EAP-MSCHAPv2 and MPPE key

Stefan Winter stefan.winter at restena.lu
Mon Jun 7 08:44:25 CEST 2010


Hello,

we're trying to get IKEv2 under Windows 7 going. It can use among others
"EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.

While auth succeeds, FreeRADIUS doesn't send MPPE keys back, and Win 7
then rejects the session.

I noticed that rlm_mschap can be configured to calculate and send MPPE
keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be
mostly independent.

Is that something that can easily be added?

BTW, a check back with a developer "Martin" from strongswan.org yielded:

"Then I'd assume you are using FreeRADIUS :-).

It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
requires the MSK to calculate the AUTH payload.

In its current form, you can't use FreeRADIUS for your setup, my
apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
writing such a patch is not something I can do in a few minutes."

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100607/bcbf5358/attachment.pgp>


More information about the Freeradius-Users mailing list