Ah! I see now. I thought that a NAK was for what it didn't like.
> The thing is, this is really stupid. The Gandalf is calling the PM-3, it
> doesn't have a good reason to ask the PM to authenticate itself. Get the
> Gandalf to stop doing this and the problem is solved. Or check the manuals
> for the configuration for CHAP back to a dial in client.
>
> I think you missed that PPP is bidirectional. They are negotiating PAP
> to auth the Gandalf to the PM-3, and that is working. But the Gandalf is
> insisting on the PM-3 authing as well - and only CHAP is supported for that.
>
I'll have to scratch my head a little more with that one.
> BTW, the reason it doesn't support PAP is that means the PM-3 would transmit
> a cleartext password to the dial in client. And ANY dialin client, including
> an attacker, could make it do so with a PPP attempt. BAD.
>
It makes sense now.
I have this thing accepting calls from the PM3, it's when the Gandalf
calls the PM3 that's the problem. This is probably the source of the problem.
Hmmm... A somewhat related question: when a location is configured for
dial on demand, does the PM3 (configured to use OSPF) broadcast a route for that
location? I'm thinking it must, or how would the router know where to send
traffic for the location?
Now, suppose I have 2 PM3s (ComOS 3.8.2) and 4 PRIs. I have only one
telephone # for all four PRIs. My original thinking was that I would configure
the dialout on the second PM3 because there's a strong chance that there would
not be any ports available on the first PM3.
If the second PM3 broadcasts a route, what would happen if the Gandalf
connects on the first PM3? I'm thinking that it's something bad.
Given this scenario, do all the dialout locations need to be on the first
PM3?
Thanks for all the help! These Gandalfs are good as bridges, but their
routing capabilities leave much to be desired.
Chris...
--
What's the point? An NT server can be run by an idiot, and usually is.
PGP fingerprint: 063FCE320681C336 78C164FC9B2F91EA
-
To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
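The point in the quoted reply about PAP sending a cleartext password while CHAP does not, shown as an added example that is not part of the original message. It builds a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994) for the same secret; the secret, challenge and the peer name `pm3` are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real configuration.
SECRET = b"constructed-shared-secret"
CHALLENGE = bytes(range(16))  # a real authenticator uses fresh random bytes

def _packet(code: int, ident: int, body: bytes) -> bytes:
    """Common PAP/CHAP header: code, identifier, 16-bit total length."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): the password goes on the wire as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(1, ident, body)

def chap_response(ident: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response (code 2): value = MD5(identifier || secret || challenge)."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return _packet(2, ident, bytes([len(digest)]) + digest + name)

def chap_verify(response: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the digest for the challenge it issued."""
    if len(response) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != 2 or length != len(response):
        return False
    size = response[4]
    value = response[5:5 + size]
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(value, expected)

if __name__ == "__main__":
    pap = pap_authenticate_request(1, b"pm3", SECRET)
    chap = chap_response(1, b"pm3", SECRET, CHALLENGE)
    print("secret visible in PAP request: ", SECRET in pap)
    print("secret visible in CHAP response:", SECRET in chap)
    print("CHAP response verifies:         ", chap_verify(chap, SECRET, CHALLENGE))
```

Whoever receives the PAP request reads the password directly from the packet, while the CHAP response is only valid for the one challenge and identifier it answers.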