freeradius <=> MS IAS passthrough

Ian Savoy isavoy at ewebforce.net
Thu May 17 17:24:54 CEST 2007


So, I made sure all of our settings were configured correctly in 
proxy.conf and in clients.conf.  The way we tested was I had the IAS 
server set the reply message to "yes" like John mentioned.  This helped 
a great deal.

What's happening is, when I use radclient to auth DIRECTLY to the 
IAS server, I get an Access-Accept response.  However, when I use the 
proxy, they are receiving an encrypted password...either that or an 
incorrectly encrypted password that cannot be decrypted by their IAS.  I 
am using the Password attribute with radclient rather than 
User-Password, so I believe when I was using radclient it was sending an 
unencrypted password.  When I run radiusd -X, I am able to see his 
password, so I'm assuming it's being relayed in plain text.  Is this 
correct?  Or does debug mode decrypt the password for my viewing pleasure?

I guess the root of my question is: does IAS send plain-text passwords?  
Also, is there a way I can send the password to IAS via an encryption 
method that it can understand without making a global change?  This 
can't be done in proxy.conf, so would the answer then be user specific?  
On the IAS end, the reason why they can't auth is their problem - their 
proxy is stripping the realm info from the username and just sending us 
user@, i.e. no realm info, but how do I set the FR proxy to relay the 
login info via an encryption method that can be understood by IAS?  They 
accept the following auth methods - MS-CHAP, MS-CHAP V2, CHAP, and PAP.

Thanks for your help again guys (gals)!

-Ian Savoy

John Horne wrote:
> On Wed, 2007-05-16 at 17:12 -0400, Ian Savoy wrote:
>   
>> Is there anything else?
>>
>>     
> Hi,
>
> Not sure if it's still relevant but with our IAS servers the sysadmin
> made sure it set the reply message to "yes". If you test from freeradius
> to the IAS server using the 'radtest' command, and run freeradius as
> 'radiusd -X', you should then see something like this from radiusd:
>
>   rad_recv: Access-Accept packet from host 10.1.2.3:1812, id=0,
> length=74
>         Proxy-State = 0x323235
>         Framed-Protocol = PPP
>         Reply-Message = "Yes"
>         Service-Type = Framed-User
>
>
>
> John.
>
>   


-- 
Ian Savoy
Webforce Systems, Inc
Operations Support/UNIX Engineer
CompTIA A+ Certified Professional
Tech. Support: 614-899-9257 x22
Website: http://www.ewebforce.net
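Editor's note on the password question above. A PAP User-Password attribute is never plain text on the wire: RFC 2865 section 5.2 hides it by XORing each 16-octet block with MD5(shared secret + Request Authenticator) (later blocks chain on the previous ciphertext block). A proxy has to decode it with the secret it shares with the NAS (clients.conf) and re-hide it with the secret it shares with the home server (proxy.conf) and the Request Authenticator of the new packet. That decoded value is what radiusd -X prints. The block below is an added example written for this page, not FreeRADIUS code and not code from the thread; the secrets, authenticators and password in it are constructed test values, and it does not model the realm stripping mentioned in the post.

```python
"""RFC 2865 User-Password hiding, and what a RADIUS proxy must do with it.

Added example, not code from FreeRADIUS or from the thread. The secrets,
authenticators and password below are constructed test values.
"""
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets, minimum one block."""
    if not data:
        return b"\x00" * 16
    return data + b"\x00" * ((-len(data)) % 16)


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as RFC 2865 section 5.2 describes.

    Each 16-octet block is XORed with MD5(secret + previous block), where the
    "previous block" for the first block is the 16-octet Request Authenticator.
    The result is the value carried in the User-Password attribute.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block just produced
    return bytes(out)


def decrypt_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password. This is what a server sees after decoding the
    attribute with the secret configured for that client."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    # RADIUS passwords cannot contain NUL, so stripping the padding is safe.
    return bytes(out).rstrip(b"\x00")


def proxy_reencrypt(hidden: bytes, nas_secret: bytes, nas_authenticator: bytes,
                    home_secret: bytes, home_authenticator: bytes) -> bytes:
    """What a proxy does: decode with the inbound (clients.conf) secret, then
    re-hide with the home server's (proxy.conf) secret and the Request
    Authenticator of the new packet it sends onward."""
    clear = decrypt_user_password(hidden, nas_secret, nas_authenticator)
    return encrypt_user_password(clear, home_secret, home_authenticator)


def demo() -> dict:
    """Walk one request from NAS, through the proxy, to the home server."""
    nas_secret = b"nas-secret-constructed"    # constructed value
    home_secret = b"ias-secret-constructed"   # constructed value
    password = b"correct horse battery"       # 21 octets -> two blocks
    nas_auth = os.urandom(16)                 # NAS's Request Authenticator
    home_auth = os.urandom(16)                # proxy's new Request Authenticator

    hidden = encrypt_user_password(password, nas_secret, nas_auth)
    forwarded = proxy_reencrypt(hidden, nas_secret, nas_auth, home_secret, home_auth)
    at_home = decrypt_user_password(forwarded, home_secret, home_auth)

    # Forwarding the NAS ciphertext unchanged is the failure mode to avoid:
    # the home server decodes with its own secret and authenticator and gets
    # garbage, which it reports as a bad password.
    if_forwarded_raw = decrypt_user_password(hidden, home_secret, home_auth)
    return {
        "hidden_len": len(hidden),
        "at_home": at_home,
        "raw_forward_matches": if_forwarded_raw == password,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the 21-octet password becoming a 32-octet attribute, the home server recovering it only after the proxy re-hides it under the proxy.conf secret, and the raw NAS ciphertext decoding to garbage at the home server. Both secrets and both Request Authenticators have to match on each hop, which is why a wrong secret in either clients.conf or proxy.conf looks, from the far end, like "an incorrectly encrypted password".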