Translate authentication requests
Hello list, I've got FreeRADIUS working with both OpenVPN (Android app + Windows) and StrongSwan (Android app). Authentication method used is eap-gtc with SSHA2 passwords. This all works. I'm now trying to integrate macOS and iOS clients as well, but I'm having a bit of a problem here. When either client sets up a connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request, which obviously doesn't work with SSHA2 passwords. Is there a way to either translate or proxy this MSCHAPv2 request into for instance an EAP-GTC request or is there a way to force the client to not use MSCHAPv2?
On Sep 23, 2016, at 12:27 PM, Laurens Vets <laurens@daemon.be> wrote:
I've got FreeRADIUS working with both OpenVPN (Android app + Windows) and StrongSwan (Android app). Authentication method used is eap-gtc with SSHA2 passwords. This all works.
I'm now trying to integrate macOS and iOS clients as well, but I'm having a bit of a problem here. When either client sets up a connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request, which obviously doesn't work with SSHA2 passwords.
Is there a way to either translate or proxy this MSCHAPv2 request into for instance an EAP-GTC request
It's impossible. http://deployingradius.com/documents/protocols/compatibility.html
or is there a way to force the client to not use MSCHAPv2?
Update the client configuration. There is nothing you can do to FreeRADIUS which will change the client. Alan DeKok.
On 2016-09-23 10:58, Alan DeKok wrote:
On Sep 23, 2016, at 12:27 PM, Laurens Vets <laurens@daemon.be> wrote:
I've got FreeRADIUS working with both OpenVPN (Android app + Windows) and StrongSwan (Android app). Authentication method used is eap-gtc with SSHA2 passwords. This all works.
I'm now trying to integrate macOS and iOS clients as well, but I'm having a bit of a problem here. When either client sets up a connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request, which obviously doesn't work with SSHA2 passwords.
Is there a way to either translate or proxy this MSCHAPv2 request into for instance an EAP-GTC request
It's impossible.
http://deployingradius.com/documents/protocols/compatibility.html
or is there a way to force the client to not use MSCHAPv2?
Update the client configuration. There is nothing you can do to FreeRADIUS which will change the client.
Thank you for your quick response! The clients are macOS Sierra and iOS 10, so it will be a bit difficult to update... What would be the best way to handle user passwords in this scenario? What I'm trying to achieve is a safe password storage/management, i.e. if the userdb gets stolen. Clearly cleartext password and NT hash are not sufficient in this situation.
Hi,
What would be the best way to handle user passwords in this scenario? What I'm trying to achieve is a safe password storage/management, i.e. if the userdb gets stolen. Clearly cleartext password and NT hash are not sufficient in this situation.
use certs instead for the authentication? alan
On Sep 23, 2016, at 2:45 PM, Laurens Vets <laurens@daemon.be> wrote:
Thank you for your quick response! The clients are macOS Sierra and iOS 10, so it will be a bit difficult to update...
Yes,
What would be the best way to handle user passwords in this scenario?
Use clear-text passwords.
What I'm trying to achieve is a safe password storage/management, i.e. if the userdb gets stolen. Clearly cleartext password and NT hash are not sufficient in this situation.
a) use clear-text passwords, and keep your database secure b) use EAP-TLS, and client certificates, with no passwords Alan DeKok.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Laurens Vets