oreilly.comSafari Books Online.Conferences.


Troubleshooting ISP Connection Problems
Pages: 1, 2, 3, 4

If both your user name and your password got sent (both show up on the lines in /var/log/ppp) but you got a login rejection, check to make sure that you have the right password and user name for the remote system.

If it logged you in but again you got a message saying the 7 bit is all zero, your ISP is expecting something else from you after you logged in. This is most likely a ppp or a pppd command. Insert a ppp or "" pppd at the end of the chat string. Sometimes ISPs put in a request "Do you want PPP? y/n". In that case, put in "PPP? y/n" "\dy" at the end of the chat script instead. (The \d tells chat to wait one second to make sure that the remote computer is ready to receive your "y". (Try one of these. If this does not work, the lines in /var/log/ppp from chat will give you a clue as to what was expected).

Occasionally, your ISP will want both login authorization and PAP or CHAP authorization. You will see this by the <auth pap> or <auth chap ...> in the pppd lines in /var/log/ppp file after you have logged in. In this case, go to the PAP/CHAP section and follow those directions as well.

If, in the var/log/ppp file you see a line giving your local and the remote IP address, you are connected and should skip the next section on PAP and CHAP.


If in one of the lines in /var/log/ppp, there is the phrase <auth pap> (<auth chap ...>), this means that the remote system wants to use PAP (CHAP) authentication. Let me first explain the types of CHAP authentication.

Types of CHAP

With CHAP, there is an extra number after the <auth chap ..>, the dots indicate which type of CHAP authentication they are using (Yes, there are different types.). The 05 one (or "md5") is standard, and your system will have no problem with it. The types 80 (also called "m$oft") and 81 are special Microsoft types. Your pppd will state in /var/log/ppp if it does not support them with error messages like -- unknown digest type or Unknown CHAP code 80 received..

Your pppd, certainly in the 2.3.x series, can and may already support type 80 (m$oft). In this case you are OK. The only thing to beware of is that the username in chap-secrets file and in the user option to pppd may need the special domain addition.

Similarly if you see something like

.... < auth 0xc027 01 ....> ...

in one of the lines from the far end, they want a patented version of PAP called Shiva PAP (or SPAP). Because of those patents, Linux does not support it. This is probably an NT server, and should also accept other versions of authentications if properly set up (a big if).

If your version of pppd does not support type 80 (m$oft), it may be possible to recompile your pppd from source to support the type 80 chap. Note that most distributions have been compiled to support this as delivered. I leave recompiling the pppd source as an exercise to you.

Read the file README.MSCHAP80 from the pppd source for hints. Also see the PPP-NT how-to file

Often a server will first try to see if you are willing to use the CHAP 80. But if your system does not agree, they will fall back to asking for either CHAP 05 (md5) or PAP.

Finally note that there are two separate type 80 (m$oft) CHAP implementations. The older, obsolete standard is Microsoft's LANMAN standard. Microsoft's newer is the default NT standard. If your ISP uses the older standard -- you can only find this out from them -- and your pppd has been compiled to support type 80 and the MSLANMAN option, then you can persuade pppd to use the older one by adding the ms-lanman option to the pppd command.]

If your ISP uses type 81 and refuses to use anything else, yell at them for using this new Microsoft non-standard. If they refuse to use anything else (such as CHAP 05 or CHAP md5) then note that efforts are being made to also support MSChap 81 in Linux. There is a patch for pppd 2.3.8 at m/vpn/download_pptp.html (see the PPP2.3.8 Patch) which is part of the VPN for Linux PPTP Server project. At present, this is still beta level software.

Setting up PAP/CHAP

You now need to make sure that the remote system gets the proper PAP/CHAP authentication. There are two steps here.

First, edit the file /etc/ppp/pap-secrets (/etc/ppp/chap-secrets).

You will now add a line to this file. The first entry in the line is your user name on the remote system. The second is a *. The third is your password and the fourth can also be a *. Thus there will be a line like

<yourusername>     *     <yourpassword>        *

For example,

unruh                *       dontyouwish             *

(This means that this line is the PAP (CHAP) secret for user <yourusername> on any remote system (*) and <yourpassword> is that secret. Also the connection can use any IP address -- the second *.)

The second entry (first star) may have to be replaced by the name of the remote system if your ISP told you to do so or you have accounts on many ISPs. The last star may have to be removed. But this line as written should work for a single ISP.

Pages: 1, 2, 3, 4

Next Pagearrow

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: