Re: eap-mschapv2
Hi Alan,

     I understand that you know a lot more than I do. Can you point me to the right RFC or draft that describes the EAP-MSCHAPv2 RADIUS call flow? We are trying to establish an IKEv2 tunnel using EAP-MSCHAPv2 authentication. We are not using EAP-PEAP, so no certificates are involved.

    We are following "<draft-kamath-pppext-eap-mschapv2-01.txt>", RFC 3748, RFC 2869, RFC 3079 and RFC 3579. But none of these RFCs talk about the RADIUS message flow for EAP-MSCHAPv2. Do you have a sample trace of the EAP-MSCHAPv2 RADIUS call flow?

    I would really appreciate it if you could point me to the right place with the call flow.

    The problem I am facing is how we will obtain the Session Keys that are used to generate the Master Shared Key used for the IKEv2 tunnel establishment. The RFC says that we should get the SEND-KEY and the RECV-KEY from the AAA server.

    Any help will be greatly appreciated.

Cheers,
Indira.
On Jan 18, 2008 9:35 AM, indira kolli <indkolli@gmail.com> wrote:
I am doing IKEv2 EAP-MSCHAPv2 radius Passthrough.
On Jan 18, 2008 1:43 AM, Alan DeKok <aland@deployingradius.com> wrote:
indira kolli wrote:
>      I finally got it working. I missed the reply to the second
> access-challenge.

 How could you possibly miss that?  If you're using a standard
supplicant, that packet should be about 1/10 of a second after the first
one.

>    One thing I am still not sure about is the MPPE keys.
>  For us we are using only EAP-MSCHAPv2 without PEAP.
>  The authenticator needs the MPPE keys to authenticate the peer.
> But in the EAP-MSCHAPv2 Access-Challenge or Access-Accept I don't see the
> keys. I see that the keys are generated for MSCHAPv2 but are
> deleted before the request is sent.

 Perhaps you could try reading my messages.  You were already told that
EAP-MSCHAPv2 does not generate the MPPE keys.

 Even if you changed the server source code, the AP's wouldn't look for
the MPPE keys.  Even if you fixed the AP's, the supplicants wouldn't use
encryption for the wireless links.

 And you haven't said if you're using this for wireless or wired
authentication.

 I think you're really not clear on what you want to do, how the
equipment works, and how the protocols work.  I suggest spending time
reading more AP documentation before asking EAP-MSCHAPv2 questions on
this list.  The problem is NOT EAP-MSCHAPv2.  The problem is that you
don't know what's going on, and as a result, are expecting that
EAP-MSCHAPv2 do things it's not supposed to do.  Trying to "Fix"
EAP-MSCHAPv2 is a waste of time.  Find out why your expectations are
wrong, and fix them.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
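
The key-handling question in Indira's message (how the IKEv2 gateway gets from the AAA server's SEND-KEY and RECV-KEY to the key used for tunnel establishment) is the one part that the RFCs she lists do cover, spread across three documents: RFC 2548 section 2.4 defines how MS-MPPE-Send-Key and MS-MPPE-Recv-Key are encrypted inside the Access-Accept, RFC 3748 section 7.10 fixes the order in which they make up the EAP MSK (Enc-RECV-Key first, Enc-SEND-Key second), and RFC 4306 sections 2.15 and 2.16 use that MSK as the shared secret when computing the IKEv2 AUTH payload. The block below is an added example written for this archive page in Python; it is not code from the thread, from FreeRADIUS or from any IKEv2 implementation. The RADIUS shared secret, the Request-Authenticator, the key bytes, the salts and the signed-octets buffer handed to the AUTH computation are all constructed, and the example assumes the server really does return the two attributes, which, as Alan states above, stand-alone EAP-MSCHAPv2 on the server discussed here does not. The one caveat practitioners most often trip over is built into the decrypt routine: the authenticator that keys the MPPE decryption is the Request-Authenticator of the Access-Request being answered, not the Response-Authenticator carried in the Access-Accept.

```python
"""RADIUS-passthrough side of EAP over IKEv2: decrypt MS-MPPE-Recv-Key and
MS-MPPE-Send-Key from an Access-Accept (RFC 2548 section 2.4), form the EAP
MSK in RFC 3748 section 7.10 order, and use it as the IKEv2 AUTH shared secret
(RFC 4306 sections 2.15/2.16).  Added example, not code from the thread; the
secret, Request-Authenticator, salts, keys and signed octets are constructed."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311          # Microsoft
MS_MPPE_SEND_KEY = 16       # RFC 2548 vendor types
MS_MPPE_RECV_KEY = 17


def mppe_encrypt(secret, request_auth, salt, key):
    """RFC 2548: P = Key-Length || Key || zero pad to 16n.  Block 1 is XORed
    with MD5(S|R|A), block i with MD5(S|c(i-1)), c being ciphertext blocks."""
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    out, prev = bytearray(), None
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + (request_auth + salt if prev is None else prev)).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += prev
    return salt + bytes(out)


def mppe_decrypt(secret, request_auth, value):
    """Inverse of mppe_encrypt.  request_auth is the Request-Authenticator of
    the Access-Request being answered, not the Accept's Response-Authenticator."""
    salt, ct = value[:2], value[2:]
    if len(ct) == 0 or len(ct) % 16 or not (salt[0] & 0x80):
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = bytearray(), None
    for i in range(0, len(ct), 16):
        c = ct[i:i + 16]
        b = hashlib.md5(secret + (request_auth + salt if prev is None else prev)).digest()
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("bad key length in MS-MPPE attribute")
    return bytes(plain[1:1 + key_len])


def ms_vsa(vendor_type, value):
    """Type 26 | Length | Vendor-Id | Vendor-Type | Vendor-Length | value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", MS_VENDOR_ID) + inner
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def build_access_accept(secret, request_auth, ident, attrs):
    """Response-Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_auth(secret, request_auth, packet):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_mppe_keys(secret, request_auth, packet):
    """Walk the attribute list and decrypt both keys.  One sub-attribute per
    Vendor-Specific attribute is assumed (RFC 2865 allows several)."""
    keys, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        v = packet[pos + 2:pos + length]
        pos += length
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
        if vendor != MS_VENDOR_ID or vlen != len(v) - 4:
            continue
        if vtype in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
            keys[vtype] = mppe_decrypt(secret, request_auth, v[6:])
    return keys


def msk_from_mppe(keys):
    """RFC 3748 7.10: MSK = Enc-RECV-Key || Enc-SEND-Key, i.e. Recv then Send."""
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]


def ikev2_eap_auth(msk, signed_octets, prf=hashlib.sha1):
    """RFC 4306 2.16: with EAP the Shared Secret is the MSK, and
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <signed octets>).
    Assembling the signed octets from IKE_SA_INIT is left to the caller."""
    inner = hmac.new(msk, b"Key Pad for IKEv2", prf).digest()
    return hmac.new(inner, signed_octets, prf).digest()


def demo():
    secret = b"testing123"                 # constructed RADIUS shared secret
    request_auth = bytes(range(16))        # constructed Request-Authenticator
    send_key = bytes(range(0x10, 0x20))    # constructed 16-byte MPPE keys
    recv_key = bytes(range(0x20, 0x30))
    attrs = (ms_vsa(MS_MPPE_SEND_KEY, mppe_encrypt(secret, request_auth, b"\x80\x01", send_key))
             + ms_vsa(MS_MPPE_RECV_KEY, mppe_encrypt(secret, request_auth, b"\x80\x02", recv_key)))
    pkt = build_access_accept(secret, request_auth, 7, attrs)
    if not verify_response_auth(secret, request_auth, pkt):
        raise ValueError("Response-Authenticator mismatch; drop the packet")
    keys = extract_mppe_keys(secret, request_auth, pkt)
    msk = msk_from_mppe(keys)
    return {"packet": pkt, "send": keys[MS_MPPE_SEND_KEY], "recv": keys[MS_MPPE_RECV_KEY],
            "msk": msk, "auth": ikev2_eap_auth(msk, b"constructed-signed-octets")}
```

Run `demo()` to see the two 16-byte keys come back out of the packet, the 32-byte MSK with the Recv half first, and a 20-byte AUTH value. The Response-Authenticator check is performed before any key is decrypted, since a gateway that decrypts MPPE keys from an unverified Access-Accept will happily derive an IKEv2 AUTH secret from whatever a spoofed packet contains.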