Solved

CHAP rejection

Posted on 1997-11-14
Last Modified: 2010-08-05
I ask any knowledgeable person to help me in determining why my Linux box is rejecting CHAP authentication from my employer's server box. I have all necessary files including chap-secrets.
Please note the different(?) ID for CHAP authentication in the Win95 log file below but not in the Linux log.
My system:
RedHat 4.2
Kernel 2.0.3
PPP 2.2.0

Thank you
Jacek Nowak

1. PPPlog from Linux

Nov  9 20:34:07 localhost pppd[2066]: pppd 2.2.0 started by root, uid
0
Nov  9 20:34:09 localhost chat[2069]: timeout set to 10 seconds
Nov  9 20:34:09 localhost chat[2069]: abort on (ERROR)
Nov  9 20:34:09 localhost chat[2069]: abort on (BUSY)
Nov  9 20:34:09 localhost chat[2069]: abort on (NO CARRIER)
Nov  9 20:34:09 localhost chat[2069]: abort on (NO DIALTONE)
Nov  9 20:34:09 localhost chat[2069]: report (CARRIER)
Nov  9 20:34:09 localhost chat[2069]: report (CONNECT)
Nov  9 20:34:09 localhost chat[2069]: send (AT^M)
Nov  9 20:34:09 localhost chat[2069]: expect (OK)
Nov  9 20:34:09 localhost chat[2069]: AT^M^M
Nov  9 20:34:09 localhost chat[2069]: OK -- got it
Nov  9 20:34:09 localhost chat[2069]: send (AT&Fw2^M)
Nov  9 20:34:09 localhost chat[2069]: expect (OK)
Nov  9 20:34:09 localhost chat[2069]: ^M
Nov  9 20:34:09 localhost chat[2069]: AT&Fw2^M^M
Nov  9 20:34:09 localhost chat[2069]: OK -- got it
Nov  9 20:34:09 localhost chat[2069]: send (atdt<phone number>^M)
Nov  9 20:34:09 localhost chat[2069]: timeout set to 60 seconds
Nov  9 20:34:09 localhost chat[2069]: expect (CONNECT)
Nov  9 20:34:09 localhost chat[2069]: ^M
Nov  9 20:34:27 localhost chat[2069]: atdt<phone number>^M^M
Nov  9 20:34:27 localhost pppd[2066]: Serial connection established.
Nov  9 20:34:27 localhost chat[2069]: CONNECT -- got it
Nov  9 20:34:27 localhost chat[2069]: send ()
Nov  9 20:34:28 localhost pppd[2066]: Using interface ppp0
Nov  9 20:34:28 localhost pppd[2066]: Connect: ppp0 <--> /dev/modem
Nov  9 20:34:28 localhost pppd[2066]: sent [LCP ConfReq id=0x1 <mru
1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x27 <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]
Nov  9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x27 <auth
chap md5 00>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfAck id=0x1 <mru
1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x28 <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]
Nov  9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x28 <auth
chap md5 00>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x29 <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]
Nov  9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x29 <auth
chap md5 00>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x2a <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]

THIS REPEATS 6 MORE TIMES

Nov  9 20:34:30 localhost pppd[2066]: sent [LCP ConfRej id=0x31 <auth
chap md5 00>]
Nov  9 20:34:31 localhost pppd[2066]: sent [LCP ConfReq id=0x1 <mru
1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]
Nov  9 20:34:31 localhost pppd[2066]: rcvd [LCP ConfAck id=0x1 <mru
1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]
Nov  9 20:34:33 localhost pppd[2066]: Hangup (SIGHUP)
Nov  9 20:34:33 localhost pppd[2066]: Modem hangup
Nov  9 20:34:33 localhost pppd[2066]: Connection terminated.
Nov  9 20:34:34 localhost pppd[2066]: Exit.


2. PPPlog from Win95 Dialup Networking

11-12-1997 12:25:40.08 - Remote access driver log opened.  
11-12-1997 12:25:40.08 - Installable CP VxD SPAP     is loaded
11-12-1997 12:25:40.08 - Server type is  PPP (Point to Point
Protocol).  
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol 80fd (CCP) to
control protocol chain.
11-12-1997 12:25:40.08 - FSA : Protocol not bound - skipping control
protocol 803f (NBFCP).
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol 8021 (IPCP) to
control protocol chain.
11-12-1997 12:25:40.08 - FSA : Protocol not bound - skipping control
protocol 802b (IPXCP).
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol c029
(CallbackCP) to control protocol chain.
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol c027 (no
description) to control protocol chain.
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol c023 (PAP) to
control protocol chain.
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol c223 (CHAP) to
control protocol chain.
11-12-1997 12:25:40.08 - FSA : Adding Control Protocol c021 (LCP) to
control protocol chain.
11-12-1997 12:25:40.08 - LCP : Callback negotiation enabled.
11-12-1997 12:25:40.08 - LCP : Layer started.
11-12-1997 12:25:41.11 - LCP : Received and accepted MRU of 2048.
11-12-1997 12:25:41.11 - LCP : Received and accepted ACCM of 0.  
11-12-1997 12:25:41.11 - LCP : NAK authentication protocol 23c2 with
protocol c223 (CHAP).
11-12-1997 12:25:41.11 - LCP : Naking possibly loopback magic number.

11-12-1997 12:25:41.11 - LCP : Received configure reject for callback
control protocol option.
11-12-1997 12:25:41.23 - LCP : Received and accepted MRU of 2048.
11-12-1997 12:25:41.23 - LCP : Received and accepted ACCM of 0.
11-12-1997 12:25:41.23 - LCP : NAK authentication protocol 23c2 with
protocol c223 (CHAP).
11-12-1997 12:25:41.23 - LCP : Naking possibly loopback magic number.
11-12-1997 12:25:41.34 - LCP : Received and accepted MRU of 2048.
11-12-1997 12:25:41.34 - LCP : Received and accepted ACCM of 0.  
11-12-1997 12:25:41.34 - LCP : NAK authentication protocol 23c2 with
protocol c223 (CHAP).
11-12-1997 12:25:41.34 - LCP : Naking possibly loopback magic number.

THIS REPEATS 6 MORE TIMES

11-12-1997 12:25:48.77 - Remote access driver is shutting down.
11-12-1997 12:25:48.77 - CRC Errors             0
11-12-1997 12:25:48.77 - Timeout Errors         0
11-12-1997 12:25:48.77 - Alignment Errors       0
11-12-1997 12:25:48.77 - Overrun Errors         0
11-12-1997 12:25:48.77 - Framing Errors         0
11-12-1997 12:25:48.77 - Buffer Overrun Errors  0
11-12-1997 12:25:48.77 - Incomplete Packets     0
11-12-1997 12:25:48.77 - Bytes Received         498
11-12-1997 12:25:48.77 - Bytes Transmittted     449
11-12-1997 12:25:48.77 - Frames Received        13
11-12-1997 12:25:48.77 - Frames Transmitted     13
11-12-1997 12:25:48.77 - Remote access driver log closed.
Question by:jnowak
5 Comments
 
LVL 3

Expert Comment

by:sauron
Microsoft use a hacked authentication protocol they refer to as MS-CHAP. It is not CHAP, nor is it compatible with CHAP.

Change the security on your Windows box to allow any authentication, even clear text. If this works, step security up gradually until it gets as good as you can make it while things still work.

You could try complaining to MS about their shitty implementation of standard protocols too, of course, but I doubt you'll get far......

0
 

Author Comment

by:jnowak
I am sorry sauron but your answer is not explaining the problem.
The question was: Why is my Linux box (not Win box) rejecting CHAP authentication protocol? I have included windows log file to demonstrate how differently they call supposedly the same authentication protocol. Take a close look at both log files.

PS. I am not going to try to start complaining to Microsoft. Would you?
0
 
LVL 1

Accepted Solution

by:
Belar earned 200 total points
Here you receive a Confirmation Request (ConfReq) from the provider:

  Nov 9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x29 <mru 2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp> <accomp>]

which is rejected (ConfRej) here by your Linux box (at least the CHAP part; the MRU and asyncmap have been acknowledged before):

  Nov 9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x29 <auth chap md5 00>]

Here we send our magic and setup:

  Nov 9 20:34:31 localhost pppd[2066]: sent [LCP ConfReq id=0x1 <mru 1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]

which is properly accepted (ConfAck) by the provider:

  Nov 9 20:34:31 localhost pppd[2066]: rcvd [LCP ConfAck id=0x1 <mru 1500> <asyncmap 0x0> <magic 0xca2910b1> <pcomp> <accomp>]

Since CHAP requires that both host and client authenticate, and it doesn't, the connection is refused. This is WHY Linux is rejecting CHAP authentication.
If I were you, I'd check to see if the user and magic are OK for the provider part. I'd also check with the provider whether they use MS-CHAP or plain CHAP.
0
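The answer above pairs each received ConfReq with the ConfRej sent back. As an added example (not part of the thread), the following Python does that pairing over an excerpt of the pppd log from the question and counts which of the peer's options the local pppd refused. The function names are hypothetical, and it assumes the pppd debug line format shown on this page.

```python
import re
from collections import Counter

# Excerpt of the pppd log posted in the question, hard-wrapped as on the page.
SAMPLE = """\
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x27 <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]
Nov  9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x27 <auth
chap md5 00>]
Nov  9 20:34:29 localhost pppd[2066]: rcvd [LCP ConfReq id=0x28 <mru
2048> <asyncmap 0x0> <auth chap md5 00> <magic 0x2f6e5df0> <pcomp>
<accomp>]
Nov  9 20:34:29 localhost pppd[2066]: sent [LCP ConfRej id=0x28 <auth
chap md5 00>]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PKT = re.compile(r"pppd\[\d+\]: (sent|rcvd) \[LCP (Conf\w+) id=(0x[0-9a-f]+)(.*)\]")

def unwrap(text):
    """Join hard-wrapped continuation lines onto their syslog record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Yield (direction, code, packet id, [options]) for each LCP packet."""
    for rec in unwrap(text):
        m = PKT.search(rec)
        if m:
            opts = re.findall(r"<([^>]+)>", m.group(4))
            yield m.group(1), m.group(2), int(m.group(3), 16), opts

def rejected_by_local(text):
    """Count peer-requested options that the local pppd answered with ConfRej."""
    peer_reqs, rejected = {}, Counter()
    for direction, code, pid, opts in parse(text):
        if direction == "rcvd" and code == "ConfReq":
            peer_reqs[pid] = opts          # remember what the peer asked for
        elif direction == "sent" and code == "ConfRej" and pid in peer_reqs:
            rejected.update(o for o in opts if o in peer_reqs[pid])
    return rejected
```

A count that keeps rising for the same option, as it does here for the auth option, means the peer re-sends the request unchanged after every reject, so the negotiation cannot converge.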
 
LVL 1

Expert Comment

by:Belar
Also, both sides don't seem to agree on what authentication protocol to use.
 
0
 

Author Comment

by:jnowak
Belar, Thanks for the answer, I am going to accept it although it does not help me at all. As you can see both of them are trying to use CHAP MD5 (linux log) but for some reason it is rejected by my box. If you look closely at the windows log they call CHAP protocol differently: my box calls it c223 and the other 23c2. Please take a look at it again and help me if you can.
Jacek
PS. my e-mail is jnowak@webster.sk.ca
0
