EAP-MSCHAPv2 and MPPE key
Hello, we're trying to get IKEv2 under Windows 7 going. It can use among others "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS. While auth succeeds, FreeRADIUS doesn't send MPPE keys back, and Win 7 then rejects the session. I noticed that rlm_mschap can be configured to calculate and send MPPE keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be mostly independent. Is that something that can easily be added? BTW, a check back with a developer "Martin" from strongswan.org yielded: "Then I'd assume you are using FreeRADIUS :-). It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however requires the MSK to calculate the AUTH payload. In its current form, you can't use FreeRADIUS for your setup, my apologies. One could extend FreeRADIUS to copy over the MPPE keys, but writing such a patch is not something I can do in a few minutes." Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Stefan Winter wrote:
we're trying to get IKEv2 under Windows 7 going. It can use among others "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.
OK. That's getting to be a more common.
I noticed that rlm_mschap can be configured to calculate and send MPPE keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be mostly independent.
Is that something that can easily be added?
Yup.
BTW, a check back with a developer "Martin" from strongswan.org yielded:
"Then I'd assume you are using FreeRADIUS :-).
It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however requires the MSK to calculate the AUTH payload.
OK.
In its current form, you can't use FreeRADIUS for your setup, my apologies. One could extend FreeRADIUS to copy over the MPPE keys, but writing such a patch is not something I can do in a few minutes."
<shrug> src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there are 4 calls to "pairdelete" remove the MPPE keys from the reply. if (handler->request->parent) { pairdelete(&handler->request->reply->vps, ((311 << 16) | 7)); ... } add the "if (handler..." text. It ensures that the MPPE keys are deleted only when the module is being called from inside of a TLS tunnel. I'll put it into 2.1.10, too. Alan DeKok.
Hi,
It's slightly more complicated than that... a better fix is in git, branch v2.1.x.
The git fix works like a charm! Thanks a for a fix with a time-to-fix of <1 hour :-) Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Hi, I want to send RADIUS Accounting Messages to another RADIUS Server, depending on some contents of a Packet. 'a Packet' in this context might be an Access or an Accounting Packet. The intended Flow: Packet comes in ... - for Access type, check if user might be authenticated - if OK, try to decide to send an Accounting packet to a Server on some attributes (in my case, VSA from downstream RADIUS Proxy Server) - (possibly) don't care about the answer - for Access type: accept/reject to Client - for Accounting type: ACK to Client As far as I understood, the proxy module does - (only) proxy based on realm - in proxy module, normal local Logfiles won't be used What would be a good solution for this? Thanks Stefan
participants (3)
-
Alan DeKok -
Stefan A. -
Stefan Winter