RE: MPPE with PPTP - external module (P K)
Hi Alan, How can I do that multiOTP either supply the NT-Password to FreeRADIUS (the best option for me), or how to supply the derived attributes MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc. directly. As multiOTP is doing two factor authentication, the NT-Password is not sensitive, as a new is created each time. I already fixed that with TeKRADIUS by supplying the clear one time password back to TekRADIUS. Regards, Andre
P K wrote:
VPN works fine with CHAP & MSCHAP with multiotp. The trouble is encryption (PPTP with MPPE). When encryption is selected by the user, VPN fails. The problem is that radius will not send the required MPPE responses(MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc.) to NAS.
Because the multiotp program isn't supplying them to FreeRADIUS.
I note that mschap module has options like use_mppe, require_encryption etc.. How can I get radius to send those when I'm using multiotp module to perform chap/mschap so that PPTP with MPPE works?
Make the multiotp program supply them to FreeRADIUS.
The keys are derived from the NT-Password, and the MS-CHAP information. Since FreeRADIUS doesn't have the NT-Password, it can't derive the keys.
Alan DeKok.
Hi Alan, I guess what Andre is asking is: 1. Is there any way he could make changes to multiOTP so that it passes the NT Password back to freeradius so that freeradius creates the mppe stuff (MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc) and sends to NAS? Is yes then what is the parameter name that freeradius will need to the mppe bit? If not then, 2. Am I correct in understanding that multiOTP (when executed using exec) needs to send MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc as output to freeradius? RFC2548 describes the process to create these keys. (1) would be simpler - I believe that's the approach he has taken with tekradius successfully. Thanks. On 2 April 2014 15:21, Alan DeKok <aland@deployingradius.com> wrote:
S y s C o / developer wrote:
How can I do that multiOTP
Ask the MultiOTP people. We didn't write that software. I know nothing about it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
P K wrote:
I guess what Andre is asking is:
1. Is there any way he could make changes to multiOTP so that it passes the NT Password back to freeradius so that freeradius creates the mppe stuff (MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc) and sends to NAS? Is yes then what is the parameter name that freeradius will need to the mppe bit?
Yes. The mschap program already does this using ntlm_auth. So... you make MultiOTP behave the same as ntlm_auth.
If not then, 2. Am I correct in understanding that multiOTP (when executed using exec) needs to send MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc as output to freeradius? RFC2548 describes the process to create these keys.
That won't work for a number of reasons. Alan DeKok.
Thanks Alan. I understand now. On 4 April 2014 13:30, Alan DeKok <aland@deployingradius.com> wrote:
P K wrote:
I guess what Andre is asking is:
1. Is there any way he could make changes to multiOTP so that it passes the NT Password back to freeradius so that freeradius creates the mppe stuff (MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc) and sends to NAS? Is yes then what is the parameter name that freeradius will need to the mppe bit?
Yes. The mschap program already does this using ntlm_auth. So... you make MultiOTP behave the same as ntlm_auth.
If not then, 2. Am I correct in understanding that multiOTP (when executed using exec) needs to send MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc as output to freeradius? RFC2548 describes the process to create these keys.
That won't work for a number of reasons.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Alan & Andre. Andre has shipped 4.2.4.1 version of multiotp which behaves like ntlm_auth (request-nt-key) and returns NT_KEY. I've tested this and it works perfectly on VPN (PPTP + MPPE). radtest shows the MPPE fields being returned. I'll summarise the config for people who may be looking for the solution in future: Summary: Since I use the same radius server for various NAS and different protocols, I configured to operate on IP Address of NAS. 1. Create module/multiotp with the following contents: exec multiotp { wait = yes input_pairs = request output_pairs = reply program = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}" shell_escape = yes } 2. Copy module/mschap to module/multiotpmschap. Change the following line in multiotpmschap: "mschap {" -----> "mschap multiotpmschap {" Also change ntlm_auth variable: ntlm_auth = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}" 3. Change sites-available/default Make sure this line is anywhere below "mschap" in Authorize section: # Change 172.17.17.17 to your NAS IP if (NAS-IP-Address =~ /172\.17\.17\.17/i) { if (control:Auth-Type == 'MS-CHAP') { update control { Auth-Type := multiotpmschap } } else { update control { Auth-Type := multiotp } } } So effectively, if NAS is 172.17,17,17 and Auth-Type is set to MS-CHAP (by mschap module) - we set the Auth-Type to multiotpmschap. Else - for chap and pap, we use multiotp. 4. Finally add this in Authenticate section Auth-Type multiotp { multiotp } Auth-Type multiotpmschap { multiotpmschap } Test with radtest: ----------------- radtest -t mschap MYUSER MYMOTPPASSWD localhost 10 MYRADIUSPASSWD -1 172.17.17.17 Sending Access-Request of id 19 to 127.0.0.1 port 1812 User-Name = "MYUSER" NAS-IP-Address = 172.17.17.17 NAS-Port = 10 Framed-Protocol = PPP MS-CHAP-Challenge = 0xc90c5f25c89f571b MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fde990c33e7e7ab22531fb74d2176006423f992ef6372c53 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=19, length=84 MS-CHAP-MPPE-Keys = 0x00000000000000005d6292d8bd881a63d8e05973b517da5c0000000000000000 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000006 Note the MPPE keys being returned. PS: Step 2 & 3 is required if you want to operate on multiple NAS and change behaviour. If you want to use multiotp for all mschap regardless of NAS then one can simply enable ntlm_auth to use multiotp directly. No need to make copy. Hope this helps someone. Thanks again! On 4 April 2014 14:05, P K <getpkme@gmail.com> wrote:
Thanks Alan. I understand now.
On 4 April 2014 13:30, Alan DeKok <aland@deployingradius.com> wrote:
P K wrote:
I guess what Andre is asking is:
1. Is there any way he could make changes to multiOTP so that it passes the NT Password back to freeradius so that freeradius creates the mppe stuff (MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc) and sends to NAS? Is yes then what is the parameter name that freeradius will need to the mppe bit?
Yes. The mschap program already does this using ntlm_auth. So... you make MultiOTP behave the same as ntlm_auth.
If not then, 2. Am I correct in understanding that multiOTP (when executed using exec) needs to send MS-MPPE-Recv-Key, MS-MPPE-Send-Key etc as output to freeradius? RFC2548 describes the process to create these keys.
That won't work for a number of reasons.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
P K -
S y s C o / developer