
Re: [lwip-users] PPP MPPE "Optional" Support


From: Greg Smith
Subject: Re: [lwip-users] PPP MPPE "Optional" Support
Date: Fri, 12 Aug 2016 14:38:51 +0000

Hi, Sylvain.

> -----Original Message-----
> From: lwip-users
> On Behalf Of Sylvain Rochet
> Sent: Thursday, 11 August 2016 19:05
> On Thu, Aug 11, 2016 at 12:48:19AM +0000, Greg Smith wrote:
> >
> > I have a follow-on question. Below I said I was able to connect with
> > MSCHAPv2 or no authentication. I think I was actually not
> > authenticating in either case. So... Is there a way to have PPP try
> > authentication first before giving up and trying no authentication?
> > (This may be a violation of LCP, I'm not sure. It just seems like it
> > should/could be a negotiable option.)
>
> I'm not sure that's possible; even if the protocol might allow it in some way
> (which I doubt), it is not supported in the wild: neither pppd nor lwIP is
> able to try auth with different auth protocols. One auth protocol is chosen once
> and for all, and it will either succeed or fail. That would be a downgrade attack
> vector anyway, and this is why PPPAUTHTYPE_ANY shouldn't be used.

It was a long shot. Reading through various pppd documentation, there doesn't seem to be a way to force anything. Instead, you can just disallow certain options with the peer. (I.e. I can't force MSCHAPv2 on one side, but I can disallow CHAP, MSCHAP, and PAP, for example, which _almost_ implicitly forces MSCHAPv2.) (Unfortunately, there's no way that I've found to disallow no auth, so nothing is still acceptable if the other peer allows it.)

> > If I set ppp_set_auth_required(, 0);, then I think it always connects
> > with no auth, regardless of what I've set in ppp_set_auth().
>
> ppp_set_auth_required(, 0) only sets that the -peer- is not required to
> authenticate. It has no influence whatsoever on whether the peer is going to ask
> -us- to authenticate.
>
>
> > If I set ppp_set_auth_required(, 1);, then it refuses the peers that
> > don't support auth at all.
>
> Of course, because we then require the peer to authenticate. This option is
> mostly used on a PPP server listener, where we want the incoming PPP session to
> authenticate; asking the server to authenticate is less common.

Understood, and is what I've found in practice. I wanted to verify that I wasn't missing something.


> Anyway, what you could do is to write this state machine outside, which would
> give something like this:
>
>
> begin;
>
> try with MSCHAPv2 + MPPE;
>
> if != PPPERR_NONE is returned:
> try without AUTH;
>
> loop;
>
>
> This would also make the PPP_MPPE_ALLOW_CLEARTEXT idea useless.

Yes, don't spend time on the PPP_MPPE_ALLOW_CLEARTEXT option. That sounds like a lot of work and peculiarity to lwIP that I'd like to avoid.

But I will try something like the loop and see if I can make it work. It sounds like a pretty simple idea, which I like! When I can get some testing on new and old, and if it works, I'll post back to let the community know.

Thanks again for your ideas; this is a great help.
-- G
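The "try MSCHAPv2 + MPPE, then fall back to no auth, loop" state machine Sylvain sketches above, written out as an added example. This is not lwIP code and not code from either poster: the PPPERR_* values are constructed stand-ins (the real ones live in lwip/ppp.h), the link is driven through a simulated `link_try_fn` instead of a real `ppp_pcb`, and the comments mapping each profile to `ppp_set_auth()` / `ppp_set_mppe()` / `ppp_set_auth_required()` / `ppp_connect()` are assumptions about how a port would wire it up. The loop keeps the downgrade explicit: the cleartext profile is only tried after the authenticated one fails, it is gated by a compile-time policy knob, and a session that ends up unauthenticated is reported.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for lwIP's PPPERR_* codes so this builds without lwIP. */
enum ppp_err { PPPERR_NONE = 0, PPPERR_AUTHFAIL = 1, PPPERR_CONNECT = 2 };

/* The two link profiles the outer loop alternates between. In a real port
 * (assumed mapping) PROFILE_MSCHAPV2_MPPE would do ppp_set_auth(pcb,
 * PPPAUTHTYPE_MSCHAP_V2, user, pass) + ppp_set_mppe(pcb, PPP_MPPE_ENABLE),
 * and PROFILE_NO_AUTH would do ppp_set_auth(pcb, PPPAUTHTYPE_NONE, ...) with
 * MPPE disabled; both leave ppp_set_auth_required(pcb, 0) for a client. */
enum link_profile { PROFILE_MSCHAPV2_MPPE = 0, PROFILE_NO_AUTH = 1 };

/* Policy knob: 0 means the loop never tries the cleartext profile and just
 * retries the encrypted one; 1 reproduces the fallback from the thread. */
#define ALLOW_CLEARTEXT_FALLBACK 1

/* Upper bound on attempts so "loop;" cannot spin forever against a dead peer. */
#define MAX_ATTEMPTS 16

/* Simulated link: configure the pcb for one profile, call ppp_connect(), and
 * block until the status callback reports a PPPERR code. */
typedef enum ppp_err (*link_try_fn)(enum link_profile profile, void *ctx);

struct connect_log {
    enum link_profile tried[MAX_ATTEMPTS];  /* profile used on each attempt */
    int count;                              /* attempts made */
    int downgraded;                         /* 1 if we connected without auth */
};

/* Choose the profile for the next attempt after a failure: strong first, then
 * (if policy allows) cleartext, then back to strong. */
enum link_profile next_profile(enum link_profile prev)
{
    if (prev == PROFILE_MSCHAPV2_MPPE && ALLOW_CLEARTEXT_FALLBACK)
        return PROFILE_NO_AUTH;
    return PROFILE_MSCHAPV2_MPPE;
}

/* The outer state machine: begin; try MSCHAPv2+MPPE; on error try without
 * auth; loop. Returns PPPERR_NONE on success, the last error otherwise. */
enum ppp_err ppp_connect_loop(link_try_fn link_try, void *ctx, struct connect_log *log)
{
    enum link_profile profile = PROFILE_MSCHAPV2_MPPE;
    enum ppp_err err = PPPERR_CONNECT;
    memset(log, 0, sizeof *log);
    while (log->count < MAX_ATTEMPTS) {
        log->tried[log->count++] = profile;
        err = link_try(profile, ctx);
        if (err == PPPERR_NONE) {
            log->downgraded = (profile == PROFILE_NO_AUTH);
            if (log->downgraded)
                fprintf(stderr, "warning: PPP link is up without authentication or MPPE\n");
            return PPPERR_NONE;
        }
        profile = next_profile(profile);
    }
    return err;
}

/* Constructed peer model for stand-alone runs: bit i set means the remote
 * side accepts profile i. */
struct fake_peer { unsigned accepts; };

enum ppp_err fake_link_try(enum link_profile profile, void *ctx)
{
    const struct fake_peer *peer = ctx;
    if (peer->accepts & (1u << profile))
        return PPPERR_NONE;
    return (profile == PROFILE_MSCHAPV2_MPPE) ? PPPERR_AUTHFAIL : PPPERR_CONNECT;
}

/* Convenience wrapper: run the loop against a peer that accepts 'accepts'. */
enum ppp_err run_against(unsigned accepts, struct connect_log *log)
{
    struct fake_peer peer = { accepts };
    return ppp_connect_loop(fake_link_try, &peer, log);
}

int main(void)
{
    struct connect_log log;
    run_against(1u << PROFILE_MSCHAPV2_MPPE, &log);   /* modern peer */
    printf("modern peer: %d attempt(s), downgraded=%d\n", log.count, log.downgraded);
    run_against(1u << PROFILE_NO_AUTH, &log);         /* legacy peer, no auth */
    printf("legacy peer: %d attempt(s), downgraded=%d\n", log.count, log.downgraded);
    run_against(0, &log);                             /* peer that never answers */
    printf("dead peer: gave up after %d attempt(s)\n", log.count);
    return 0;
}
```

The reason to keep the fallback as a separate profile rather than using PPPAUTHTYPE_ANY is the one given in the thread: with the loop, a cleartext session can only happen after an explicit, logged decision, and building with ALLOW_CLEARTEXT_FALLBACK set to 0 turns the downgrade off entirely.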


