eap-mschapv2

Alan DeKok aland at deployingradius.com
Fri Jan 18 17:44:47 CET 2008


indira kolli wrote:
>      I understand that you know a lot more than I do.

  That isn't the problem.  The problem is that you are not describing
what you want to do, what you expect, and why you expect it.  This makes
it nearly impossible to help you.

> Can you point me
> to right RFC or draft which tells about the EAP-MSCHAPv2 radius call
> flow.

  No.  EAP-MSCHAPv2 is just EAP.  See the EAP/RADIUS RFC's for examples.

>  We are trying to establish an IKEv2 tunnel using the EAP-MSCHAPv2
> authentication. We are not using EAP-PEAP, so no certificates involved.

  Can you say which software you're using?  Why are you trying to do
this?  What documentation said that this would work?  Can you say *why*
you are trying to do this?  Which piece of documentation led you to
believe that this would work?  Be specific.

  Not that I expect answers to any of my questions... you've been very
good about ignoring all of my questions, and asking more questions of
your own.  I'm not asking questions because I'm typing randomly.  I'm
asking questions because I need MORE INFORMATION to be able to help you.

  You've made it clear that you're not very interested in providing
more information, so.... I don't see how (or why) I can help you.

>     We are following the "<draft-kamath-pppext-eap-mschapv2-01.txt
> <http://www3.tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01.txt>>",
> RFC 3748, RFC 2869, RFC 3079, RFC 3579. But none of these RFC's talk
> about the Radius message flow for the EAP-MSCHAPv2. Do you have a sample
> trace for the EAP-MSCHAPv2 radius call flow.

  Here's a simple question: Are you configuring existing software, or
writing new software?

  If you're configuring existing software to do EAP-MSCHAPv2
authentication for IKEv2, then read the documentation that comes with
the software.  Ask the authors of the IKEv2 software questions about
their software.

  If you're writing new software (i.e. IKEv2 implementation), then go
ask questions on an IPSec mailing list.

  I have no idea why you're asking questions here.  Yes, I understand
you think it's the fault of RADIUS for not doing what you expect.  But I
suspect (very much) that your expectations are wrong.

>     I will really appreciate if you can point me to the right place
> with the call flow.
>  
>     The problem I am facing is that how will we have the Session Keys
> which are used to generate the Master Shared Key used for the IKEv2
> tunnel establishment. The RFC says that we should get the SEND-KEY and
> the RECV-KEY from the AAA server.

  This is a good example of communication problems.  You reference 5
documents above, and here you say "The RFC says ..."

  If you can't be bothered describing *which* RFC says this, and where,
then I don't see why I should explain anything, either.

  Alan DeKok.



More information about the Freeradius-Users mailing list