On 28 Sep 2011, at 16:10, Rosario Lumia wrote:



2011/9/28 Arran Cudbard-Bell <a.cudbardb@freeradius.org>

Sorry, do you mean I have to store in my mailserver cleartext or Md4 passoword?

I'm saying that in order to do PEAP/MSHCHAPv2 you have to have access to the Cleartext-Password or NT-Password, or be able to proxy the MACHAPv2 data to something else that has access to to the Cleartext-Password or NT-Password attribute (Usually Active Directory).

If the CommuniGate box stores this information or lets you populate this information then execute a query to populate control:Cleartext-Password or control:NT-Password in the authorize section of the inner-server after the call to the EAP module.

The reason why TTLS-PAP is working, is because the server has a cleartext version of the password from the PAP tunnel which it can send to the CommuniGate box or compare with a value from the CommuniGate box. You can't do this with PEAP because the password is not sent in a reversibly encrypted format.

The google description for communigate.com mentions RADIUS, I don't have time to go digging through the manuals, but you might want to check if it'd be possible to proxy RADIUS/EAP authentication to the box, and then just make policy decisions with FreeRADIUS.

-Arran

Arran Cudbard-Bell
a.cudbardb@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !