EAP-PEAP MSCHAPv2 with Python Module
I've configured and tested the EAP-PEAP MSCHAPv2 basic example as documented with FreeRADIUS 3.0.12 using a Windows 10 supplicant configured for WPA2 Enterprise. Instead of using the FreeRADIUS users file for authentication, I want to use a custom Python module in the inner-tunnel (I presume) to authenticate the user with a REST API. 1) How do I know in the Python module when to get in the middle of the multi-step eap authentication without causing problems? 2) How do I get the User-Password? I've seen posts that suggest the User-Password might be sent encrypted in the EAP-Message. If that's the case: 3) How do I know how to decrypt the EAP-Message? 4) Anything else I need to know? Thanks, Gary
On Wed, 2017-11-08 at 16:53 -0700, Gary Gwin wrote:
I've configured and tested the EAP-PEAP MSCHAPv2 basic example as documented with FreeRADIUS 3.0.12 using a Windows 10 supplicant configured for WPA2 Enterprise.
OK...
Instead of using the FreeRADIUS users file for authentication, I want to use a custom Python module in the inner-tunnel (I presume) to authenticate the user with a REST API.
Have you looked at rlm_rest? It might be a better solution. What information does the rest API give you? Or what are you expecting to send to it to check?
1) How do I know in the Python module when to get in the middle of the multi-step eap authentication without causing problems?
I don't understand what this means. If you call rlm_python in the the authenticate section of the inner- tunnel, then it'll be at the right time to do the authentication.
2) How do I get the User-Password?
You can't.
I've seen posts that suggest the User-Password might be sent encrypted in the EAP-Message. If that's the case:
3) How do I know how to decrypt the EAP-Message?
You can't get the plain text password from the EAP-Message.
4) Anything else I need to know?
You need the password in plaintext on the RADIUS server, or the NT hash of it. Nothing else will be able to authenticate MSCHAP requests. See http://deployingradius.com/documents/protocols/compatibility.html -- Matthew
Thanks for the fast response.
Instead of using the FreeRADIUS users file for authentication, I want to use a custom Python module in the inner-tunnel (I presume) to authenticate the user with a REST API.
Have you looked at rlm_rest? It might be a better solution.
I had not, interesting and thanks for reference. It doesn't look like it would work for me as I need to get/manage access and refresh tokens and have custom needs.
What information does the rest API give you? Or what are you expecting to send to it to check?
The API gets dynamic IPs and validates passwords, otp, and NT hashes.
1) How do I know in the Python module when to get in the middle of the multi-step eap authentication without causing problems?
I don't understand what this means.
If you call rlm_python in the the authenticate section of the inner- tunnel, then it'll be at the right time to do the authentication.
You understood ;-) Read that I should be careful not to shortcircuit the EAP negotiations.
2) How do I get the User-Password?
You can't.
Understood. What I'm really asking is how I can get access from the inner-tunnel to the NT hash? I don't see it passed in. Just the User-Name and EAP-Message. If it is encrypted in the EAP-Message payload, how do I decrypt? Thanks, Gary
On Wed, 2017-11-08 at 19:55 -0700, Gary Gwin wrote:
I had not, interesting and thanks for reference. It doesn't look like it would work for me as I need to get/manage access and refresh tokens and have custom needs.
Well, you can do a lot in unlang, but you know it's there to have a look now.
What information does the rest API give you? Or what are you expecting to send to it to check?
The API gets dynamic IPs and validates passwords, otp, and NT hashes.
Gives you the NT hash?
2) How do I get the User-Password?
You can't.
Understood.
What I'm really asking is how I can get access from the inner-tunnel to the NT hash?
You ask your API to give it to you.
I don't see it passed in. Just the User-Name and EAP-Message.
The MSCHAP has the Challenge and Response, not the NT hash. That's what you store in your database. Or the cleartext password, which you can also use. So you get the NT hash from your database using your API and put it in the NT-Password attribute, then call mschap to do the authentication. -- Matthew
On Nov 8, 2017, at 9:55 PM, Gary Gwin <garygwin@gmail.com> wrote:
What I'm really asking is how I can get access from the inner-tunnel to the NT hash?
You can't. It doesn't exist.
I don't see it passed in. Just the User-Name and EAP-Message.
If it is encrypted in the EAP-Message payload, how do I decrypt?
It's not encrypted in EAP-Message. It doesn't exist. This is really quite simple. If FreeRADIUS decodes information from a RADIUS packet or EAP-Message, it shows that information to you. If there's no information shown... there's no information to decode. Perhaps you could explain why you think you need to see the NT hash. Alan DeKok.
Perhaps you could explain why you think you need to see the NT hash.
I'm enlightened and don't think I need it anymore ;-) Here's pseudocode for my Python authorize method for the inner-tunnel: def authorize(RAD_REQUEST): nt_hash = get_user_nt_hash(user_name) config = ( ('NT-Password', nt_hash), ('Auth-Type', ':=', 'MS-CHAP'), ) result = radiusd.RLM_MODULE_OK return (result, (), config) Which is working, the user authenticates, but I see this error: (8) Found Auth-Type = MS-CHAP (8) Found Auth-Type = eap (8) ERROR: Warning: Found 2 auth-types on request for user 'testing' That doesn't seem to cause a problem, but is there something that should be done to suppress the error? Thanks, Gary On Thu, Nov 9, 2017 at 6:09 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 8, 2017, at 9:55 PM, Gary Gwin <garygwin@gmail.com> wrote:
What I'm really asking is how I can get access from the inner-tunnel to the NT hash?
You can't. It doesn't exist.
I don't see it passed in. Just the User-Name and EAP-Message.
If it is encrypted in the EAP-Message payload, how do I decrypt?
It's not encrypted in EAP-Message. It doesn't exist.
This is really quite simple. If FreeRADIUS decodes information from a RADIUS packet or EAP-Message, it shows that information to you. If there's no information shown... there's no information to decode.
Perhaps you could explain why you think you need to see the NT hash.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 9, 2017, at 3:45 PM, Gary Gwin <garygwin@gmail.com> wrote:
Perhaps you could explain why you think you need to see the NT hash.
I'm enlightened and don't think I need it anymore ;-)
Good.
Here's pseudocode for my Python authorize method for the inner-tunnel:
def authorize(RAD_REQUEST): nt_hash = get_user_nt_hash(user_name) config = ( ('NT-Password', nt_hash), ('Auth-Type', ':=', 'MS-CHAP'), )
Don't do that. Set the NT password. Don't set Auth-Type. The server can figure it out.
Which is working, the user authenticates, but I see this error:
(8) Found Auth-Type = MS-CHAP (8) Found Auth-Type = eap (8) ERROR: Warning: Found 2 auth-types on request for user 'testing'
That doesn't seem to cause a problem, but is there something that should be done to suppress the error?
Don't create the bad configuration which results in the error. Alan DeKok.
participants (3)
-
Alan DeKok -
Gary Gwin -
Matthew Newton