Translate authentication requests

Laurens Vets laurens at
Fri Sep 23 20:45:28 CEST 2016

On 2016-09-23 10:58, Alan DeKok wrote:
> On Sep 23, 2016, at 12:27 PM, Laurens Vets <laurens at> wrote:
>> I've got FreeRADIUS working with both OpenVPN (Android app + Windows) 
>> and StrongSwan (Android app). Authentication method used is eap-gtc 
>> with SSHA2 passwords. This all works.
>> I'm now trying to integrate macOS and iOS clients as well, but I'm 
>> having a bit of a problem here. When either client sets up a 
>> connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request, 
>> which obviously doesn't work with SSHA2 passwords.
>> Is there a way to either translate or proxy this MSCHAPv2 request into 
>> for instance an EAP-GTC request
>   It's impossible.
>> or is there a way to force the client to not use MSCHAPv2?
>   Update the client configuration.  There is nothing you can do to
> FreeRADIUS which will change the client.

Thank you for your quick response! The clients are macOS Sierra and iOS 
10, so it will be a bit difficult to update...

What would be the best way to handle user passwords in this scenario?
What I'm trying to achieve is a safe password storage/management, i.e. 
if the userdb gets stolen. Clearly cleartext password and NT hash are 
not sufficient in this situation.

More information about the Freeradius-Users mailing list