Communigate with PEAP-MSCHAPv2
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Sep 28 16:32:36 CEST 2011
On 28 Sep 2011, at 16:10, Rosario Lumia wrote:
>
>
> 2011/9/28 Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>
> Sorry, do you mean I have to store in my mailserver cleartext or MD4 password?
I'm saying that in order to do PEAP/MSCHAPv2 you have to have access to the Cleartext-Password or NT-Password, or be able to proxy the MSCHAPv2 data to something else that has access to the Cleartext-Password or NT-Password attribute (usually Active Directory).
If the CommuniGate box stores this information or lets you populate this information then execute a query to populate control:Cleartext-Password or control:NT-Password in the authorize section of the inner-server after the call to the EAP module.
The reason why TTLS-PAP is working is because the server has a cleartext version of the password from the PAP tunnel which it can send to the CommuniGate box or compare with a value from the CommuniGate box. You can't do this with PEAP because the password is not sent in a reversibly encrypted format.
The Google description for communigate.com mentions RADIUS. I don't have time to go digging through the manuals, but you might want to check if it'd be possible to proxy RADIUS/EAP authentication to the box, and then just make policy decisions with FreeRADIUS.
-Arran
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
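
Added example, not part of the original post and not FreeRADIUS project code: a sketch of the authorize section described above, for the inner virtual server (raddb/sites-available/inner-tunnel in the stock layout). The "sql" module instance, the table "cgp_accounts" and the columns "username" and "nt_hash" are assumptions standing in for wherever the CommuniGate account data can be queried.

```unlang
# Inner virtual server, authorize section only (added example).
# Assumptions: an "sql" module instance is configured, and a hypothetical
# table cgp_accounts(username, nt_hash) holds each user's NT hash as
# 32 hex characters (MD4 over the UTF-16LE password).
authorize {
	# Let the EAP module handle the inner EAP conversation first.
	# "ok = return" stops processing for packets that need no lookup.
	eap {
		ok = return
	}

	# After the call to the EAP module, populate the control item that
	# MS-CHAPv2 is checked against. A salted or otherwise one-way hash
	# in this column will not work: only Cleartext-Password or
	# NT-Password can be used to verify an MS-CHAPv2 response.
	update control {
		NT-Password := "%{sql:SELECT nt_hash FROM cgp_accounts WHERE username='%{User-Name}'}"
	}

	# If the store holds cleartext instead, set that attribute rather
	# than NT-Password (same hypothetical table, column "cleartext"):
	#
	# update control {
	#	Cleartext-Password := "%{sql:SELECT cleartext FROM cgp_accounts WHERE username='%{User-Name}'}"
	# }
}
```

An NT hash is password-equivalent for MS-CHAPv2, so the database account used by the sql module should have read-only access to this one table and the link to it should be protected.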