Microsoft KB Archive/282799

= MPPE Attribute Is Required When You Are Using Radius Server with RRAS =

Article ID: 282799

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT version 4.0 Option Pack




This article was previously published under Q282799



SUMMARY
When you are using a Radius server for authentication with Routing and Remote Access, the Radius server must return the Microsoft Point-to-Point Encryption (MPPE) keys.



MORE INFORMATION
Returning the MPPE attribute is not a requirement as defined in Request for Comments (RFC) 2548 section 2.4. However, Windows NT 4 Routing and Remote Access will terminate the link when the MPPE attribute is missing in the Radius response.

When RRAS terminates the link, you receive the following error message in the event log:

Event ID 20073

The following error occurred in the point to point protocol module on port [PORTNAME]. The parameter is incorrect.

This only applies when you are using MS-CHAP as the authentication protocol. In Windows 2000, the RAS server no longer terminates the connection when these keys are not available. However, MPPE is negotiated in the PPP Compression Control Protocol (CCP). Radius has no way of knowing if MPPE has been negotiated. If it has been agreed upon, but the encryption keys are not included in the Radius response, encryption does not work.

If either side requires encryption, the connection will fail entirely. Because of this, it is recommended that Radius servers that support MS-CHAP always include the MPPE attribute.
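
One way to check a captured Radius Access-Accept for the MPPE key attributes is sketched below. This is an added example, not code from Microsoft or from the original article. The attribute numbers are taken from RFC 2865 and RFC 2548 section 2.4, the function and helper names are hypothetical, the sample packets are constructed with placeholder bytes, and treating any of the three key-bearing attributes as "the MPPE attribute" is an assumption.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26       # RADIUS attribute type (RFC 2865)
MICROSOFT_VENDOR_ID = 311  # vendor id used by the RFC 2548 attributes
# Key-bearing vendor types defined in RFC 2548 section 2.4
MPPE_KEY_TYPES = {12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def mppe_key_attributes(packet: bytes) -> list:
    """Return the names of the MPPE key attributes present in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
            continue
        sub = value[4:]
        # Walk the vendor sub-attributes: vendor-type, vendor-length, data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] in MPPE_KEY_TYPES:
                found.append(MPPE_KEY_TYPES[sub[0]])
            sub = sub[sub[1]:]
    return found

def _vsa(vendor_type: int, data: bytes) -> bytes:
    """Hypothetical helper: build one Microsoft vendor-specific attribute."""
    body = struct.pack("!IBB", MICROSOFT_VENDOR_ID, vendor_type, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def _accept(attrs: bytes) -> bytes:
    """Hypothetical helper: wrap attributes in an Access-Accept with a zeroed authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: placeholder bytes, not real keys
WITH_KEYS = _accept(_vsa(16, bytes(34)) + _vsa(17, bytes(34)))
WITHOUT_KEYS = _accept(_vsa(7, struct.pack("!I", 2)))  # MS-MPPE-Encryption-Policy only
```

An empty result for an Access-Accept returned to an MS-CHAP client corresponds to the case described above, where the response lacks the encryption keys.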

Keywords: kbenv kbinfo KB282799


© Microsoft Corporation. All rights reserved.