eap-mschapv2 and MPPE keys

Adam Schumacher adam.schumacher at flightaware.com
Thu Sep 29 21:51:21 CEST 2016


On 9/29/16, 2:24 PM, "Brian Candler" <b.candler at pobox.com> wrote:

>    Have you tried "use_tunneled_reply = yes" ?

I don’t think this is relevant in this case as we aren’t tunneling in peap or ttls.  It is just straight eap-mschapv2.

I did some digging in the freeradius code and I believe I’ve discovered the root cause of my issue.  The opendirectory authentication part of the rlm_mschap module returns directly and all the mppe calculations and responses are bypassed.  This is the case in 2.2.9, 3.0.12, and still in 4.0.x according to github:

https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_mschap/rlm_mschap.c#L2028

Now, while I am okay at reading C code, I’m not sure I’m good enough to write a patch for this.  I’m not even sure such a patch is possible given my limited understanding of the existing architecture and the opendirectory auth.  My understanding is that opendirectory can be configured to store NTLM hashes of user passwords so *theoretically* it should be possible for od_mschap_auth to calculate nthashhash and provide the resulting mppe keys.  

::Adam