Jon Martin(jmg...@gmail.com) on 2018.03.22 13:19:51 -0600:
> On Tue, Mar 20, 2018 at 10:27:16AM +0000, Stuart Henderson wrote:
> > 
> > It's not clear from your mail, have you tried just using CHAP?
> 
> That's what I get for writing e-mails in the middle of the night.
> 
> I did try CHAP:
> 
> 22:34:31.753153 00:90:1a:a0:91:66 :MY_ROUTER: 8864 60: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 21
>      LCP: Configure-Request, Max-Rx-Unit=1460, Auth-Prot CHAP/MD5, 
> Magic-Number=217270350, Vendor-Ext
> 22:34:31.763198 :MY_ROUTER: 00:90:1a:a0:91:66 8864 41: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 21
>      LCP: Configure-Ack, Max-Rx-Unit=1460, Auth-Prot CHAP/MD5, 
> Magic-Number=217270350[|lcp]
> 22:34:31.763211 00:90:1a:a0:91:66 :MY_ROUTER: 8864 60: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 16
>      LCP: Configure-Ack, Magic-Number=1195066301, Max-Rx-Unit=1492, Vendor-Ext
> 22:34:31.774662 00:90:1a:a0:91:66 :MY_ROUTER: 8864 61: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 41
>      CHAP: Challenge, Value=dd3d7a974dad042911fa8a11302ddd441774ec674e04, 
> Name=EDTNABXTAR03[|chap]
> 22:34:31.784711 :MY_ROUTER: 00:90:1a:a0:91:66 8864 65: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 45
>      CHAP: Response, Value=82b356cfa2aa9002b8998d4215abdd13, 
> Name=myteka...@teksavvy.com[|chap]
> 22:34:44.392624 00:90:1a:a0:91:66 :MY_ROUTER: 8864 60: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 20
>      LCP: Configure-Request, Max-Rx-Unit=1452, Auth-Prot PAP, 
> Magic-Number=235537185, Vendor-Ext
> 22:34:44.402667 :MY_ROUTER: 00:90:1a:a0:91:66 8864 30: PPPoE-Session
>      code Session, version 1, type 1, id 0x0bd5, length 10
>      LCP: Configure-Nak, Auth-Prot CHAP/[|lcp]
> 
> I get a challenge, I respond, then the remote asks for PAP, which I Nak
> because I'm configured to use CHAP.  Unlike with PAP where it terminates,
> my router and the remote system will then continue this argument until I
> bring down the interface.
> 
> To me this further indicates a "double authentication": a CHAP challenge
> followed by PAP authentication.  I have no idea how to set up a config
> to answer that though.

Yes, this is possible, and OpenBSD does not support this mode.

For example, this kind of authentication is used when your DSL is run by one
company who then gets your real ISP from your username and passes the
authentication session on to the RADIUS server of your ISP. If the two ISPs
use different authentication protocols, you will see this behaviour.

/Benno
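
As an added example (not part of the original thread and not OpenBSD code), the sketch below scans a condensed copy of the trace quoted above and reports where the peer requests a different authentication protocol after an authentication exchange has already started. The one-line-per-packet layout, `TRACE`, `PEER` and `auth_changes` are assumptions made for the example.

```python
import re

# Constructed sample: the packets from the quoted trace, condensed to one line
# each as "<time> <src> <dst> <protocol>: <code>, <options>".
TRACE = """\
22:34:31.753153 00:90:1a:a0:91:66 :MY_ROUTER: LCP: Configure-Request, Max-Rx-Unit=1460, Auth-Prot CHAP/MD5
22:34:31.763198 :MY_ROUTER: 00:90:1a:a0:91:66 LCP: Configure-Ack, Max-Rx-Unit=1460, Auth-Prot CHAP/MD5
22:34:31.763211 00:90:1a:a0:91:66 :MY_ROUTER: LCP: Configure-Ack, Max-Rx-Unit=1492
22:34:31.774662 00:90:1a:a0:91:66 :MY_ROUTER: CHAP: Challenge, Name=EDTNABXTAR03
22:34:31.784711 :MY_ROUTER: 00:90:1a:a0:91:66 CHAP: Response
22:34:44.392624 00:90:1a:a0:91:66 :MY_ROUTER: LCP: Configure-Request, Max-Rx-Unit=1452, Auth-Prot PAP
22:34:44.402667 :MY_ROUTER: 00:90:1a:a0:91:66 LCP: Configure-Nak, Auth-Prot CHAP/
"""

PEER = "00:90:1a:a0:91:66"  # remote access concentrator in the trace
LINE = re.compile(r"^(\S+) (\S+) (\S+) (LCP|CHAP|PAP): ([\w-]+)(.*)$")
AUTH = re.compile(r"Auth-Prot (\w+)")


def auth_changes(trace, peer=PEER):
    """Return (time, old, new) for every peer Configure-Request that asks for
    a different auth protocol once an authentication exchange has begun."""
    requested = None    # protocol in the peer's most recent Configure-Request
    auth_seen = False   # set once any CHAP or PAP packet has been observed
    changes = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue    # ignore lines that are not in the condensed layout
        time, src, _dst, proto, code, rest = m.groups()
        if proto in ("CHAP", "PAP"):
            auth_seen = True
        elif src == peer and code == "Configure-Request":
            opt = AUTH.search(rest)
            if opt is None:
                continue
            if auth_seen and requested and opt.group(1) != requested:
                changes.append((time, requested, opt.group(1)))
            requested = opt.group(1)
    return changes


if __name__ == "__main__":
    for time, old, new in auth_changes(TRACE):
        print(f"{time}: peer switched requested auth from {old} to {new}")
```
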
