KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles


Q282799: MPPE Attribute Required When Using Radius Server with RRAS

Article: Q282799
Product(s): Microsoft Windows NT
Version(s): 4.0
Operating System(s): 
Keyword(s): kbenv kbtool tslic_tslic
Last Modified: 26-OCT-2001

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Server version 4.0 
- Microsoft Windows NT version 4.0 Option Pack 
-------------------------------------------------------------------------------

SUMMARY
=======

When you are using a Radius server for authentication with Routing and Remote
Access, the Radius server must return the Microsoft Point-to-Point Encryption
(MPPE) keys.

MORE INFORMATION
================

Returning the MPPE attribute is not a requirement as defined in Request for
Comments (RFC) 2548 section 2.4. However, Windows NT 4 Routing and Remote Access
will terminate the link when the MPPE attribute is missing in the Radius
response.

When RRAS terminates the link, you receive the following error message in the
event log:

  Event ID 20073
  The following error occurred in the point to point protocol module on port
  [PORTNAME]. The parameter is incorrect.

This only applies when you are using MS-CHAP as the authentication protocol. In
Windows 2000, the RAS server no longer terminates the connection when these keys
are not available. However, MPPE is negotiated in the PPP Compression Control
Protocol (CCP). Radius has no way of knowing if MPPE has been negotiated. If it
has been agreed upon, but the encryption keys are not included in the Radius
response, encryption does not work.

If either side requires encryption, the connection will fail entirely. Because of
this, it is recommended that Radius servers that support MS-CHAP always include
the MPPE attribute.
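
To confirm whether a captured Access-Accept actually carries MPPE key
attributes, a check along the following lines can be used. This is an added
example, not part of the original article: the attribute numbers (vendor ID 311,
vendor types 12, 16 and 17) are taken from RFC 2548, the function names are
hypothetical, and the sample packets are constructed with placeholder bytes
rather than real keys.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26       # RADIUS attribute type carrying vendor attributes
MICROSOFT_VENDOR_ID = 311  # vendor ID used by the RFC 2548 attributes
MPPE_KEY_TYPES = {12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key",
                  17: "MS-MPPE-Recv-Key"}

def _tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed " + what)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def mppe_key_attributes(packet):
    """Return names of the MPPE key attributes present in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found = []
    for a_type, value in _tlvs(packet[20:length], "attribute"):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
            continue
        for v_type, _data in _tlvs(value[4:], "vendor sub-attribute"):
            if v_type in MPPE_KEY_TYPES:
                found.append(MPPE_KEY_TYPES[v_type])
    return found

def accept_lacks_mppe_keys(packet):
    """True for an Access-Accept that carries no MPPE key attribute."""
    keys = mppe_key_attributes(packet)
    return packet[0] == ACCESS_ACCEPT and not keys

# Constructed sample packets: zeroed authenticator, placeholder bytes, no real keys.
def _packet(code, *attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def _ms_vsa(v_type, data):
    sub = bytes([v_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", MICROSOFT_VENDOR_ID) + sub

WITH_KEYS = _packet(ACCESS_ACCEPT, _ms_vsa(16, bytes(34)), _ms_vsa(17, bytes(34)))
WITHOUT_KEYS = _packet(ACCESS_ACCEPT, bytes([6, 6, 0, 0, 0, 2]))  # Service-Type only
```

An Access-Accept for which accept_lacks_mppe_keys() returns True is the kind of
response that leads to the link termination described above on Windows NT 4.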

Additional query words:

======================================================================
Keywords          : kbenv kbtool tslic_tslic 
Technology        : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNT400OptionPack
Version           : :4.0
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.