On 2016-09-23 10:58, Alan DeKok wrote:
On Sep 23, 2016, at 12:27 PM, Laurens Vets <laurens@daemon.be> wrote:
I've got FreeRADIUS working with both OpenVPN (Android app + Windows) and StrongSwan (Android app). Authentication method used is eap-gtc with SSHA2 passwords. This all works.
I'm now trying to integrate macOS and iOS clients as well, but I'm having a bit of a problem here. When either client sets up a connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request, which obviously doesn't work with SSHA2 passwords.
Is there a way to either translate or proxy this MSCHAPv2 request into for instance an EAP-GTC request
It's impossible.
http://deployingradius.com/documents/protocols/compatibility.html
or is there a way to force the client to not use MSCHAPv2?
Update the client configuration. There is nothing you can do to FreeRADIUS which will change the client.
Thank you for your quick response! The clients are macOS Sierra and iOS 10, so it will be a bit difficult to update... What would be the best way to handle user passwords in this scenario? What I'm trying to achieve is a safe password storage/management, i.e. if the userdb gets stolen. Clearly cleartext password and NT hash are not sufficient in this situation.