Example configuration that proxy PEAP MSCHAPv2 to an IAS server

Glenn Machin gmachin at sandia.gov
Tue Aug 30 22:12:30 CEST 2011


Phil - thanks for the feedback.

I just ended up proxying out to the IAS server usernames starting with 
"DOMAIN\".

I configured the freeradius server to not support mschapv2 but will 
support PEAP/GTC EAP/TLS.


It seems to be working fine with the Macs, iPads and Linux systems while 
the windows systems are happy to talk to the IAS server.


It still bugs that ntlm_auth would not authenticate to the domain 
controllers the challenge and nt-response.


I assume no one else is having any issues using ntlm_auth to W2008 
servers?   It may be some Windows GPO at our site for all I know.


Thanks again.


Glenn




On 8/27/11 5:01 AM, Phil Mayers wrote:
> On 08/26/2011 10:40 PM, Glenn Machin wrote:
>> I using radiusd: FreeRADIUS Version 2.1.11.
>>
>> I cannot seem to get the RHEL5 (2.6.18-238.9.1.el5) ntlm_auth program to
>> properly authenticate the challenge and nt-response packets.
>> If I set the password using clear-text and also set
>> MS-CHAP-Use-NTLM-Auth, the authentication works fine. The version of
>> ntlm_auth is Version 3.5.4-0.83.el5
>
> If you supply the debugging output of "radiusd -X", perhaps someone 
> can help you with that.
>
>>
>>
>> So my next step is to try to filter PEAP MSCHAPv2 requests and proxy
>> them off to an IAS server. However I still want PEAP GTC packets handled
>> on this server.
>
> Can't be done cleanly. You can only proxy the inner-EAP conversation, 
> since it's only there that you know the inner-EAP type. But the 
> problem is you need to proxy the *entire* inner EAP conversation, and 
> that includes the EAP-Identity packet, which comes before any EAP type 
> has been decided.
>
> You could proxy the inner EAP-MSCHAP as plain-MSCHAP, but you still 
> have to set the proxy up early enough; something like this might work:
>
> server inner-tunnel {
>   authorize {
>     ...
>     # use horrible technique to find EAP-MSCHAP packets
>     if (EAP-Message =~ /^0x02..00061a..$/) {
>       update control {
>         Proxy-To-Realm := IAS_SERVERS
>       }
>     }
>   }
> }
>
> ...and in eap.conf:
>
> eap {
>   peap {
>     proxy_tunneled_request_as_eap = no
>   }
> }
>
> ...but that solution has problems of its own, namely the EAP-MSCHAP -> 
> plain-MSCHAP conversion is a step that, personally, I think is 
> dangerous and fiddly, and to be avoided if possible.
>
> As I said; I would avoid this. Try to get Samba working if at all 
> possible.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>





More information about the Freeradius-Users mailing list