Hi, We have the following setup: 1. Linux servers using pam_radius module (which only supports PAP) for user authentication 2. NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2 Before I potentially waste too much time on something impossible - can FreeRADIUS be configured to accept incoming PAP requests, and then proxy them to NPS using PEAP-MSCHAP-V2? Thanks, Xand -- Xand Meaden | Senior Linux Engineer Faculty of Natural & Mathematical Sciences King's College London
hi, I have done something similar for a couple of tech trials and PoCs . the quickest way (to get things up and running) is to throw the PAP request to an external script that launches wpa_supplicant configured with a suitable EAP profile using the username/password that was in the PAP and check the result. if all okay, then Access-Accept to the original PAP, if not, Access-Reject alan
Am 02.09.20 um 10:55 schrieb Xand Meaden via Freeradius-Users:
NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2 The NPS surely is a member of a windows domain, right? If the admins of that domain allowed your FR as a member (i.e. a samba instance on your server), you could feed the passwords directly to mschap/ntlm_auth. This _might_ increase performance over external wpa_supplicant or eapol_test as using this functionality no longer requires spawning an external process. But extending an AD domain like that may pose security issues of its own.
Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
On 04/09/2020 16:51, Martin Pauly wrote:
Am 02.09.20 um 10:55 schrieb Xand Meaden via Freeradius-Users:
NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2 The NPS surely is a member of a windows domain, right? If the admins of that domain allowed your FR as a member (i.e. a samba instance on your server), you could feed the passwords directly to mschap/ntlm_auth. This _might_ increase performance over external wpa_supplicant or eapol_test as using this functionality no longer requires spawning an external process. But extending an AD domain like that may pose security issues of its own.
Thanks - we've been using AD for authentication directly, but are looking to switch to the NPS server as it's tied into a multi-factor authentication system used by other systems. From Alan's suggestion I've got something working using the FreeRADIUS Python module and eapol_test but I'm not completely happy with how it's cobbled together :) Regards, Xand -- Xand Meaden | Senior Linux Engineer Faculty of Natural & Mathematical Sciences King's College London
participants (3)
-
Alan Buxey -
Martin Pauly -
Xand Meaden