eap-mschapv2

indira kolli indkolli at gmail.com
Fri Jan 18 17:09:32 CET 2008


Hi Alan,

     I understand that you know a lot more than i do. Can you point me to
right RFC or draft which tells about the EAP-MSCHAPv2 radius call flow.  We
are trying to establish an IKEv2 tunnel using the EAP-MSCHAPv2
authentication. We are not using EAP-PEAP, so no certificates involved.

    We are following the
"<draft-kamath-pppext-eap-mschapv2-01.txt<http://www3.tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01.txt>>",
RFC 3748, RFC 2869, RFC 3079, RFC 3579. But none of these RFC's talk about
the Radius message flow for the EAP-MSCHAPv2. Do you have a sample trace for
the EAP-MSCHAPv2 radius call flow.

    I will really appericiate if you can point me to the right place with
the call flow.

    The problem I am facing is that how will we have the Session Keys which
are used to generate the Master Shared Key used for the IKEv2 tunnel
establishment. The RFC says that we should get the SEND-KEY and the RECV-KEY
from the AAA server.

    Any help will be greatly appericiated.

Cheers,
Indira.






On Jan 18, 2008 9:35 AM, indira kolli <indkolli at gmail.com> wrote:

> I am doing IKEv2 EAP-MSCHAPv2 radius Passthrough.
>
>
>
> On Jan 18, 2008 1:43 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> > indira kolli wrote:
> > >      I finally got it working. I missed the reply to the second
> > > access-challenge.
> >
> >  How could you possibly miss that?  If you're using a standard
> > supplicant, that packet should be about 1/10 of a second after the first
> > one.
> >
> > >    One thing I am still not sure is about MPPE keys.
> > >  For us we are using only EAP-MSCHAPv2 without peap.
> > >  The authenticator needs the MPPE keys to authenticate the peer.
> > > But in the EAP-MSCAHPv2 Access-Challenge or Access-accept don't see
> > the
> > > keys. I see that the keys are generated for MSCHAPv2 but are
> > > deleted before the request is sent.
> >
> >  Perhaps you could try reading my messages.  You were already told that
> > EAP-MSCHAPv2 does not generate the MPPE keys.
> >
> >  Even if you changed the server source code, the AP's wouldn't look for
> > the MPPE keys.  Even if you fixed the AP's, the supplicants wouldn't use
> > encryption for the wireless links.
> >
> >  And you haven't said if you're using this for wireless or wired
> > authentication.
> >
> >  I think you're really not clear on what you want to do, how the
> > equipment works, and how the protocols work.  I suggest spending time
> > reading more AP documentation before asking EAP-MSCHAPv2 questions on
> > this list.  The problem is NOT EAP-MSCHAPv2.  The problem is that you
> > don't know what's going on, and as a result, are expecting that
> > EAP-MSCHAPv2 do things it's not supposed to do.  Trying to "Fix"
> > EAP-MSCHAPv2 is a waste of time.  Find out why your expectations are
> > wrong, and fix them.
> >
> >  Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080118/3e721776/attachment.html>


More information about the Freeradius-Users mailing list