Matthew Braithwaite writes: > > So that's screwey if you're doing MPPE encryption because which > > authentication do you use to generate the MPPE keys?? Apparently > > we are using the wrong one. In any case, we can't use the first > > one because we'd need the yes/no response to generate MPPE keys > > from CHAP MSOFTv2 authentication. > > Let me see if I understand: a key used in CHAP authentication is also > used for MPPE. However, I authenticate twice, once using CHAP MSOFTv2 > and once using CHAP MSOFTv2 -- and you think mpd is choosing the MPPE > key from the wrong one of these two authentications?
Once using MSOFTv2 and then a second time using MSOFTv1. According to RFC 3079, you should generate the keys from the first authentication. However, this is impossible because your server is never completing that authentication. > Is there a way to fix this in mpd? According to the manual you *have* > to use CHAP MSOFTv2 to use MPPE, so I'd think it'd be okay to > categorically ignore -- for MPPE purposes -- any key obtained through > a CHAP MSOFTv1 authentication. The manual is wrong; you can generate keys from MSOFTv1 or MSOFTv2. See RFC 3079. > Can I force mpd to speak *only* CHAP MSOFTv2? I don't find any such > option in the manual, unfortunately. No, that needs to be added... -Archie __________________________________________________________________________ Archie Cobbs * Packet Design * http://www.packetdesign.com To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
