Not odd at all actually.

> Look at the LCP_CONFIGURE_REQUEST with ID 32. The Gandalf is clearly
> asking for PAP authentication. Next, the PM3 sends a LCP_CONFIGURE_NAK to
> using CHAP. Huh? Where did that come from? Is that right?

Yes. Remember in a NAK you don't send what you are rejecting, but what you
want to do instead. What is happening here is that the Gandalf wants to
auth the PM-3! PMs do not support PAP back to a dialin client - period. So
it is rejecting that and suggesting CHAP, which it *can* do. But that is
a special configuration, which you haven't done, so it is failing at the
auth stage - when it can't find the CHAP user.

The thing is, this is really stupid. The Gandalf is calling the PM-3, it
doesn't have a good reason to ask the PM to authenticate itself. Get the
Gandalf to stop doing this and the problem is solved. Or check the manuals
for the configuration for CHAP back to a dial in client.

I think you missed that PPP is bidirectional. They are negotiating PAP
to auth the Gandalf to the PM-3, and that is working. But the Gandalf is
insisting on the PM-3 authing as well - and only CHAP is supported for that.

BTW, the reason it doesn't support PAP is that it means the PM-3 would transmit
a cleartext password to the dial in client. And ANY dialin client, including
an attacker, could make it do so with a PPP attempt. BAD.

-MZ
--
<URL:mailto:megazone@megazone.org> Gweep, Discordian, Author, Engineer, me..
Join ISP/C Internet Service Providers' Consortium <URL:http://www.ispc.org/>
"A little nonsense now and then, is relished by the wisest men" 781-788-0130
<URL:http://www.megazone.org/> <URL:http://www.gweep.net/> Hail Discordia!
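
The Configure-Request / Configure-Nak exchange discussed in the message above, decoded in an added example that is not part of the original post. The packet bytes are constructed from the standard LCP option encodings (Authentication-Protocol option 3, PAP 0xc023, CHAP 0xc223) with the ID 32 mentioned in the thread; they are not the poster's trace, and the function names are hypothetical.

```python
import struct

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}
OPT_AUTH_PROTOCOL = 3

def parse_lcp(pkt: bytes):
    """Return (code_name, identifier, {option_type: option_data})."""
    if len(pkt) < 4:
        raise ValueError("short LCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    options, pos = {}, 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[pos], pkt[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        options[opt_type] = pkt[pos + 2:pos + opt_len]
        pos += opt_len
    return LCP_CODES.get(code, f"code {code}"), ident, options

def auth_meaning(pkt: bytes) -> str:
    """Say what the Authentication-Protocol option means for this packet type."""
    name, ident, options = parse_lcp(pkt)
    data = options.get(OPT_AUTH_PROTOCOL)
    if data is None or len(data) < 2:
        return f"{name} id={ident}: no Authentication-Protocol option"
    value = struct.unpack("!H", data[:2])[0]
    proto = AUTH_PROTOS.get(value, f"0x{value:04x}")
    if name == "Configure-Request":
        # The option describes how the sender wants its PEER to authenticate.
        return f"{name} id={ident}: sender wants its peer to authenticate using {proto}"
    if name == "Configure-Nak":
        # A Nak carries the value the Nak sender would accept, not the refused one.
        return f"{name} id={ident}: sender refuses the requested value and offers {proto} instead"
    return f"{name} id={ident}: Authentication-Protocol {proto}"

# Constructed sample packets (not captured from the thread's equipment).
REQUEST_PAP = bytes.fromhex("012000080304c023")    # Request, id 32, auth = PAP
NAK_CHAP = bytes.fromhex("032000090305c22305")     # Nak, id 32, auth = CHAP, MD5

if __name__ == "__main__":
    for pkt in (REQUEST_PAP, NAK_CHAP):
        print(auth_meaning(pkt))
```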