Eric Rosenquist rosenqui@strataware.com
(updated by Paul Mackerras)
+(updated by Al Longyear)
+(updated by Farrell Woods)
INTRODUCTION
BUILDING THE PPPD
MS-CHAP uses a combination of MD4 hashing and DES encryption for
-authentication. You'll need to get Eric Young's libdes library in
-order to use my MS-CHAP extensions. You can find it in:
+authentication. You may need to get Eric Young's libdes library in
+order to use my MS-CHAP extensions. A lot of UNIX systems already
+have DES encryption available via the crypt(3), encrypt(3) and
+setkey(3) interfaces. Some may (such as that on Digital UNIX)
+provide only the encryption mechanism and will not perform
+decryption. This is okay. We only need to encrypt to perform
+MS-CHAP authentication.
+
+If you have encrypt/setkey available, then hopefully you need only
+define these two things in your Makefile: -DUSE_CRYPT and -DCHAPMS.
+Skip the paragraphs below about obtaining and building libdes. Do
+the "make clean" and "make" as described below. Linux users
+should not need to modify their Makefiles. Instead,
+just do "make CHAPMS=1 USE_CRYPT=1".
+
+If you don't have encrypt and setkey, you will need Eric Young's
+libdes library. You can find it in:
ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au/DES/libdes-3.06.tar.gz
also. Get the library, build and test it on your system, and install
it somewhere (typically /usr/local/lib and /usr/local/include).
+
+
You should now be ready to (re)compile the PPPD. Go to the pppd
subdirectory and make sure the Makefile contains "-DCHAPMS" in the
CFLAGS or COMPILE_FLAGS macro, and that the LIBS macro (or LDADD for
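Review bot: the USE_CRYPT path added at the top of this hunk tells the reader to skip the libdes paragraphs, but the unchanged text right after it still says to check the LIBS macro (or LDADD), and nothing in the new paragraphs says what that macro should contain when encrypt/setkey are used instead of libdes. State the link requirement for the USE_CRYPT case next to the "-DUSE_CRYPT and -DCHAPMS" sentence, and say where the reader should resume after skipping. Two smaller points: "Some may (such as that on Digital UNIX)" has no clear antecedent for "that", and the hunk ends by adding two consecutive blank lines where one would do.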
don't send their system name in the CHAP challenge packet.
+E=691 (AUTHENTICATION_FAILURE) ERRORS WHEN YOU HAVE THE VALID SECRET (PASSWORD)
+
+If your RAS server is not the domain controller and is not a 'stand-alone'
+server then it must make a query to the domain controller for your domain.
+
+You need to specify the domain name with the user name when you attempt to
+use this type of a configuration. The domain name is specified with the
+local name in the chap-secrets file and with the option for the 'name'
+parameter.
+
+For example, the previous example would become:
+
+ DialupNT domain\\customer47 foobar
+ domain\\customer47 DialupNT foobar
+
+and
+
+ pppd name 'domain\\customer47' remotename DialupNT <other options>
+
+or add:
+
+ name domain\\customer47
+ remotename DialupNT
+
+when the Windows NT domain name is simply called 'domain'.
+
+
TROUBLESHOOTING
Assuming that everything else has been configured correctly for PPP and
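Review bot: the doubled backslash in domain\\customer47 is shown identically in the chap-secrets lines, in the single-quoted pppd command line and in the lines under "or add:", with no explanation of why it is doubled. Inside single quotes the shell passes both backslashes through unchanged, so the command-line form may not yield the same name as the file forms; please confirm that each form results in a single backslash in the name sent to the server, and say so in the text. "or add:" should also name the file the two lines go into, and "the previous example" depends on text outside this hunk, so a short reminder of which entry is being modified would help.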
(system byte ordering may be a problem) or my code is screwing up. I've
only got access to a Linux system, so you're on your own for anything else.
+Another thing that might cause problems is that some RAS servers won't
+respond at all to LCP config requests without seeing the word "CLIENT"
+from the other end. If you see pppd sending out LCP config requests
+without getting any reply, try putting something in your chat script
+to send the word CLIENT after the modem has connected.
+
If everything compiles cleanly, but fails at authentication time, then
it might be a case of the MD4 or DES code screwing up. The following
small program can be used to test the MS-CHAP code to see if it
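Review bot: "try putting something in your chat script to send the word CLIENT" in the added paragraph is too vague to act on. Show the chat script entry itself and say where it belongs relative to the modem's connect response. It would also help to say where the reader can see that LCP config requests are going unanswered, since the paragraph uses that as the symptom.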
int main(argc, argv)
int argc;
- char *argv[0];
+ char *argv[];
{
u_char challenge[8];
int challengeInt[sizeof(challenge)];
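Review bot: the change from char *argv[0] to char *argv[] is right, but main is still declared in old K&R style, int main(argc, argv) with separate parameter declarations. Since the declaration is being touched anyway, consider int main(int argc, char *argv[]) so the test program builds cleanly with compilers that warn on or reject old-style definitions.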