------------------------------------------------
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
mikesa          *       change
-----------------------------------------------------------------------

This yields the following /etc/log/messages:
-----------------------------------------------------------------------
Oct 10 22:57:36 kumba pppd[32405]: Serial connection established.
Oct 10 22:57:37 kumba pppd[32405]: Using interface ppp0
Oct 10 22:57:37 kumba pppd[32405]: Connect: ppp0 <--> /dev/modem
Oct 10 22:57:37 kumba pppd[32405]: sent [LCP ConfReq id=0x1 <magic 0x2c43db17> <pcomp> <accomp>]
Oct 10 22:57:37 kumba pppd[32405]: sent [LCP ConfAck id=0x0 <asyncmap 0x0> <auth chap 80> <magic 0x20de> <pcomp> <accomp>]
Oct 10 22:57:37 kumba pppd[32405]: rcvd [LCP ConfAck id=0x1 <magic 0x2c43db17> <pcomp> <accomp>]
Oct 10 22:57:37 kumba pppd[32405]: rcvd [CHAP Challenge id=0xa5 <771df76516e98aca>, name = ""]
Oct 10 22:57:37 kumba pppd[32405]: sent [CHAP Response id=0xa5
<00000000000000000000000000000000000000000000000063610a0a99134fd3bbe2
ad82260ed3659724e2819b690ff401>, name = "mikesa"]
Oct 10 22:57:41 kumba pppd[32405]: rcvd [CHAP Failure id=0xa5 "E=691 R=1 "]
Oct 10 22:57:41 kumba pppd[32405]: Remote message: E=691 R=1
Oct 10 22:57:41 kumba pppd[32405]: CHAP authentication failed
Oct 10 22:57:42 kumba pppd[32405]: rcvd [CHAP Failure id=0xa5 "E=691 R=1 "]
Oct 10 22:57:42 kumba pppd[32405]: Remote message: E=691 R=1
Oct 10 22:57:42 kumba pppd[32405]: CHAP authentication failed
Oct 10 22:57:44 kumba pppd[32405]: rcvd [CHAP Failure id=0xa5 "E=691 R=1 "]
-----------------------------------------------------------------------
and the last lines just keep repeating until I kill the connection.

For TEST #2, I tried supplying a Domain with my username.

/etc/ppp/chap-secrets:
----------------------------------------------------------------------
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
'LOGIC\\mikesa'          *       change
----------------------------------------------------------------------

which yielded /var/log/messages:
---------------------------------------------------------------------
Oct 10 22:56:44 kumba pppd[32371]: Serial connection established.
Oct 10 22:56:45 kumba pppd[32371]: Using interface ppp0
Oct 10 22:56:45 kumba pppd[32371]: Connect: ppp0 <--> /dev/modem
Oct 10 22:56:45 kumba pppd[32371]: sent [LCP ConfReq id=0x1 <magic 0x96c52e63> <pcomp> <accomp>]
Oct 10 22:56:46 kumba pppd[32371]: rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap 80> <magic 0xd0e> <pcomp> <accomp>]
Oct 10 22:56:46 kumba pppd[32371]: sent [LCP ConfRej id=0x0 <auth chap 80>]
Oct 10 22:56:46 kumba pppd[32371]: rcvd [LCP ConfAck id=0x1 <magic 0x96c52e63> <pcomp> <accomp>]
Oct 10 22:56:46 kumba pppd[32371]: rcvd [LCP TermReq id=0x1 00 00 02 dc]
Oct 10 22:56:46 kumba pppd[32371]: sent [LCP TermAck id=0x1]
Oct 10 22:56:46 kumba pppd[32371]: Modem hangup
Oct 10 22:56:46 kumba pppd[32371]: Connection terminated.
Oct 10 22:56:48 kumba pppd[32371]: Exit.
-------------------------------------------------------------------

Much less going-on with the domain name in the chap-secrets file.  

So, I try this in /etc/ppp/chap-secrets for TEST #3:
------------------------------------------------------------------
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
LOGIC/mikesa          *       change
------------------------------------------------------------------

and get the same messages entries as TEST #2 above.

I tried capitalizing my username (same results as #2), capitalizing the
password, pretty much everything I can do with the chap-secrets
combinations.  I'm sure the username/password is correct -- to double
check, I dialed-in with my Win98 box and entered mikesa/change and it
all worked.

Man, what a pain in the ass... Once I get this (supposed to be) simple
problem overcome, I'll owe you a couple of beers if you're ever in my
part of town!!!!!

Thanks!
Mike

 
 
 

Post by Michael Saunder » Mon, 11 Oct 1999 04:00:00




: Well, Bill, now it seems like we're getting somewhere.  I'm still not logging-in
: successfully, but things are going a little different...

I got to thinking (uh oh!)... the PPP-HOWTO makes a *very* brief mention of
some kind of password encryption that they can enable on the NT end.

Do you suppose that could be my problem -- why the E=691 "username/password
not valid" errors are prevalent?

I searched the man page for pppd and also the PPP-HOWTO, and neither says
anything about enabling the NT compatible encryption on the client end.
Maybe this happens automatically... I don't know, but it is looking pretty
suspicious!

Mike

 
 
 

Post by Bill Unr » Tue, 12 Oct 1999 04:00:00



]I had considered just using CHAP, but I don't know exactly what
]to put in the secrets file.  Looking at the PPPD-HOWTO, it looks
]like I need to specify a password for the server to challenge
]as well as the other way around.  The question is, how does the
]server know what password to request from my machine?

No. Those HOWTOs assume that you want symmetric authentication, which
no ISP will do. It is just the same as the pap file
username * password *

That is it. If you need the username to have a domain use
domain/username * password *
or
'domain\\username' * password *

]Obviously, this can be done (as I have done it in Win98), but
]basically, from my viewpoint, all I know is a username and
]password pair.  I don't know anything about the servernames
]or their passwords...
Not needed.

 
 
 

Post by Brett Rus » Wed, 20 Oct 1999 04:00:00


Mike,

See the PPP FAQ at
http://metalab.unc.edu/mdw/FAQ/PPP-FAQ.html
especially section 12.2.

It looks like your problem may be that your pap-secrets username and the 'user' or 'name'
option in your options file must match exactly.  And they should both have LOGIC\\ in front of
it.  In your options file you'd have:
user "LOGIC\\mikesa"

and in pap-secrets you'd have:
# Secrets for authentication using PAP
# client                server  secret                  IP addresses
LOGIC\\mikesa   *          this_one
#micsaund                ppp0    not_this

Also try commenting out the second line in your pap-secrets file (the one for micsaund) and get
it to work with just one first.  And when you are using just one entry, you should set the
servername to '*'.  Section 13.5 in the PPP HOWTO has info on how to use 2 entries.  Basically
you'd need to add 'remotename ppp0' or 'remotename ppp1' to choose which account to use.

Hope this helps,
BR
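The matching rule described in the post above (the client field must equal the name pppd uses, '*' matches any server, and remotename picks between entries) can be checked offline before dialling. The following is an added example, not code from the thread or from pppd: a simplified model of how a secrets file is read, assuming the word rules documented in pppd(8) (a backslash quotes the next character, quotes group a word, names are case-sensitive, and the entry with the fewest wildcards wins). The file contents are constructed, and split_words and find_secret are hypothetical names.

```python
# Constructed secrets file in the pap-secrets/chap-secrets layout used in this
# thread; the secrets are placeholders.
SAMPLE_SECRETS = r"""
# client          server  secret          IP addresses
LOGIC\\mikesa     *       work-secret
micsaund          ppp0    isp-secret
"dial user"       ppp1    "two words"
"""


def split_words(line):
    """Split one secrets-file line into words.

    Assumed rules: whitespace separates words, single or double quotes group
    a word, a backslash quotes the following character (so LOGIC\\\\mikesa in
    the file is the name LOGIC\\mikesa), and # at the start of a word begins
    a comment.
    """
    words, cur, quote, escaped, started = [], [], None, False, False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = started = True
        elif quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch
            started = True
        elif ch == "#" and not started:
            break
        elif ch.isspace():
            if started:
                words.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        words.append("".join(cur))
    return words


def find_secret(secrets_text, client, server):
    """Return the secret for (client, server), or None if no entry matches.

    client is the name given with the user/name option; server is the peer
    name given with remotename. Comparison is exact and case-sensitive.
    """
    best, best_score = None, -1
    for line in secrets_text.splitlines():
        words = split_words(line)
        if len(words) < 3:
            continue
        entry_client, entry_server, secret = words[:3]
        if entry_client not in (client, "*") or entry_server not in (server, "*"):
            continue
        score = (entry_client != "*") + (entry_server != "*")
        if score > best_score:          # fewest wildcards wins
            best, best_score = secret, score
    return best


if __name__ == "__main__":
    for name, remote in [("LOGIC\\mikesa", "ras"), ("mikesa", "ras"),
                         ("logic\\mikesa", "ras"), ("micsaund", "ppp0"),
                         ("micsaund", "ppp1")]:
        print(f"{name!r:20} {remote!r:8} -> {find_secret(SAMPLE_SECRETS, name, remote)!r}")
```

A None result means no entry matches that name and peer, which is the mismatch the post above describes.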

 
 
 
