Force "Accept" to authentication

Phil Mayers p.mayers at imperial.ac.uk
Fri May 27 18:33:14 CEST 2011


On 27/05/11 16:59, Gary Gatten wrote:
> Can one not "override" the ... not sure what it would be called...
> Example; if I tell FR to use NTLM_AUTH to authenticate a request
> against AD, and AD returns a "reject", can I not override the reject
> with an accept using "update control" or some similar function?

It depends.

If you're using ntlm_auth to do MSCHAP, then no. The MS-CHAPv2 reply 
adds a final response, that proves to the *client* that the *server* is 
valid. The authentication flow is as follows:

nas -> client: challenge
client -> nas: response
nas -> radius: challenge, response
radius -> nas: final response
nas -> client: final response

...the client checks that the final response is valid against the 
challenge and response, as well as its own password, using crypto.

The protocol is *designed* to stop this kind of interference.

Now, a buggy client might ignore the final response, but that is a big 
security hole - it means you can man-in-the-middle the MSCHAP - and as 
far as I'm aware, all MSCHAP clients (including EAP-PEAP with EAP-MSCHAP 
inner, and EAP-TTLS with EAP-MSCHAP inner) check this.
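The server-proof step that defeats a forced accept, as an added example written for this page (it is not from the list post or from FreeRADIUS): the RFC 2759 computation of the MS-CHAPv2 authenticator response, plus the client-side comparison described above. The user name, challenges and the 24-byte NT-Response are constructed stand-ins (a real NT-Response is DES-derived, which this example does not compute), and the "forced" reply models a server that does not hold the password hash.

```python
import hashlib, struct
MAGIC1 = b"Magic server to client signing constant"      # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    f = (lambda x, y, z: (x & y) | (~x & z), lambda x, y, z: (x & y) | (x & z) | (y & z),
         lambda x, y, z: x ^ y ^ z)
    idx = (list(range(16)), [(i % 4) * 4 + i // 4 for i in range(16)],
           [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    shift, const = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)), (0, 0x5A827999, 0x6ED9EBA1)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x, (a, b, c, d) = struct.unpack("<16I", msg[off:off + 64]), h
        for r in range(3):
            for i in range(16):
                t = (a + f[r](b, c, d) + x[idx[r][i]] + const[r]) & mask
                s = shift[r][i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password_hash(password: str) -> bytes:          # RFC 2759 NtPasswordHash
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer: bytes, auth: bytes, user: str) -> bytes:   # RFC 2759 ChallengeHash
    return hashlib.sha1(peer + auth + user.encode()).digest()[:8]

def authenticator_response(pw_hash: bytes, nt_response: bytes, peer: bytes, auth: bytes, user: str) -> str:
    """RFC 2759 GenerateAuthenticatorResponse: the 'final response' in the mail above."""
    d = hashlib.sha1(md4(pw_hash) + nt_response + MAGIC1).digest()
    d = hashlib.sha1(d + challenge_hash(peer, auth, user) + MAGIC2).digest()
    return "S=" + d.hex().upper()

def client_accepts(password: str, reply: str, nt_response: bytes, peer: bytes, auth: bytes, user: str) -> bool:
    """Client side: recompute the final response from its own password and compare."""
    return reply == authenticator_response(nt_password_hash(password), nt_response, peer, auth, user)

def demo() -> tuple:
    user, password = "alice", "clientPass"             # constructed sample values
    auth, peer = bytes(range(16)), bytes(range(16, 32))
    nt_response = bytes(range(24))                     # stand-in for the client's 24-byte NT-Response
    genuine = authenticator_response(nt_password_hash(password), nt_response, peer, auth, user)
    # a server that "forces accept" without the real hash can only put a guess in its place
    forced = authenticator_response(nt_password_hash("wrong"), nt_response, peer, auth, user)
    return (client_accepts(password, genuine, nt_response, peer, auth, user),
            client_accepts(password, forced, nt_response, peer, auth, user))
```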


You can of course just "accept" PAP requests, so if you're doing 
EAP-TTLS with PAP inner, you can force accept - but you must do it at 
the *inner* auth. The outer TTLS still needs to be allowed to flow to 
completion unhindered.


