If both your user name and your password got sent (both show up on the lines in /var/log/ppp) but you got a login rejection, check to make sure that you have the right password and user name for the remote system.
If it logged you in but again you got a message saying the 7 bit is all zero, your ISP is expecting something else from you after you logged in. This is most likely a ppp or a pppd command. Insert a "" pppd at the end of the chat string. Sometimes ISPs put in a request "Do you want PPP? y/n". In that case, put in "PPP? y/n" "\dy" at the end of the chat script instead. (The \d tells chat to wait one second to make sure that the remote computer is ready to receive your "y".) Try one of these. If this does not work, the lines in /var/log/ppp from chat will give you a clue as to what was expected.
Occasionally, your ISP will want both login authorization and PAP or CHAP authorization. You will see this by the <auth pap> or <auth chap ...> in the pppd lines in the /var/log/ppp file after you have logged in. In this case, go to the PAP/CHAP section and follow those directions as well.
If, in the /var/log/ppp file, you see a line giving your local and the remote IP address, you are connected and should skip the next section on PAP and CHAP.
If in one of the lines in /var/log/ppp, there is the phrase <auth pap> (<auth chap ...>), this means that the remote system wants to use PAP (CHAP) authentication. Let me first explain the types of CHAP authentication.
Types of CHAP
With CHAP, there is an extra number after the ..>, the dots indicate which type of CHAP authentication they are using. (Yes, there are different types.) The 05 one (or "md5") is standard, and your system will have no problem with it. The types 80 (also called "m$oft") and 81 are special Microsoft types. Your pppd will state in /var/log/ppp if it does not support them, with error messages like "unknown digest type" or "Unknown CHAP code 80 received."
pppd, certainly in the 2.3.x series, can and may already support type 80 (m$oft). In this case you are OK. The only thing to beware of is that the username in the chap-secrets file and in the user option to pppd may need the special domain addition.
Similarly, if you see something like
.... < auth 0xc027 01 ....> ...
in one of the lines from the far end, they want a patented version of PAP called Shiva PAP (or SPAP). Because of those patents, Linux does not support it. This is probably an NT server, and should also accept other versions of authentications if properly set up (a big if).
If your version of pppd does not support type 80 (m$oft), it may be possible to recompile your pppd from source to support the type 80 chap. Note that most distributions have been compiled to support this as delivered. I leave recompiling the pppd source as an exercise to you.
Often a server will first try to see if you are willing to use the CHAP 80. But if your system does not agree, they will fall back to asking for either CHAP 05 (md5) or PAP.
Finally, note that there are two separate type 80 (m$oft) CHAP implementations. The older, obsolete standard is Microsoft's LANMAN standard. Microsoft's newer one is the default NT standard. If your ISP uses the older standard -- you can only find this out from them -- and your pppd has been compiled to support type 80 and the MSLANMAN option, then you can persuade pppd to use the older one by adding the ms-lanman option to the
If your ISP uses type 81 and refuses to use anything else, yell at them for using this new Microsoft non-standard. If they refuse to use anything else (such as CHAP 05 or CHAP md5) then note that efforts are being made to also support MSChap 81 in Linux. There is a patch for pppd 2.3.8 at http://www.moretonbay.com/vpn/download_pptp.html (see the PPP2.3.8 Patch) which is part of the VPN for Linux PPTP Server project. At present, this is still beta level software.
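The checks described in this section can be run over the log with a small script. This is an added example, not part of the original HOWTO: the function names and the sample log lines are constructed, and it assumes that lines from the far end contain the word "rcvd".

```shell
#!/bin/sh
# Added example: report which authentication the far end asks for in pppd
# log lines. The log line layout below is constructed, not taken from the page.

# classify_auth LINE -> pap | chap-md5 | chap-80 | chap-81 | chap-unknown:<t> | spap | none
classify_auth() {
    case "$1" in
        *"<auth pap>"*) echo "pap" ;;
        # Shiva PAP; the page writes it with a space after '<'.
        *"<auth 0xc027 "*|*"< auth 0xc027 "*) echo "spap" ;;
        *"<auth chap "*)
            t=${1#*"<auth chap "}   # drop everything up to the type token
            t=${t%%">"*}            # drop the closing '>' and the rest
            t=${t%% *}              # keep only the first word
            case "$t" in
                05|md5|MD5) echo "chap-md5" ;;   # standard type
                80|'m$oft') echo "chap-80" ;;    # Microsoft type 80
                81)         echo "chap-81" ;;    # Microsoft type 81
                *)          echo "chap-unknown:$t" ;;
            esac ;;
        *) echo "none" ;;
    esac
}

# scan_ppp_log: read log lines on stdin and print, in order, each request
# received from the peer. Assumption: peer lines carry the word "rcvd".
scan_ppp_log() {
    while IFS= read -r l; do
        case "$l" in *"rcvd "*) ;; *) continue ;; esac
        a=$(classify_auth "$l")
        [ "$a" = none ] || echo "$a"
    done
}

# Constructed sample: the peer offers type 80 first, then falls back to 05.
sample_log() {
    cat <<'EOF'
pppd[412]: sent [LCP ConfReq id=0x1 <mru 1500> <magic 0x11>]
pppd[412]: rcvd [LCP ConfReq id=0x2 <auth chap 80> <magic 0x22>]
pppd[412]: sent [LCP ConfNak id=0x2 <auth chap 05>]
pppd[412]: rcvd [LCP ConfReq id=0x3 <auth chap 05> <magic 0x22>]
EOF
}

sample_log | scan_ppp_log
```

To check a real session, feed the log in on standard input: scan_ppp_log < /var/log/ppp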
Setting up PAP/CHAP
You now need to make sure that the remote system gets the proper PAP/CHAP authentication. There are two steps here.
First, edit the file
You will now add a line to this file. The first entry in the line is your user name on the remote system. The second is a *. The third is your password and the fourth can also be a *. Thus there will be a line like
<yourusername> * <yourpassword> *
unruh * dontyouwish *
(This means that this line is the PAP (CHAP) secret for user <yourusername> on any remote system ( <yourpassword> is that secret. Also the connection can use any IP address -- the second
The second entry (first star) may have to be replaced by the name of the remote system if your ISP told you to do so or you have accounts on many ISPs. The last star may have to be removed. But this line as written should work for a single ISP.