Stefan Winter wrote:
we're trying to get IKEv2 under Windows 7 going. It can use among others "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.
OK. That's getting to be a more common.
I noticed that rlm_mschap can be configured to calculate and send MPPE keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be mostly independent.
Is that something that can easily be added?
Yup.
BTW, a check back with a developer "Martin" from strongswan.org yielded:
"Then I'd assume you are using FreeRADIUS :-).
It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however requires the MSK to calculate the AUTH payload.
OK.
In its current form, you can't use FreeRADIUS for your setup, my apologies. One could extend FreeRADIUS to copy over the MPPE keys, but writing such a patch is not something I can do in a few minutes."
<shrug> src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there are 4 calls to "pairdelete" remove the MPPE keys from the reply. if (handler->request->parent) { pairdelete(&handler->request->reply->vps, ((311 << 16) | 7)); ... } add the "if (handler..." text. It ensures that the MPPE keys are deleted only when the module is being called from inside of a TLS tunnel. I'll put it into 2.1.10, too. Alan DeKok.