MPPE Attribute Is Required When You Are Using Radius Server with RRAS (282799)



The information in this article applies to:

  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT version 4.0 Option Pack

This article was previously published under Q282799

SUMMARY

When you are using a Radius server for authentication with Routing and Remote Access, the Radius server must return the Microsoft Point-to-Point Encryption (MPPE) keys.

MORE INFORMATION

Returning the MPPE attribute is not a requirement as defined in Request for Comments (RFC) 2548 section 2.4. However, Windows NT 4 Routing and Remote Access will terminate the link when the MPPE attribute is missing in the Radius response.

When RRAS terminates the link, you receive the following error message in the event log:
Event ID 20073
The following error occurred in the point to point protocol module on port [PORTNAME]. The parameter is incorrect.
This only applies when you are using MS-CHAP as the authentication protocol. In Windows 2000, the RAS server no longer terminates the connection when these keys are not available. However, MPPE is negotiated in the PPP Compression Control Protocol (CCP). Radius has no way of knowing if MPPE has been negotiated. If it has been agreed upon, but the encryption keys are not included in the Radius response, encryption does not work.

If either side requires encryption, the connection will fail entirely. Because of this, it is recommended that Radius servers that support MS-CHAP always include the MPPE attribute.
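
To check whether a Radius server actually returns the keys, the Access-Accept can be captured and inspected. The following is an added example, not part of the original article: it walks the attributes of a raw RADIUS packet and reports the MPPE key attributes found under Microsoft's Vendor-Specific attribute. The attribute numbers come from RFC 2865 and RFC 2548 section 2.4; because the article does not say which key attribute it means, accepting any of the three is an assumption, and the sample packets are constructed with placeholder key bytes.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2865)
MS_VENDOR_ID = 311     # Microsoft's enterprise number, used by RFC 2548
ACCESS_ACCEPT = 2
# MPPE key attributes defined in RFC 2548 section 2.4 (vendor-type -> name)
MPPE_KEY_TYPES = {12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def mppe_key_attributes(packet):
    """Return the names of the MPPE key attributes present in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
            # One Vendor-Specific attribute may carry several sub-attributes.
            while vendor_id == MS_VENDOR_ID and len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] in MPPE_KEY_TYPES:
                    found.append(MPPE_KEY_TYPES[sub[0]])
                sub = sub[sub[1]:]
        pos += alen
    return found

def accept_carries_mppe_keys(packet):
    """True only for an Access-Accept that includes at least one MPPE key attribute."""
    return bool(mppe_key_attributes(packet)) and packet[0] == ACCESS_ACCEPT

# --- Constructed sample packets (zeroed authenticator, placeholder key bytes) ---
def build_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_packet(code, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SERVICE_TYPE_FRAMED = build_attr(6, struct.pack("!I", 2))
MS_KEYS = build_attr(VENDOR_SPECIFIC,
                     struct.pack("!I", MS_VENDOR_ID) + build_attr(12, bytes(32)))
ACCEPT_WITHOUT_KEYS = build_packet(ACCESS_ACCEPT, [SERVICE_TYPE_FRAMED])
ACCEPT_WITH_KEYS = build_packet(ACCESS_ACCEPT, [SERVICE_TYPE_FRAMED, MS_KEYS])
```

An Access-Accept for which `accept_carries_mppe_keys` returns False is the response that leads to the link termination or non-working encryption described above.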

Modification Type: Major
Last Reviewed: 10/26/2001
Keywords:kbenv kbinfo KB282799