This document explains how a Linux client can establish a PPP over Ethernet (PPPoE) connection using MS-CHAP authentication. Sometimes a PPPoE server (possibly running Windows NT or 2000 Server) accepts only MS-CHAP authentication, and does not accept other authentication methods such as PAP and CHAP for security reasons.
On Debian GNU/Linux 3.0 (woody), pppd with MS-CHAP patch (pppd-2.4.1.uus-4) is installed, but it didn't work with the PPPoE server as far as I had tested.
Feb 2 21:24:21 localhost pppd[789]: pppd 2.4.1 started by root, uid 0
Feb 2 21:24:21 localhost pppd[789]: Serial connection established.
Feb 2 21:24:21 localhost pppd[789]: using channel 26
Feb 2 21:24:21 localhost pppd[789]: Using interface ppp0
Feb 2 21:24:21 localhost pppoe[790]: PADS: Service-Name: ''
Feb 2 21:24:21 localhost pppoe[790]: PPP session is 3
Feb 2 21:24:21 localhost pppd[789]: Connect: ppp0 <--> /dev/pts/2
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x88d74619> <pcomp> <accomp>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfNak id=0x1 <auth chap MD5>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfReq id=0x2 <magic 0x88d74619>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfReq id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfAck id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfAck id=0x2 <magic 0x88d74619>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP EchoReq id=0x0 magic=0x88d74619]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP EchoReq id=0x0 magic=0xe0f12d4a]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP EchoRep id=0x0 magic=0x88d74619]
Feb 2 21:24:21 localhost pppd[789]: rcvd [CHAP Challenge id=0xaa <dbb9b0fda9d8172e165ad6bee7f0aa59>, name = "server"]
Feb 2 21:24:21 localhost pppd[789]: No CHAP secret found for authenticating us to server
Feb 2 21:24:21 localhost pppd[789]: sent [CHAP Response id=0xaa <57bd3a5dc2a6ab287efe4d1ff3f437ff>, name = "username"]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP EchoRep id=0x0 magic=0xe0f12d4a]
Feb 2 21:24:24 localhost pppd[789]: sent [CHAP Response id=0xaa <57bd3a5dc2a6ab287efe4d1ff3f437ff>, name = "username"]
Feb 2 21:24:25 localhost pppd[789]: rcvd [CHAP Failure id=0xaa "\37777777604\37777777631\004\010\37777777700\37777777772\37777777777\37777777677"]
Feb 2 21:24:25 localhost pppd[789]: Remote message: M-^DM-^Y^D^HM-@M-zM-^?M-?
Feb 2 21:24:25 localhost pppd[789]: CHAP authentication failed
Feb 2 21:24:25 localhost pppd[789]: sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
Feb 2 21:24:25 localhost pppd[789]: rcvd [LCP TermReq id=0x3 "Authentication failed"]
Feb 2 21:24:25 localhost pppd[789]: sent [LCP TermAck id=0x3]
Feb 2 21:24:25 localhost pppd[789]: rcvd [LCP TermAck id=0x3]
Feb 2 21:24:25 localhost pppd[789]: Connection terminated.
The reason was a mismatch of the authentication method. The PPPoE client first proposes CHAP MD5 as the authentication method, and the PPPoE server then agrees to use CHAP MD5 even though it accepts only MS-CHAP! A simple workaround for this problem is to modify pppd to use MS-CHAP by default.
Feb 3 01:03:19 localhost pppd[6041]: pppd 2.4.1 started by root, uid 0
Feb 3 01:03:19 localhost pppd[6041]: Serial connection established.
Feb 3 01:03:19 localhost pppd[6041]: using channel 112
Feb 3 01:03:19 localhost pppd[6041]: Using interface ppp0
Feb 3 01:03:19 localhost pppd[6041]: Connect: ppp0 <--> /dev/pts/3
Feb 3 01:03:19 localhost pppoe[6042]: PADS: Service-Name: ''
Feb 3 01:03:19 localhost pppoe[6042]: PPP session is 96
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7530bdc8> <pcomp> <accomp>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfNak id=0x1 <auth chap m$oft>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfReq id=0x2 <magic 0x7530bdc8>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfReq id=0x2 <auth chap m$oft> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfAck id=0x2 <auth chap m$oft> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfAck id=0x2 <magic 0x7530bdc8>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP EchoReq id=0x0 magic=0x7530bdc8]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP EchoReq id=0x0 magic=0x6b400f1]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP EchoRep id=0x0 magic=0x7530bdc8]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CHAP Challenge id=0xb8 <f347890f0c1e0781>, name = "server"]
Feb 3 01:03:19 localhost pppd[6041]: sent [CHAP Response id=0xb8 <000000000000000000000000000000000000000000000000cb2e4b575e0c7931ce7aa2cb99020624b9a189d65cdb200001>, name = "username"]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP EchoRep id=0x0 magic=0x6b400f1]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CHAP Success id=0xb8 "\37777777604\37777777631\004\010\37777777700\37777777772\37777777777\37777777677"]
Feb 3 01:03:19 localhost pppd[6041]: Remote message: M-^DM-^Y^D^HM-@M-zM-^?M-?
Feb 3 01:03:19 localhost pppd[6041]: kernel does not support PPP filtering
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <compress VJ 0f 01>]
Feb 3 01:03:19 localhost kernel: PPP BSD Compression module registered
Feb 3 01:03:19 localhost kernel: PPP Deflate Compression module registered
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfReq id=0x1 <addr 172.31.192.2>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfAck id=0x1 <addr 172.31.192.2>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfReq id=0x1]
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfAck id=0x1]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfReq id=0x2]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfNak id=0x2 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x3 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfAck id=0x2]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfAck id=0x3 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: Cannot determine ethernet address for proxy ARP
Feb 3 01:03:19 localhost pppd[6041]: local IP address 172.31.192.105
Feb 3 01:03:19 localhost pppd[6041]: remote IP address 172.31.192.2
Feb 3 01:03:19 localhost pppd[6041]: Script /etc/ppp/ip-up started (pid 6047)
Feb 3 01:03:20 localhost pppd[6041]: Script /etc/ppp/ip-up finished (pid 6047), status = 0x1
Feb 3 01:03:39 localhost pppd[6041]: sent [LCP EchoReq id=0x1 magic=0x7530bdc8]
Feb 3 01:03:39 localhost pppd[6041]: rcvd [LCP EchoRep id=0x1 magic=0x6b400f1]
Feb 3 01:03:59 localhost pppd[6041]: rcvd [LCP EchoReq id=0x1 magic=0x6b400f1]
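An added example, not part of the original document: a short Python script that reads pppd debug lines like those in the two logs above and reports, per pppd process, the method the client counter-proposed in its ConfNak, the method finally agreed, the size of the CHAP response, and the outcome. The function names and the sample lines are constructed for illustration.

```python
import re

# pppd "debug" lines carrying an LCP or CHAP packet, e.g. "pppd[789]: sent [LCP ConfAck ...]"
PKT = re.compile(r"pppd\[(\d+)\]: (sent|rcvd) \[(LCP|CHAP) (\w+)([^\]]*)\]")

def summarize(lines):
    """Track the authentication negotiation of each pppd process, keyed by pid."""
    out = {}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        pid, way, proto, code, rest = m.groups()
        s = out.setdefault(pid, dict(peer_asked=[], we_nakd=None, agreed=None,
                                     resp_len=None, result=None))
        auth = re.search(r"<auth ([^>]+)>", rest)
        hexval = re.search(r"<([0-9a-f]+)>", rest)
        if proto == "LCP" and auth and (way, code) == ("rcvd", "ConfReq"):
            s["peer_asked"].append(auth.group(1))
        elif proto == "LCP" and auth and (way, code) == ("sent", "ConfNak"):
            s["we_nakd"] = auth.group(1)      # method the client counter-proposed
        elif proto == "LCP" and auth and (way, code) == ("sent", "ConfAck"):
            s["agreed"] = auth.group(1)       # method the client will answer with
        elif proto == "CHAP" and code == "Response" and hexval:
            s["resp_len"] = len(hexval.group(1)) // 2   # response size in bytes
        elif proto == "CHAP" and code in ("Success", "Failure"):
            s["result"] = code
    return out

def diagnose(s):
    """Flag a failure where the client's own ConfNak chose the method used."""
    if s["result"] == "Failure" and s["we_nakd"] and s["agreed"] == s["we_nakd"]:
        return "failed with client-proposed '%s'" % s["agreed"]
    return "%s with '%s'" % (s["result"], s["agreed"])

# Constructed sample modelled on the two logs above; response bytes are dummies.
SAMPLE = [
    "pppd[789]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0xe0f12d4a>]",
    "pppd[789]: sent [LCP ConfNak id=0x1 <auth chap MD5>]",
    "pppd[789]: rcvd [LCP ConfReq id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]",
    "pppd[789]: sent [LCP ConfAck id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]",
    "pppd[789]: sent [CHAP Response id=0xaa <" + "ab" * 16 + '>, name = "username"]',
    'pppd[789]: rcvd [CHAP Failure id=0xaa ""]',
    "pppd[6041]: sent [LCP ConfNak id=0x1 <auth chap m$oft>]",
    "pppd[6041]: sent [LCP ConfAck id=0x2 <auth chap m$oft> <magic 0x6b400f1>]",
    "pppd[6041]: sent [CHAP Response id=0xb8 <" + "cd" * 49 + '>, name = "username"]',
    'pppd[6041]: rcvd [CHAP Success id=0xb8 ""]',
]
for pid, s in summarize(SAMPLE).items(): print(pid, diagnose(s), s["resp_len"])
```

The response sizes match what the logs show: 16 bytes for the CHAP MD5 response and 49 bytes for the MS-CHAP one.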
The detailed procedure is explained as follows.
1. Edit /etc/ppp/chap-secrets to contain a valid username and password.
username server password
server username password
2. Edit /etc/ppp/peer/dsl-provider to contain a valid username and remotename.
An example of /etc/ppp/peer/dsl-provider is shown below.
# Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
#
# See the manual page pppd(8) for information on all the options.
##
# Section 1
#
# Stuff to configure...
# MUST CHANGE: Uncomment the following line, replacing the user@provider.net
# by the DSL user name given to you by your DSL provider.
# (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
user username
# Use the pppoe program to send the ppp packets over the Ethernet link
# This line should work fine if this computer is the only one accessing
# the Internet through this DSL connection. This is the right line to use
# for most people.
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
# If the computer connected to the Internet using pppoe is not being used
# by other computers as a gateway to the Internet, you can try the following
# line instead, for a small gain in speed:
#pty "/usr/sbin/pppoe -I eth0 -T 80"
# An even more conservative version of the previous line, if things
# don't work using -m 1452...
#pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1412"
# The following two options should work fine for most DSL users.
# Assumes that your IP address is allocated dynamically
# by your DSL provider...
noipdefault
# Comment out if you already have the correct default route installed
defaultroute
##
# Section 2
#
# Uncomment if your DSL provider charges by minute connected
# and you want to use demand-dialing.
#
# Disconnect after 300 seconds (5 minutes) of idle time.
#demand
#idle 300
##
# Section 3
#
# You shouldn't need to change these options...
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
noauth
persist
mtu 1492
remotename server
3. Apply the following patch and recompile pppd-2.4.1.uus-4.
--- pppd/lcp.c.orig Thu Mar 8 14:11:14 2001
+++ pppd/lcp.c Thu Feb 3 01:39:40 2005
@@ -327,7 +327,7 @@
wo->neg_mru = 1;
wo->mru = DEFMRU;
wo->neg_asyncmap = 1;
- wo->chap_mdtype = CHAP_DIGEST_MD5;
+ wo->chap_mdtype = CHAP_MICROSOFT;
wo->neg_magicnumber = 1;
wo->neg_pcompression = 1;
wo->neg_accompression = 1;
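Review bot: The new value on the wo->chap_mdtype line is hard-coded, so a binary built from this patch no longer has CHAP_DIGEST_MD5 as its default on any link, not only on the one to this PPPoE server. Consider making the digest type selectable at run time and leaving CHAP_DIGEST_MD5 as the compiled-in default, or at least add a comment on this line saying why the default was changed.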
@@ -337,7 +337,7 @@
ao->mru = MAXMRU;
ao->neg_asyncmap = 1;
ao->neg_chap = 1;
- ao->chap_mdtype = CHAP_DIGEST_MD5;
+ ao->chap_mdtype = CHAP_MICROSOFT;
ao->neg_upap = 1;
ao->neg_magicnumber = 1;
ao->neg_pcompression = 1;
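Review bot: In the ao block the context line ao->neg_upap = 1 is left unchanged right below the new CHAP_MICROSOFT default, so this hunk does nothing to limit the client to MS-CHAP; if that is the intent, say so in a comment and handle the upap setting as well. The same constant is now assigned in two places (wo->chap_mdtype and ao->chap_mdtype), so a single macro for the default digest type would keep the two from drifting apart.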