Re: (ASCEND) Ethernet -> Answer -> PPP Options -> Recv Auth=PAP

To: Cyril Jaouich <twiggy@twiggy.spider.org>, "@x400hub.net.treas.gov":@mailhub-1.net.treas.gov:owner-ascend-users@max.bungi.com
Subject: Re: (ASCEND) Ethernet -> Answer -> PPP Options -> Recv Auth=PAP
From: Mitchell Arnone <mitchell.arnone@occ.treas.gov>
Date: Thu, 3 Jun 99 13:59:08 EDT
Cc: Shaun Ledford <shaun@ms.com>, ascend-users@bungi.com
MMDF-Warning: Parse error in original version of preceding line at mailhost.occ.treas.gov
MMDF-Warning: Parse error in original version of preceding line at mailhost.occ.treas.gov
MMDF-Warning: Parse error in original version of preceding line at mailhost.occ.treas.gov
Reply-To: mitchell.arnone@occ.treas.gov
Sender: owner-ascend-users@max.bungi.com

There are a number of schools of thought on the amount of risk with using 
PAP vs CHAP.  However, Windows clients to suppot PAP but you don't turn it 
on at the client.  If you configure the TNT answer defaults>>PPP-answer to 
PAP-PPP-Auth, the the Windows client will talk PAP.

What happens is that the client will attempt to negotiate a session using 
CHAP and, if that fails, it will try PAP.  To verify this, just configure 
the client to write MSDUN access to a log file and then follow the sequence 
of events.

Mitch
-------------
Original Text
From: "Phillip Vandry" <vandry@mlink.net>, on 6/3/99 9:37 AM:
To: SMTP@DC2@OCC["Cyril Jaouich" <twiggy@twiggy.spider.org>]
Cc: SMTP@DC2@OCC["Shaun Ledford" <shaun@ms.com>], 
SMTP@DC2@OCC[<ascend-users@bungi.com>]

> > The only solution is to disable CHAP.
> 
> 	Well the problem is an M$ problem, non-windows dial-in will be
> okay with Either because they can be set to PAP first, but Microsoft has
> MS-CHAP (a CHAP version) that will be used before the configured
> authentication protocol. AFAIK there is no way to disable MS-CHAP auth in
> windows products, we ran into the same problem with having Cisco ISDN
> CHAP customers and our regular user base (mostly windows).

As much as I hate to agree with Microsoft on any point, I think this
is reasonable. Barring explicit configuration, a client should indeed
select a crypted algorithm (better from its point of view) over a
non crypted one if it's given the choice!

It's the PPP protocol that would have needed a different design, i.e.
some LCP parameters getting negociated after the username is known,
not before.

-Phil
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Prev by Date: (ASCEND) Re: 7.2.0
Next by Date: Re: (ASCEND) MAX Testing
Prev by thread: Re: (ASCEND) MAX4048s wanted
Next by thread: (ASCEND) ISDN:MAX 2ch connects work for built-in profile, but NOT with RADIUS
Index(es):
- Date
- Thread