Force "Accept" to authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 27 18:33:14 CEST 2011
On 27/05/11 16:59, Gary Gatten wrote:
> Can one not "override" the ... not sure what it would be called...
> Example; if I tell FR to use NTLM_AUTH to authenticate a request
> against AD, and AD returns a "reject", can I not override the reject
> with an accept using "update control" or some similar function?
It depends.
If you're using ntlm_auth to do MSCHAP, then no. The MS-CHAPv2 reply
adds a final response, that proves to the *client* that the *server* is
valid. The authentication flow is as follows:
nas -> client: challenge
client -> nas: response
nas -> radius: challenge, response
radius -> nas: final response
nas -> client: final response
...the client checks that the final response is valid against the
challenge and response, as well as its own password, using crypto.
The protocol is *designed* to stop this kind of interference.
Now, a buggy client might ignore the final response, but that is a big
security hole - it means you can man-in-the-middle the MSCHAP - and as
far as I'm aware, all MSCHAP clients (including EAP-PEAP with EAP-MSCHAP
inner, and EAP-TTLS with EAP-MSCHAP inner) check this.
You can of course just "accept" PAP requests, so if you're doing
EAP-TTLS with PAP inner, you can force accept - but you must do it at
the *inner* auth. The outer TTLS still needs to be allowed to flow to
completion unhindered.