EAP-MSCHAPv2 and MPPE key
Alan DeKok
aland at deployingradius.com
Mon Jun 7 09:06:19 CEST 2010
Stefan Winter wrote:
> we're trying to get IKEv2 under Windows 7 going. It can use among others
> "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.
OK. That's getting to be more common.
> I noticed that rlm_mschap can be configured to calculate and send MPPE
> keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be
> mostly independent.
>
> Is that something that can easily be added?
Yup.
> BTW, a check back with a developer "Martin" from strongswan.org yielded:
>
> "Then I'd assume you are using FreeRADIUS :-).
>
> It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
> requires the MSK to calculate the AUTH payload.
OK.
> In its current form, you can't use FreeRADIUS for your setup, my
> apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
> writing such a patch is not something I can do in a few minutes."
<shrug> src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340: there
are 4 calls to "pairdelete" that remove the MPPE keys from the reply.
if (handler->request->parent) {
        /* inside a TLS tunnel: drop the MPPE keys from the inner reply */
        pairdelete(&handler->request->reply->vps, ((311 << 16) | 7)); /* vendor 311 (Microsoft), attr 7 */
        ...
}
Add the "if (handler..." text. It ensures that the MPPE keys are
deleted only when the module is being called from inside a TLS tunnel.
I'll put it into 2.1.10, too.
Alan DeKok.
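The guarded deletes Alan describes, as an added stand-alone illustration (example code written for this page, not FreeRADIUS source). It models REQUEST, VALUE_PAIR, pairadd()/pairdelete()/pairfind() minimally; the four attributes are taken to be the RFC 2548 Microsoft vendor attributes 7, 8, 16 and 17 (only the 7 is visible in the mail, so the other three are an assumption); the MSK layout MS-MPPE-Recv-Key || MS-MPPE-Send-Key follows RFC 3079 / hostapd and is likewise an assumption of this example; all key bytes are constructed sample data.

```c
/* Added example, not FreeRADIUS source: a stand-alone model of the MPPE-key
 * stripping in rlm_eap_mschapv2 with the "if (request->parent)" guard from the
 * thread.  Attribute numbers are RFC 2548 (vendor 311); the MSK layout used by
 * msk_from_reply (Recv-Key || Send-Key) follows RFC 3079 / hostapd and is an
 * assumption of this example; all key bytes are constructed sample data. */
#include <stdlib.h>
#include <string.h>

/* FreeRADIUS 2.x encodes a vendor-specific attribute as (vendor << 16) | attr. */
#define MS_ATTR(n)                ((311 << 16) | (n))
#define MS_MPPE_ENCRYPTION_POLICY MS_ATTR(7)
#define MS_MPPE_ENCRYPTION_TYPES  MS_ATTR(8)
#define MS_MPPE_SEND_KEY          MS_ATTR(16)
#define MS_MPPE_RECV_KEY          MS_ATTR(17)
#define MPPE_KEY_LEN              16

/* Minimal stand-ins for FreeRADIUS' VALUE_PAIR list and REQUEST. */
typedef struct value_pair {
    unsigned int attribute; size_t length; unsigned char data[MPPE_KEY_LEN];
    struct value_pair *next;
} VALUE_PAIR;
typedef struct request {
    struct request *parent;   /* non-NULL for a tunnelled (inner) request */
    VALUE_PAIR *reply;        /* stands in for request->reply->vps */
} REQUEST;

static void pairadd(VALUE_PAIR **first, unsigned int attr, const unsigned char *d, size_t len)
{
    VALUE_PAIR *vp = calloc(1, sizeof(*vp));
    if (!vp || len > MPPE_KEY_LEN) abort();
    vp->attribute = attr; vp->length = len; memcpy(vp->data, d, len);
    vp->next = *first; *first = vp;
}
/* Remove every pair carrying `attr`, like FreeRADIUS' pairdelete(). */
static void pairdelete(VALUE_PAIR **first, unsigned int attr)
{
    VALUE_PAIR **pp = first, *dead;
    while (*pp) {
        if ((*pp)->attribute != attr) { pp = &(*pp)->next; continue; }
        dead = *pp; *pp = dead->next; free(dead);
    }
}
static VALUE_PAIR *pairfind(VALUE_PAIR *vp, unsigned int attr)
{
    for (; vp; vp = vp->next) if (vp->attribute == attr) return vp;
    return NULL;
}

/* The four deletes from the thread behind the parent check: inside a TLS
 * tunnel the inner reply's MPPE material is dropped; at the top level (IKEv2
 * with bare EAP-MSCHAPv2) it stays so the gateway can derive the MSK.
 * Returns the number of attributes removed. */
int strip_mppe_if_tunnelled(REQUEST *request)
{
    static const unsigned int mppe[] = { MS_MPPE_ENCRYPTION_POLICY,
        MS_MPPE_ENCRYPTION_TYPES, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY };
    int removed = 0; size_t i;
    if (!request->parent) return 0;   /* outer request: keep the keys */
    for (i = 0; i < sizeof(mppe) / sizeof(mppe[0]); i++) {
        if (pairfind(request->reply, mppe[i])) removed++;
        pairdelete(&request->reply, mppe[i]);
    }
    return removed;
}

/* Assumed MSK layout Recv-Key || Send-Key; 1 on success, 0 if a key is missing. */
int msk_from_reply(VALUE_PAIR *reply, unsigned char msk[2 * MPPE_KEY_LEN])
{
    const VALUE_PAIR *recv = pairfind(reply, MS_MPPE_RECV_KEY);
    const VALUE_PAIR *send = pairfind(reply, MS_MPPE_SEND_KEY);
    if (!recv || !send || recv->length != MPPE_KEY_LEN || send->length != MPPE_KEY_LEN) return 0;
    memcpy(msk, recv->data, MPPE_KEY_LEN);
    memcpy(msk + MPPE_KEY_LEN, send->data, MPPE_KEY_LEN);
    return 1;
}

/* Build a request whose reply holds what rlm_mschap adds after a successful
 * MS-CHAPv2 auth, with sample keys (send = 0x01..0x10, recv = 0x11..0x20). */
static REQUEST sample_request(REQUEST *parent)
{
    REQUEST r = { parent, NULL };
    unsigned char send_key[MPPE_KEY_LEN], recv_key[MPPE_KEY_LEN], one[4] = { 0, 0, 0, 1 };
    int i;
    for (i = 0; i < MPPE_KEY_LEN; i++) { send_key[i] = 0x01 + i; recv_key[i] = 0x11 + i; }
    pairadd(&r.reply, MS_MPPE_ENCRYPTION_POLICY, one, 4);
    pairadd(&r.reply, MS_MPPE_ENCRYPTION_TYPES, one, 4);
    pairadd(&r.reply, MS_MPPE_SEND_KEY, send_key, MPPE_KEY_LEN);
    pairadd(&r.reply, MS_MPPE_RECV_KEY, recv_key, MPPE_KEY_LEN);
    return r;
}

/* Outer request (IKEv2 case): nothing is stripped and the MSK can be built. */
int outer_request_keeps_keys(void)
{
    REQUEST outer = sample_request(NULL);
    unsigned char msk[2 * MPPE_KEY_LEN];
    return strip_mppe_if_tunnelled(&outer) == 0 && msk_from_reply(outer.reply, msk) == 1
        && msk[0] == 0x11 && msk[MPPE_KEY_LEN] == 0x01;
}
/* Inner request (PEAP case): all four attributes go and no MSK is derivable. */
int inner_request_strips_keys(void)
{
    REQUEST outer = sample_request(NULL), inner = sample_request(&outer);
    unsigned char msk[2 * MPPE_KEY_LEN];
    return strip_mppe_if_tunnelled(&inner) == 4 && inner.reply == NULL
        && msk_from_reply(inner.reply, msk) == 0;
}
```

The point the guard makes is visible in the two scenario functions: with no parent the reply keeps its keys and an MSK can be assembled from them; with a parent (the PEAP/EAP-TTLS inner-method case) all four pairs are gone, which is the behaviour the unconditional deletes gave in every case.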