Alan DeKok aland at deployingradius.com
Mon Jun 7 09:06:19 CEST 2010

Stefan Winter wrote:
> we're trying to get IKEv2 under Windows 7 going. It can use among others
> "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.

  OK.  That's getting to be a more common.

> I noticed that rlm_mschap can be configured to calculate and send MPPE
> keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be
> mostly independent.
> Is that something that can easily be added?


> BTW, a check back with a developer "Martin" from strongswan.org yielded:
> "Then I'd assume you are using FreeRADIUS :-).
> It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
> requires the MSK to calculate the AUTH payload.


> In its current form, you can't use FreeRADIUS for your setup, my
> apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
> writing such a patch is not something I can do in a few minutes."

  <shrug>  src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there
are 4 calls to "pairdelete" remove the MPPE keys from the reply.

	if (handler->request->parent) {
		pairdelete(&handler->request->reply->vps, ((311 << 16) | 7));

  add the "if (handler..." text.  It ensures that the MPPE keys are
deleted only when the module is being called from inside of a TLS tunnel.

  I'll put it into 2.1.10, too.

  Alan DeKok.

More information about the Freeradius-Users mailing list