eap-mschapv2 and MPPE keys

Alan DeKok aland at deployingradius.com
Fri Sep 30 00:30:11 CEST 2016

On Sep 29, 2016, at 3:51 PM, Adam Schumacher <adam.schumacher at flightaware.com> wrote:
> I did some digging in the freeradius code and I believe I’ve discovered the root cause of my issue.  The opendirectory authentication part of the rlm_mschap module returns directly and all the mppe calculations and responses are bypassed.  This is the case in 2.2.9, 3.0.12, and still in 4.0.x according to github:
> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/modules/rlm_mschap/rlm_mschap.c#L2028

  Ah, yes... that magic. :(

> Now, while I am okay at reading C code, I’m not sure I’m good enough to write a patch for this.  I’m not even sure such a patch is possible given my limited understanding of the existing architecture and the opendirectory auth.  My understanding is that opendirectory can be configured to store NTLM hashes of user passwords so *theoretically* it should be possible for od_mschap_auth to calculate nthashhash and provide the resulting mppe keys.  

  The issue is in getting the NT hashes out of OpenDirectory.  It's not overly clear how that happens.

  I'll see if I can find time to take a look.

  Alan DeKok.

More information about the Freeradius-Users mailing list