Solved

Disable CHAP for RRAS

Posted on 1998-08-19
Last Modified: 2013-12-28
I'm currently testing the RRAS in combination with Shiva Access Manager and ACE client from Security Dynamics. The problem that I currently have is that the client and server are always using CHAP for authentication. The ACE client will not work with CHAP but will work with PAP because the ACE server requests a unique password.

Does anyone know how to force client and server to use PAP instead of CHAP?

Greetings,
Guido
Question by:deenej1
LVL 8

Accepted Solution

by:
wayneb earned 100 total points
ID: 1790068
Have a shot at this document; I think that it explains how to do it.

How to Force Routing and Remote Access to Use PAP
Last reviewed: July 28, 1998
Article ID: Q172216
 
 


--------------------------------------------------------------------------------

The information in this article applies to:
Microsoft Windows NT Server version 4.0
Microsoft Routing and Remote Access Service Update for Windows NT Server 4.0


SUMMARY
This article discusses the method for forcing a Routing and Remote Access (RRAS) server for Windows NT 4.0 to authenticate RAS clients using PAP instead of CHAP, SPAP, or MS-CHAP. This may be necessary, depending on your RAS clients or some third-party authentication solutions.



MORE INFORMATION
If your RRAS server is configured to "Allow any authentication including clear text," a RAS client is able to connect with PAP, SPAP, CHAP, or MS-CHAP, depending on what the client supports. Normally, a Microsoft RAS client will attempt to connect with CHAP or MS-CHAP, if that is valid for the RAS server to which it is connecting.

To force a RAS client to use PAP, you must delete the SPAP and CHAP registry keys from your RAS Server using the following steps:

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.


1. Start Registry Editor (Regedt32.exe).

2. Go to the following subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP

3. Click SPAP, click Edit, and click Delete.

4. Click Yes to confirm the deletion.

5. Click CHAP, click Edit, and click Delete.

6. Click Yes to confirm the deletion.

7. Close Registry Editor and stop and restart the Routing and Remote Access Service.

NOTE: This will not work on normal Windows NT RAS servers, only Windows NT 4.0 RAS servers that have Routing and Remote Access installed. If you delete these registry keys on a normal RAS server, the RAS services will fail to start after you restart.

The following two scenarios require the above steps to force RAS clients to use PAP authentication:

You are using a PPP client that can only use PAP, but does not notify the RAS server that it needs to use PAP during the LCP negotiation.
-or-

You are using the new Radius client included in the Routing and Remote Access Service Update. Many Radius servers do not accept the attribute 60 CHAP Challenge that the Radius Client sends to the Radius server when authenticating a RAS client using CHAP. This is a valid attribute according to RFC 2058: "Remote Authentication Dial In User Service (RADIUS)"; however, many older Radius servers cannot handle this newer attribute.
 
Good luck, be careful using regedit
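To confirm which method the server offers before and after the registry change, read the Authentication-Protocol option (type 3) in its LCP Configure-Request from a PPP trace. The Python below is an added example, not part of the original thread or the Microsoft article; it parses that option from raw LCP bytes, and the two sample packets are constructed rather than captured.

```python
import struct

# PPP protocol numbers carried in LCP option 3 (Authentication-Protocol)
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC027: "SPAP", 0xC223: "CHAP"}
# Algorithm byte that follows 0xC223 in the option data
CHAP_ALGORITHMS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}


def lcp_auth_protocol(packet: bytes):
    """Return (lcp_code_name, auth_name) for an LCP Configure-* packet.

    auth_name is None when no Authentication-Protocol option is present.
    Raises ValueError on truncated or malformed input.
    """
    if len(packet) < 4:
        raise ValueError("LCP header truncated")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in LCP_CODES or length < 4 or length > len(packet):
        raise ValueError("not a well-formed LCP Configure-* packet")
    options = packet[4:length]
    pos, auth = 0, None
    while pos < len(options):
        if pos + 2 > len(options):
            raise ValueError("option header truncated")
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError("bad option length")
        data = options[pos + 2:pos + opt_len]
        if opt_type == 3:
            if len(data) < 2:
                raise ValueError("Authentication-Protocol option too short")
            proto = struct.unpack("!H", data[:2])[0]
            auth = AUTH_PROTOCOLS.get(proto, f"unknown 0x{proto:04x}")
            if proto == 0xC223 and len(data) >= 3:
                auth = CHAP_ALGORITHMS.get(
                    data[2], f"CHAP (algorithm 0x{data[2]:02x})")
        pos += opt_len
    return LCP_CODES[code], auth


# Constructed sample Configure-Requests (not captured traffic):
# header, Authentication-Protocol option, Magic-Number option
BEFORE = bytes.fromhex("0101000f" "0305c22380" "0506deadbeef")  # offers MS-CHAP
AFTER = bytes.fromhex("0101000e" "0304c023" "0506deadbeef")     # offers PAP
```

After the keys are deleted and the service restarted, the server's Configure-Request should decode as PAP, which also means the password crosses the link in clear text.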
 

Author Comment

by:deenej1
ID: 1790069
This seems to work but now my client still comes with an additional login after my SecurID authentication. It just asks for a user-id and password.
I've tried to type in my username and SecurID code but this doesn't work.
Do you have any clue about this?

 
LVL 8

Expert Comment

by:wayneb
ID: 1790070
Have you updated to the newest RRAS? There is a hotfix available:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp3/rras20-fix/

This is the second hotfix for this product; the above line is wrapped but should be one line. I would try the hotfix, as I am sure it fixes many problems. It is a little over a meg download but may be worth a shot. It was released 5-22-98, so it is fairly new.
 
LVL 8

Expert Comment

by:wayneb
ID: 1790071
Here is the link to the RRAS update site:
http://www.microsoft.com/communications/routing&ras.htm