The Apple Geek

Есть модемы GPRS/EDGE/HSDPA, которые при настройке аутентификации по имени и паролю производят аутентификацию исключительно по CHAP без попыток перейти на PAP.

Например, к таким относится Novatel MC930D. Лог обмена (auth chap MD5, затем auth chap MS-v2, но попытки auth pap нет):

Mon Aug 16 17:49:23 2010 : Connect: ppp0 <--> /dev/cu.wwan
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x452ef417> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x0 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x452ef417> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x2 <auth chap MS-v2>]
rcvd [LCP ConfReq id=0x3 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x3 <auth chap MS-v2>]
rcvd [LCP ConfReq id=0x4 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x4 <auth chap MS-v2>]
rcvd [LCP ConfReq id=0x5 <asyncmap 0x0> <auth chap MD5> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFREJ.
sent [LCP ConfRej id=0x5 <auth chap MD5>]
rcvd [LCP ConfReq id=0x6 <asyncmap 0x0> <magic 0x19cfabf> <pcomp> <accomp>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x6 <asyncmap 0x0> <magic 0x19cfabf> <pcomp> <accomp>]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
sent [IPV6CP ConfReq id=0x1 <addr fe80::0225:bcff:fedc:ddae>]
rcvd [LCP DiscReq id=0x7 magic=0x19cfabf]
rcvd [LCP ProtRej id=0x8 ...]

Другие же модемы, например, Huawei E1690, нормально переходят на PAP после неудачных auth chap MD5 и auth chap MS-v2:

Connect: ppp0 <--> /dev/cu.HUAWEIMobile-Modem
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x57d0479b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap MD5> <magic 0xf247bc> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x0 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x57d0479b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth pap> <magic 0xf247bc> <pcomp> <accomp>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth pap> <magic 0xf247bc> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x57d0479b]
sent [PAP AuthReq id=0x1 user="username@company.com" password=<hidden>]
rcvd [LCP DiscReq id=0x2 magic=0xf247bc]
rcvd [LCP EchoRep id=0x0 magic=0xf247bc c0 23 05 06]
rcvd [PAP AuthAck id=0x1 ""]
PAP authentication succeeded

Через интерфейс решить проблему нельзя. Покопавшись опциях pppd, я нашёл решение – нужно добавить в /etc/ppp/options несколько опций:

$ sudo vim /etc/ppp/options
refuse-chap
refuse-mschap
refuse-mschap-v2

После этого соединение проходит нормально:

Connect: ppp0 <--> /dev/cu.wwan
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x32333354> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x3 <asyncmap 0x0> <auth chap MD5> <magic 0x1a02c32> <pcomp> <accomp>]
lcp_reqci: returning CONFNAK.
sent [LCP ConfNak id=0x3 <auth pap>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x32333354> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x4 <asyncmap 0x0> <auth pap> <magic 0x1a02c32> <pcomp> <accomp>]
lcp_reqci: returning CONFACK.
sent [LCP ConfAck id=0x4 <asyncmap 0x0> <auth pap> <magic 0x1a02c32> <pcomp> <accomp>]
sent [PAP AuthReq id=0x1 user="username@company.com" password=<hidden>]
rcvd [LCP DiscReq id=0x5 magic=0x1a02c32]
rcvd [PAP AuthAck id=0x1 ""]
PAP authentication succeeded