Translate authentication requests
Laurens Vets
laurens at daemon.be
Fri Sep 23 20:45:28 CEST 2016
On 2016-09-23 10:58, Alan DeKok wrote:
> On Sep 23, 2016, at 12:27 PM, Laurens Vets <laurens at daemon.be> wrote:
>> I've got FreeRADIUS working with both OpenVPN (Android app + Windows)
>> and StrongSwan (Android app). Authentication method used is eap-gtc
>> with SSHA2 passwords. This all works.
>>
>> I'm now trying to integrate macOS and iOS clients as well, but I'm
>> having a bit of a problem here. When either client sets up a
>> connection to StrongSwan, FreeRADIUS receives an MSCHAPv2 request,
>> which obviously doesn't work with SSHA2 passwords.
>>
>> Is there a way to either translate or proxy this MSCHAPv2 request into
>> for instance an EAP-GTC request
>
> It's impossible.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>
>> or is there a way to force the client to not use MSCHAPv2?
>
> Update the client configuration. There is nothing you can do to
> FreeRADIUS which will change the client.

Thank you for your quick response! The clients are macOS Sierra and iOS
10, so it will be a bit difficult to update...

What would be the best way to handle user passwords in this scenario?

What I'm trying to achieve is a safe password storage/management, i.e.
if the userdb gets stolen. Clearly cleartext password and NT hash are
not sufficient in this situation.
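
Why a salted hash works with EAP-GTC but not with a challenge-response method, as an added example that is not part of the original thread. It assumes the common SSHA layout base64(digest || salt); the HMAC exchange is a simplified stand-in for the shape of MSCHAPv2, not MSCHAPv2 itself, and all function names and sample values are constructed.

```python
import base64
import hashlib
import hmac

def make_ssha512(password: str, salt: bytes) -> str:
    """Salted SHA-512 in the common SSHA layout: base64(digest || salt)."""
    digest = hashlib.sha512(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()

def verify_cleartext(stored: str, password: str) -> bool:
    """EAP-GTC case: the server receives the password and re-hashes it with the stored salt."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:64], raw[64:]  # a SHA-512 digest is 64 bytes
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def password_key(password: str) -> bytes:
    """Stand-in for the NT hash (assumption): unsalted, derived from the password alone.
    Whoever holds this value can answer challenges, so it is password-equivalent."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Challenge-response case: only this value crosses the wire, never the password."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

def server_check(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """The server must already hold the same key the client derives."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse"  # constructed sample values
    salt = bytes.fromhex("a1b2c3d4e5f60718")
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    stored = make_ssha512(password, salt)
    response = client_response(password, challenge)
    ssha_digest = base64.b64decode(stored)[:64]
    return {
        "gtc_ok": verify_cleartext(stored, password),
        "gtc_wrong_password": verify_cleartext(stored, "wrong"),
        # With the password-derived key on file, the exchange verifies.
        "cr_with_key": server_check(password_key(password), challenge, response),
        # The salted digest is not that key, and the key cannot be derived from it.
        "cr_with_ssha_only": server_check(ssha_digest, challenge, response),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```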