Proxying MS-CHAPv2

Alan DeKok aland at deployingradius.com
Thu Nov 2 15:14:33 CET 2017


On Nov 2, 2017, at 9:32 AM, Norman Elton <normelton at gmail.com> wrote:
> 
> We've been running FreeRADIUS for our wireless 802.1x infrastructure
> for years, without problem (thanks!). FreeRADIUS basically proxies
> back to our Windows NPS servers, then injects a VLAN assignment using
> unlang on the Access-Accept.

  That's good.

> Now we're deploying the same architecture for our wired
> infrastructure. I've noticed that the authentication requests between
> the FreeRADIUS servers and NPS for our wired infrastructure are all
> EAP, which is getting rejected since our NPS servers are expecting
> PEAP. I'm assuming I need to specifically tell FreeRADIUS that the
> back-end authentication needs to take place over PEAP,

   You need to proxy PEAP as-is, without modifying it.  i.e. proxy the *outer* session.

   If you're proxying the inner tunnel data, you need to read raddb/mods-enabled/eap.  Look for "proxy_tunneled_request_as_eap", and read the relevant comments.

> but don't see
> where that would be configured. It's basically the same config as our
> wireless infrastructure, but in that case, PEAP/MS-CHAPv2 is
> configured on the access points.

  PEAP isn't configured on the access points.  It's configured on the supplicants.  And PEAP doesn't do MS-CHAPv2 inside of the tunnel.  It does EAP-MSCHAPv2 (sort of).

  So the question is what are the WiFi systems actually doing?  And what are the wired systems doing differently?

  Alan DeKok.
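As an added illustration of the two approaches contrasted above (these fragments are not from the original thread or from the FreeRADIUS project's shipped configuration), the first two blocks proxy the outer PEAP session to NPS untouched and inject the VLAN only once the Access-Accept comes back, so FreeRADIUS never terminates the TLS tunnel and never sees the MS-CHAPv2 exchange; the last block is the inner-tunnel alternative that needs the `proxy_tunneled_request_as_eap` setting. The NPS address, shared secret, realm name and VLAN id are placeholders.

```conf
# raddb/proxy.conf  -- where the untouched outer EAP session goes
home_server nps1 {
	type    = auth
	ipaddr  = 192.0.2.10        # placeholder NPS address
	port    = 1812
	secret  = CHANGE_ME         # placeholder shared secret
}
home_server_pool nps_pool {
	type        = fail-over
	home_server = nps1
}
realm nps {                     # placeholder realm name
	auth_pool = nps_pool
	nostrip                     # leave User-Name as the supplicant sent it
}

# raddb/sites-enabled/default
authorize {
	preprocess
	# Proxy-To-Realm must be set BEFORE the eap module runs, so the
	# local eap module stays out of the conversation and the whole
	# PEAP exchange (outer TLS + encrypted inner EAP-MSCHAPv2) is
	# relayed to NPS as-is.
	update control {
		Proxy-To-Realm := "nps"
	}
	eap
}
post-auth {
	# Runs only for an Access-Accept (rejects go to Post-Auth-Type REJECT).
	# Tag the port with a hypothetical VLAN 42 on the way back to the switch.
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
		Tunnel-Private-Group-Id := "42"
	}
}

# raddb/mods-enabled/eap  -- ONLY for the other design, where FreeRADIUS
# terminates PEAP itself and forwards just the inner data.  The inner
# request is then sent to NPS as EAP-MSCHAPv2 rather than as plain
# MS-CHAPv2, which is what an NPS policy expecting PEAP will accept.
eap {
	peap {
		proxy_tunneled_request_as_eap = yes
	}
}
```

Which of the two you are actually running is what determines whether NPS sees PEAP (outer proxy) or a bare inner request (inner-tunnel proxy), so compare the wired and WiFi virtual servers on that point first.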
