VPN Products

Brad Kemp kemp at INDUSRIVER.COM
Fri Feb 11 15:27:19 EST 2000


The problem with 128 bit encryption is that Microsoft was very fuzzy
on what to hand back as the key value. By reading the spec,
you could hand back the unhashed key value or the hashed value.
The Microsoft Radius server does it one way
and Funk did it the other way. Funk has fixed the problem and I believe it is
in the current release.
I seem to remember that Shiva interpreted the spec the same way Funk did,
but I am not sure.

Brad




At 04:42 PM 2/10/00 -0500, Wightman,Andrew wrote:
>Our problems with PPTP and the Contivity come when you start to look at
>authentication between the Contivity and a RADIUS server. Most vendors of
>RADIUS systems (from what I have found) do not implement MS-CHAP (required
>for PPTP) w/ the MPPE attribute (required for the encryption key hash).
>Cisco supports MS-CHAP w/ their Secure ACS - but not with the MPPE
>attributes. Funk supports MS-CHAP w/ MPPE - we are looking at this now, but
>there is a known problem with the Contivity and Funk RADIUS w/ 128-bit PPTP.
>So my suggestion was to use IPSec, but it was turned down due to
>reported issues with IPSec clients causing problems with hardware because of
>their NDIS layer install.
>
>Anyone care to comment?
>
>
>Andrew

--- -- --
Brad Kemp
Indus River Networks, Inc.                   BradKemp at indusriver.com
31 Nagog Park                                978-266-8122
Acton, MA 01720                              fax 978-266-8111

VPN is sponsored by SecurityFocus.COM



