All times are UTC [ DST ]

 Post subject: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Fri Oct 23, 2009 1:46 pm 

Joined: Thu Oct 22, 2009 12:18 pm
Posts: 12
Having problems with EAP authorisation, with some (not all) ADSL modems.
The modem sets up a PPPoA connection to a Cisco LAC, which then successfully initiates a tunnel and session to an LNS running openL2TP. However, the ppp connection fails because EAP authorisation is used instead of pap or chap!

Oct 6 12:00:41 lns02 openl2tpd[12408]: FSM: LNIC(38447/9772) event ICCN_ACCEPT in state WAITCONNECT
Oct 6 12:00:41 lns02 openl2tpd[12408]: 38447/9772: starting UNIX pppd
Oct 6 12:00:41 lns02 openl2tpd[12408]: FSM: LNIC(38447/9772) state change: WAITCONNECT --> ESTABLISHED
Oct 6 12:00:41 lns02 pppd[12436]: Plugin radius.so loaded.
Oct 6 12:00:41 lns02 pppd[12436]: RADIUS plugin initialized.
Oct 6 12:00:41 lns02 pppd[12436]: Plugin radattr.so loaded.
Oct 6 12:00:41 lns02 pppd[12436]: RADATTR plugin initialized.
Oct 6 12:00:41 lns02 pppd[12436]: Plugin pppol2tp.so loaded.
Oct 6 12:00:41 lns02 pppd[12436]: Plugin openl2tp.so loaded.
Oct 6 12:00:42 lns02 pppd[12436]: pppd 2.4.4 started by root, uid 0
Oct 6 12:00:42 lns02 pppd[12436]: Using interface ppp1
Oct 6 12:00:42 lns02 pppd[12436]: Connect: ppp1 <-->
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set debug=f
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set mru=1500
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set lns_mode=1
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set debug=f
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set mru=1500
Oct 6 12:00:42 lns02 pppd[12436]: EAP: unauthenticated peer name "user@realm.com"
Oct 6 12:00:42 lns02 pppd[12436]: LCP terminated by peer
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set lns_mode=1
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set debug=f
Oct 6 12:00:42 lns02 kernel: PPPOL2TP: sess 38447/9772: set mru=1500
Oct 6 12:00:45 lns02 pppd[12436]: Connection terminated.
Oct 6 12:00:45 lns02 pppd[12436]: Modem hangup
Oct 6 12:00:45 lns02 pppd[12436]: Exit.
Oct 6 12:00:45 lns02 openl2tpd[12408]: FSM: LNIC(38447/9772) event CLOSE_REQ in state ESTABLISHED
Oct 6 12:00:45 lns02 openl2tpd[12408]: PROTO: tunl 38447/9772: sending CDN to peer 17158/31309
Oct 6 12:00:45 lns02 openl2tpd[12408]: 38447/9772: stopping unix pppd pid 12436
Oct 6 12:00:45 lns02 openl2tpd[12408]: 38447/9772: cleaning UNIX pppd context
Oct 6 12:00:45 lns02 openl2tpd[12408]: FSM: LNIC(38447/9772) state change: ESTABLISHED --> IDLE

My /etc/openl2tpd.conf states that I don't want EAP

ppp profile create profile_name=enta21CN \
default_route=no \
auth_none=no \
auth_eap=no \
auth_pap=no \
auth_chap=yes \
auth_mschapv1=yes \
auth_mschapv2=yes \
trace_flags=4095 \
local_ipaddr=a.b.c.254 \
use_radius=yes \
radius_hint=/usr/local/etc/radiusclient/radiusclient.conf

It makes no difference if "auth_eap=yes"; the connection fails in the same way.
How can I force the ppp connection to ignore EAP and proceed with chap?


 Post subject: Re: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Fri Oct 30, 2009 10:52 am 
Site Admin

Joined: Sun Jul 27, 2008 1:39 pm
Posts: 122
neilf wrote:
Having problems with EAP authorisation, with some (not all) ADSL modems.
The modem sets up a PPPoA connection to a Cisco LAC, which then successfully initiates a tunnel and session to an LNS running openL2TP. However, the ppp connection fails because EAP authorisation is used instead of pap or chap!

It makes no difference if "auth_eap=yes"; the connection fails in the same way.
How can I force the ppp connection to ignore EAP and proceed with chap?


Sorry for the late reply.

What arguments are being used for pppd? A "ps ax" listing will show the command line of the pppd processes, or enable ppp debug in the ppp profile to have that info logged.


 Post subject: Re: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Fri Oct 30, 2009 5:35 pm 

Joined: Thu Oct 22, 2009 12:18 pm
Posts: 12
I have fixed this problem myself.
The openl2tp LNS was always requesting EAP, even with "auth_eap=no" in the profile.
I checked that refuse-eap was in the arguments passed to pppd, but this made no difference!
However, adding "require-chap" into /etc/ppp/options fixed the problem.


 Post subject: Re: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Sat Nov 07, 2009 4:55 pm 

Joined: Sat Nov 07, 2009 4:02 pm
Posts: 1
neilf wrote:
I have fixed this problem myself.
The openl2tp LNS was always requesting EAP, even with "auth_eap=no" in the profile.
I checked that refuse-eap was in the arguments passed to pppd, but this made no difference!
However, adding "require-chap" into /etc/ppp/options fixed the problem.

I have been experiencing the same issue for some weeks now and was preparing to move from Fedora to Debian to fix the problem but can also confirm I resolved the issue with the same fix :)

Now to solve some other problems!


 Post subject: Re: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Sun Dec 25, 2011 8:15 am 

Joined: Sat Dec 24, 2011 8:32 pm
Posts: 2
Location: San Jose, CA
Hi, I'm new to OpenL2TP and PPPD and am trying to use it for testing. I ran into this problem and worked around it with 'require-chap' in /etc/ppp/options.

Does anyone know the rationale for using 'require-chap' in /etc/ppp/options? Suppose I wanted to use CHAP *or* PAP on the LNS, depending on the previous LCP negotiation at the LAC... would it work with 'require-chap'? I don't see why EAP would even be attempted if we pass 'refuse-eap'. Is perhaps refuse-* for the peer authenticating us (pppd), while require-* is for us (pppd) authenticating the peer? Overall, this doesn't seem like the proper technique because /etc/ppp/options is for everyone, not just a particular pppd instance/connection.

Why doesn't L2TP pass the auth method from "Last Sent LCP CONFREQ AVP" in the ICCN to PPPD? Instead, it is re-negotiating LCP, which is where it sends the PPP CONFREQ with EAP through the LAC to the PPP client. Should L2TP be passing 'require-chap' to PPPD if that was the auth method in "Last Sent LCP CONFREQ AVP"? I would attach a capture, but I can't seem to upload a .pcap. The PPP client (Agilent N2X) NAKs the EAP Auth and suggests CHAP. You don't see this on the OpenL2TP LNS logs because a bug in the LAC client->lns forwarding messes up the UDP ports. Perhaps if the LNS PPP saw the NAK, it would retry the CONFREQ with CHAP. Regardless, this seems unnecessary since L2TP can pass all this to PPPD from the ICCN control message and finish authenticating CHAP without renegotiation.

I don't see any other parameters in the l2tpconfig documentation to change the PPP profile for auth type. PAP and CHAP are already enabled by default. I feel like something is missing in the L2TP <-> PPPD integration. I'm running OpenL2TP v1.8. Any pointers? Any other info needed?

All help appreciated!!! :)

Thanks,
-Andy

auth_pap - Allow PPP PAP authentication. Default: YES
auth_chap - Allow PPP CHAP authentication. Default: YES

ppp profile modify profile_name=default \
auth_eap=no auth_mschapv1=no auth_mschapv2=no

Quote:
What arguments are being used for pppd? A "ps ax" listing will show the command line of the pppd processes, or enable ppp debug in the ppp profile to have that info logged.


pixr-lnx-04 openl2tp-1.8$ ps -aef | grep pppd
root 28077 11856 0 10:58 pts/4 00:00:00 pppd debug kdebug 7 noipdefault sync refuse-eap refuse-mschap-v2 refuse-mschap nodetach local auth noaccomp nopcomp nobsdcomp nodeflate nopredictor1 novj novjccomp noendpoint nomp plugin pppol2tp.so plugin openl2tp.so pppol2tp 17 pppol2tp_lns_mode pppol2tp_tunnel_id 52982 pppol2tp_session_id 19359 pppol2tp_debug_mask 15
akarch 28087 10109 0 10:58 pts/2 00:00:00 grep pppd
pixr-lnx-04 openl2tp-1.8$

PROTO: tunl 12516/64443: ICCN received from peer 43879
FSM: LNIC(12516/64443) event ICCN_ACCEPT in state WAITCONNECT
12516/64443: starting UNIX pppd
sess 12516/64443: spawned pppd pid=28542
FSM: LNIC(12516/64443) state change: WAITCONNECT --> ESTABLISHED
sess 12516/64443: pppd debug kdebug 7 noipdefault sync refuse-eap refuse-mschap-v2 refuse-mschap nodetach local auth noaccomp nopcomp nobsdcomp nodeflate nopredictor1 novj novjccomp noendpoint nomp plugin pppol2tp.so plugin openl2tp.so pppol2tp 17 pppol2tp_lns_mode pppol2tp_tunnel_id 12516 pppol2tp_session_id 64443 pppol2tp_debug_mask 15
Plugin pppol2tp.so loaded.
Plugin openl2tp.so loaded.
Enabling LCP snooping
using channel 8
Using interface ppp0
Connect: ppp0 <-->
PPPoL2TP options: lnsmode tid 12516 sid 64443 debugmask 15
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
XPRT: tunl 12516: send zlb ack, ns/nr=2/4
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0xcced558e>]
XPRT: RX: tunl 12516/64443: len=86 ns/nr=4/2, our ns/nr=2/4, peer ns/nr=3/2
XPRT: tunl 12516: peer ns/nr is 4/2
DATA: RX: tunl 12516/64443: rcv 86 bytes from peer 111.2.19.1, packet ns/nr 4/2 type 0
XPRT: tunl 12516: update nr from 4 to 5
AVP: tunl 12516: CDN message decode of 66 bytes started
AVPDATA: RESULT_CODE: result=2 error=6 msg=No disconnect reason given
AVPDATA: SESSION_ID: id=48555
PROTO: tunl 12516: Optional AVPs ignored for message CDN: parse_flags=400000000000
PROTO: tunl 12516/64443: CDN received from peer 43879
PROTO: session 12516/64443, CDN error 2/6: A generic vendor-specific error occurred - No disconnect reason given
FSM: LNIC(12516/64443) event CDN in state ESTABLISHED
12516/64443: stopping unix pppd pid 28542
12516/64443: cleaning UNIX pppd context
FSM: LNIC(12516/64443) state change: ESTABLISHED --> IDLE


 Post subject: Re: EAP authorisation failure with pppd invoked from openl2tpd
PostPosted: Sat Dec 31, 2011 1:45 am 

Joined: Sat Dec 24, 2011 8:32 pm
Posts: 2
Location: San Jose, CA
Hi,

I read through the posts and the release notes and found the changes in v1.5. I added a specific profile for my peer with the recommended config from the v1.5 release notes, and now 'require-chap' is passed to PPPD.

Now PPPD on the LNS sends the CONFREQ with CHAP through the LAC to the client. The client replies happily with a CONFACK back to the LNS. The whole thing would probably work if my LAC forwarded with the correct UDP ports.

However, this still means that the LNS PPPD is renegotiating despite the info from the "Last Sent LCP CONFREQ AVP" in the L2TP ICCN (and other AVPs). Is there a reason it renegotiates, as it's unnecessary? If I had a guess at a technical reason, it might be because the chap challenge/response info isn't passed from L2TP when pppd is exec()ed... is that right?

I later found the 'allow_ppp_proxy' tunnel profile option and that sounds like it is specifically for the proxy authentication. In l2tpconfig I use "tunnel list" and "tunnel show tunnel_id=XXXXX" and see the correct tunnel profile and "allow PPP proxy: ON". However, the LNS still renegotiates LCP. My only guess is that it doesn't like the MRU of 1492 in the proxy information. My ethernet interface MTU is 1500 and I haven't configured anything special in L2TP. The new CONFREQ from the LNS is sent without that LCP option. Does anyone have any pointers to see how PPP might receive the proxy auth info and decide how to proceed? Any debug flags or log files?

Any clarification or pointers appreciated!!! :) Again, I can provide a packet capture if helpful.

Thanks,
-Andy



ppp profile create profile_name=LosAngeles9k \
auth_chap=yes auth_pap=no auth_eap=no auth_mschapv1=no auth_mschapv2=no
peer profile create profile_name=LosAngeles9k \
peer_ipaddr=111.2.19.1 netmask=255.255.255.255 lac_lns=LNS \
ppp_profile_name=LosAngeles9k
ppp profile modify profile_name=default \
auth_eap=no auth_mschapv1=no auth_mschapv2=no

sess 54525/59779: pppd debug kdebug 7 noipdefault sync refuse-eap refuse-mschap-v2 refuse-mschap refuse-pap require-chap nodetach local auth noaccomp nopcomp nobsdcomp nodeflate nopredictor1 novj novjccomp noendpoint nomp plugin pppol2tp.so plugin openl2tp.so pppol2tp 17 pppol2tp_lns_mode pppol2tp_tunnel_id 54525 pppol2tp_session_id 59779 pppol2tp_debug_mask 15



ppp profile create profile_name=LosAngeles9k \
auth_chap=yes auth_pap=no auth_eap=no auth_mschapv1=no auth_mschapv2=no

tunnel profile create profile_name=LosAngeles9k \
allow_ppp_proxy=yes

peer profile create profile_name=LosAngeles9k \
peer_ipaddr=111.2.19.1 netmask=255.255.255.255 lac_lns=LNS \
tunnel_profile_name=LosAngeles9k \
ppp_profile_name=LosAngeles9k

l2tp> peer profile list
LosAngeles9k
default
l2tp> peer profile show profile_name=LosAngeles9k
Peer profile LosAngeles9k:-
address: 111.2.19.1, port default
mode -/LNS
default tunnel profile: LosAngeles9k
default session profile: default
default ppp profile: LosAngeles9k
use count: 0
l2tp>

l2tp> tunnel profile list
LosAngeles9k
default
l2tp> tunnel profile show profile_name=LosAngeles9k
Tunnel profile LosAngeles9k
authorization mode NONE, hide AVPs OFF, allow PPP proxy ON
hello timeout 60, retry timeout 1, idle timeout 0
rx window size 10, tx window size 10, max retries 5
use UDP checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC
bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
peer profile: NOT SET
session profile: NOT SET
ppp profile: NOT SET
trace flags: PROTOCOL FSM API AVP AVPHIDE AVPDATA FUNC XPRT DATA PPP SYSTEM
l2tp>

l2tp> tunnel list
TunId Peer Local PeerTId ConfigId State
* 17575 111.2.19.1 111.2.19.204 8659 1 ESTABLISHED
l2tp> tunnel show tunnel_id=17575
Tunnel 17575, from 111.2.19.204 to 111.2.19.1:-
state: ESTABLISHED
created at: Dec 30 16:29:57 2011
created by admin: NO, tunnel mode: LNS
peer tunnel id: 8659, host name: NOT SET
UDP ports: local 36741, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: ON
session limit: 0, session count: 1
tunnel profile: LosAngeles9k, peer profile: LosAngeles9k
session profile: default, ppp profile: LosAngeles9k
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: PROTOCOL FSM API AVP AVPHIDE AVPDATA FUNC XPRT DATA PPP SYSTEM
peer vendor name: Cisco Systems, Inc.
peer protocol version: 1.0, firmware 4400
peer framing capability: NONE
peer bearer capability: NONE
peer rx window size: 512
Transport status:-
ns/nr: 2/4, peer 2/3
cwnd: 3, ssthresh: 10, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 1/0/0
retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 4, rx bytes: 408
control tx packets: 3, tx bytes: 189
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 4, tx bytes: 124, tx errors: 0
l2tp>

pixr-lnx-04 openl2tpd$ sudo /usr/sbin/openl2tpd -f -D -d 0x7FF -R -c openl2tpd.conf
[sudo] password for akarch:
Start, trace_flags=000007ff (debug enabled)
OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Using config file: openl2tpd.conf
AVPDATA: type=0 len=8 of 93
AVPDATA: type=2 len=8 of 93
AVPDATA: type=3 len=10 of 93
AVPDATA: type=6 len=8 of 93
AVPDATA: type=7 len=18 of 93
AVPDATA: host_name=LosAngeles9k
PROTO: Creating new tunnel context with profile 'LosAngeles9k' for LosAngeles9k (6f021301/1701)
FUNC: tunl 17575: inherited ppp profile 'LosAngeles9k' from peer profile
FUNC: tunl 17575: allocated context using profile 'LosAngeles9k', created by network request
XPRT: RX: tunl 17575/0: len=105 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 17575: peer ns/nr is 0/0
DATA: RX: tunl 17575/0: rcv 105 bytes from peer 111.2.19.1, packet ns/nr 0/0 type 0
XPRT: tunl 17575: update nr from 0 to 1
AVP: tunl 17575: SCCRQ message decode of 85 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=4400
AVPDATA: HOST_NAME: name=LosAngeles9k
AVPDATA: VENDOR_NAME: name=Cisco Systems, Inc.
AVPDATA: TUNNEL_ID: id=8659
AVPDATA: RX_WINDOW_SIZE: size=512
PROTO: tunl 17575: SCCRQ received from peer 8659
FSM: CCE(17575) event SCCRQ_ACCEPT in state IDLE
AVP: tunl 17575: building SCCRP message, 9 AVPs
PROTO: tunl 17575: sending SCCRP to peer 8659
XPRT: tunl 17575: queuing tx packet, type 2, len 149, ns/nr 0/1
XPRT: tunl 17575: update ns to 1
XPRT: tunl 17575: adding packet to ackq, type 2, len 149, ns/nr 0/1
DATA: TX: tunl 17575/0: send 149 bytes to peer 111.2.19.1, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(17575) state change: IDLE --> WAITCTLCONN
XPRT: RX: tunl 17575/0: len=20 ns/nr=1/1, our ns/nr=1/1, peer ns/nr=0/0
XPRT: tunl 17575: peer ns/nr is 1/1
XPRT: tunl 17575: pkt 0/1 is acked by nr 1
DATA: RX: tunl 17575/0: rcv 20 bytes from peer 111.2.19.1, packet ns/nr 1/1 type 0
XPRT: tunl 17575: update nr from 1 to 2
AVP: tunl 17575: SCCCN message decode of 0 bytes started
PROTO: tunl 17575: SCCCN received from peer 8659
FSM: CCE(17575) event SCCCN_ACCEPT in state WAITCTLCONN
FUNC: tunl 17575 up
FSM: CCE(17575) state change: WAITCTLCONN --> ESTABLISHED
XPRT: RX: tunl 17575/0: len=97 ns/nr=2/1, our ns/nr=1/2, peer ns/nr=1/1
XPRT: tunl 17575: peer ns/nr is 2/1
DATA: RX: tunl 17575/0: rcv 97 bytes from peer 111.2.19.1, packet ns/nr 2/1 type 0
XPRT: tunl 17575: update nr from 2 to 3
AVP: tunl 17575: ICRQ message decode of 77 bytes started
AVPDATA: SESSION_ID: id=6245
AVPDATA: CALL_SERIAL_NUMBER: value=3428600023
AVPDATA: BEARER_TYPE: type=0
AVPDATA: CALLED_NUMBER: value=circuit0
AVPDATA: CALLING_NUMBER: value=remote0
PROTO: tunl 17575/0: ICRQ received from peer 8659
17575/28692: creating UNIX pppd context
17575/28692: using ppp profile 'LosAngeles9k'
FSM: LNIC(17575/28692) event ICRQ_ACCEPT in state IDLE
AVP: tunl 17575: building ICRP message, 2 AVPs
PROTO: tunl 17575/28692: sending ICRP to peer 8659/6245
XPRT: tunl 17575: queuing tx packet, type 11, len 28, ns/nr 1/3
XPRT: tunl 17575: update ns to 2
XPRT: tunl 17575: adding packet to ackq, type 11, len 28, ns/nr 1/3
DATA: TX: tunl 17575/6245: send 28 bytes to peer 111.2.19.1, packet ns/nr 1/3 type 11, retry 0
FSM: LNIC(17575/28692) state change: IDLE --> WAITCONNECT
XPRT: RX: tunl 17575/28692: len=186 ns/nr=3/2, our ns/nr=2/3, peer ns/nr=2/1
XPRT: tunl 17575: peer ns/nr is 3/2
XPRT: tunl 17575: pkt 1/3 is acked by nr 2
DATA: RX: tunl 17575/28692: rcv 186 bytes from peer 111.2.19.1, packet ns/nr 3/2 type 0
XPRT: tunl 17575: update nr from 3 to 4
AVP: tunl 17575: ICCN message decode of 166 bytes started
AVPDATA: FRAMING_TYPE: type=1
AVPDATA: TX_CONNECT_SPEED: value=64
AVPDATA: INITIAL_LCP_CONFREQ: value=05 06 3d 87 55 68 01 04 ff fb
AVPDATA: LAST_SENT_LCP_CONFREQ: value=01 04 05 d4 03 05 c2 23 05 05 06 0e 27 d8 69
AVPDATA: LAST_RCVD_LCP_CONFREQ: value=05 06 3d 87 55 68 01 04 ff fb
AVPDATA: PROXY_AUTH_TYPE: value=2
AVPDATA: PROXY_AUTH_NAME: value=andy@openl2tp.org
AVPDATA: PROXY_AUTH_CHALLENGE: value=01 ed 80 6b a6 0b 5d c0 e0 6a 1e 6c 08 e3 b3 b4
AVPDATA: PROXY_AUTH_ID: value=77
AVPDATA: PROXY_AUTH_RSP: value=84 af ce 6c c0 0d a4 a2 c3 bf 79 aa 88 be da 18
AVPDATA: RX_CONNECT_SPEED: value=64
PROTO: tunl 17575/28692: ICCN received from peer 8659
FSM: LNIC(17575/28692) event ICCN_ACCEPT in state WAITCONNECT
17575/28692: starting UNIX pppd
sess 17575/28692: spawned pppd pid=32495
FSM: LNIC(17575/28692) state change: WAITCONNECT --> ESTABLISHED
sess 17575/28692: pppd debug kdebug 7 noipdefault sync refuse-eap refuse-mschap-v2 refuse-mschap refuse-pap require-chap nodetach local auth noaccomp nopcomp nobsdcomp nodeflate nopredictor1 novj novjccomp noendpoint nomp plugin pppol2tp.so plugin openl2tp.so pppol2tp 17 pppol2tp_lns_mode pppol2tp_tunnel_id 17575 pppol2tp_session_id 28692 pppol2tp_debug_mask 15
Plugin pppol2tp.so loaded.
Plugin openl2tp.so loaded.
Enabling LCP snooping
using channel 20
Using interface ppp0
Connect: ppp0 <-->
PPPoL2TP options: lnsmode tid 17575 sid 28692 debugmask 15
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
XPRT: tunl 17575: send zlb ack, ns/nr=2/4
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0xe32110fa>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
FSM: LNIC(17575/28692) event CLOSE_REQ in state ESTABLISHED
AVP: tunl 17575: building CDN message, 3 AVPs
PROTO: tunl 17575/28692: sending CDN to peer 8659/6245
XPRT: tunl 17575: queuing tx packet, type 14, len 36, ns/nr 2/4
XPRT: tunl 17575: update ns to 3
XPRT: tunl 17575: adding packet to ackq, type 14, len 36, ns/nr 2/4
DATA: TX: tunl 17575/6245: send 36 bytes to peer 111.2.19.1, packet ns/nr 2/4 type 14, retry 0
17575/28692: stopping unix pppd pid 32495
17575/28692: cleaning UNIX pppd context
FSM: LNIC(17575/28692) state change: ESTABLISHED --> IDLE
XPRT: RX: tunl 17575/0: len=12 ns/nr=4/3, our ns/nr=3/4, peer ns/nr=3/2
XPRT: tunl 17575: zlb ack received: ns/nr=4/3
XPRT: tunl 17575: peer ns/nr is 4/3
XPRT: tunl 17575: pkt 2/4 is acked by nr 3
XPRT: RX: tunl 17575/0: len=82 ns/nr=4/3, our ns/nr=3/4, peer ns/nr=4/3
XPRT: tunl 17575: peer ns/nr is 4/3
DATA: RX: tunl 17575/0: rcv 82 bytes from peer 111.2.19.1, packet ns/nr 4/3 type 0
XPRT: tunl 17575: update nr from 4 to 5
AVP: tunl 17575: STOPCCN message decode of 62 bytes started
AVPDATA: RESULT_CODE: result=1 error=6 msg=No application/session timer expired
AVPDATA: TUNNEL_ID: id=8659
PROTO: tunl 17575: STOPCCN received
FSM: CCE(17575) event STOPCCN in state ESTABLISHED
FUNC: tunl 17575 down
FUNC: tunl 17575: starting cleanup timer
FSM: CCE(17575) state change: ESTABLISHED --> CLOSING
tunl 17575: tunnel close acknowledged by peer
XPRT: tunl 17575: send zlb ack, ns/nr=3/5
FUNC: tunl 17575 deleted
FUNC: tunl 17575: deleting context


Quote:
Fix ppp profile ppp authentication options which seem to have been
broken since 0.17. The auth_pap, auth_chap etc options should
translate into refuse-xxx options to pppd, but these pppd arguments
were not generated properly.

While testing an install for an ISP, it was found that pppd would
always offer EAP authentication when negotiating with its peer,
despite auth_eap=off being set in the ppp profile. It turns out that
some ppp peers (including Cisco!) drop the connection unless the peer
asks for the exactly the same authentication method. Specifically, in
a Cisco, if CHAP is configured, it will drop the connection if the
peer suggests that it can do EAP. To configure pppd to force a
specific authentication method, one of pppd's require-xxx options must
be used. Until now, OpenL2TP has no interface to control pppd's
require-xxx auth options. With this release, if all but one of the ppp
profile's auth_xxx options is disabled, OpenL2TP will now
automatically add the require-xxx pppd auth option for the one auth
option that is enabled. For example, to configure CHAP only, set
auth_chap=yes auth_pap=no auth_mschapv1=no auth_mschapv2=no
auth_eap=no in the ppp profile. This will yield the following pppd
arguments: refuse-pap refuse-mschap refuse-mschap-v2 refuse-eap
require-chap.
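
An added example (not part of the thread and not OpenL2TP's own code): it decodes the LCP options in the LAST_SENT_LCP_CONFREQ AVP logged above, applies the refuse-xxx/require-xxx rule from the quoted v1.5 release notes, and checks whether a pppd command line pins the method the LAC already negotiated. The function names are hypothetical; the AVP bytes and pppd arguments are copied from the logs in this thread, with the command lines shortened to their leading options.

```python
import struct

# LCP auth-protocol numbers and CHAP algorithm codes (PPP assigned numbers).
AUTH_PROTOCOLS = {0xC023: "pap", 0xC223: "chap", 0xC227: "eap"}
CHAP_ALGORITHMS = {0x05: "chap", 0x80: "mschap", 0x81: "mschap-v2"}
# ppp profile key -> pppd option suffix, as the names appear in the thread.
PROFILE_TO_PPPD = {"auth_pap": "pap", "auth_chap": "chap", "auth_mschapv1": "mschap",
                   "auth_mschapv2": "mschap-v2", "auth_eap": "eap"}

# Values copied from the thread's logs (command lines shortened).
LAST_SENT_LCP_CONFREQ = "01 04 05 d4 03 05 c2 23 05 05 06 0e 27 d8 69"
PPPD_DEFAULT_PROFILE = ("pppd debug kdebug 7 noipdefault sync refuse-eap "
                        "refuse-mschap-v2 refuse-mschap nodetach local auth")
PPPD_CHAP_ONLY = ("pppd debug kdebug 7 noipdefault sync refuse-eap refuse-mschap-v2 "
                  "refuse-mschap refuse-pap require-chap nodetach local auth")

def parse_lcp_options(hex_bytes):
    """Decode the type/length/value options carried in an LCP CONFREQ AVP."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    opts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % i)
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        val = data[i + 2:i + length]
        if typ == 1 and len(val) == 2:            # Maximum-Receive-Unit
            opts["mru"] = struct.unpack("!H", val)[0]
        elif typ == 3 and len(val) >= 2:          # Authentication-Protocol
            proto = struct.unpack("!H", val[:2])[0]
            name = AUTH_PROTOCOLS.get(proto, hex(proto))
            if name == "chap" and len(val) >= 3:  # third byte selects the CHAP variant
                name = CHAP_ALGORITHMS.get(val[2], "chap-alg-%#x" % val[2])
            opts["auth"] = name
        elif typ == 5 and len(val) == 4:          # Magic-Number
            opts["magic"] = struct.unpack("!I", val)[0]
        else:                                     # keep anything else undecoded
            opts.setdefault("other", []).append((typ, val.hex()))
        i += length
    return opts

def pppd_auth_args(profile):
    """Release-note rule: refuse-xxx for each disabled method, plus
    require-xxx when exactly one method is left enabled."""
    enabled = [k for k in PROFILE_TO_PPPD if profile[k]]
    args = ["refuse-" + PROFILE_TO_PPPD[k] for k in PROFILE_TO_PPPD if not profile[k]]
    if len(enabled) == 1:
        args.append("require-" + PROFILE_TO_PPPD[enabled[0]])
    return args

def pins_proxy_auth(pppd_cmdline, last_sent_confreq_hex):
    """True if pppd is told to require the method the LAC last proposed."""
    auth = parse_lcp_options(last_sent_confreq_hex).get("auth")
    return bool(auth) and ("require-" + auth) in pppd_cmdline.split()

if __name__ == "__main__":
    print(parse_lcp_options(LAST_SENT_LCP_CONFREQ))
    chap_only = {"auth_pap": False, "auth_chap": True, "auth_mschapv1": False,
                 "auth_mschapv2": False, "auth_eap": False}
    print(" ".join(pppd_auth_args(chap_only)))
    for label, cmd in (("default profile", PPPD_DEFAULT_PROFILE),
                       ("CHAP-only profile", PPPD_CHAP_ONLY)):
        print(label, "pins LAC-negotiated auth:",
              pins_proxy_auth(cmd, LAST_SENT_LCP_CONFREQ))
```

The decoded AVP shows the MRU of 1492 and CHAP with MD5 that the LAC had already proposed to the client; only the second command line requires that same method.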

