Proxying MS-CHAPv2
Alan DeKok
aland at deployingradius.com
Thu Nov 2 15:14:33 CET 2017
On Nov 2, 2017, at 9:32 AM, Norman Elton <normelton at gmail.com> wrote:
>
> We've been running FreeRADIUS for our wireless 802.1x infrastructure
> for years, without problem (thanks!). FreeRADIUS basically proxies
> back to our Windows NPS servers, then injects a VLAN assignment using
> unlang on the Access-Accept.
That's good.
> Now we're deploying the same architecture for our wired
> infrastructure. I've noticed that the authentication requests between
> the FreeRADIUS servers and NPS for our wired infrastructure is all
> EAP, which is getting rejected since our NPS servers are expecting
> PEAP. I'm assuming I need to specifically tell FreeRADIUS that the
> back-end authentication needs to take place over PEAP,
You need to proxy PEAP as-is, without modifying it. i.e. proxy the *outer* session.
If you're proxying the inner tunnel data, you need to read raddb/mods-enabled/eap. Look for "proxy_tunneled_request_as_eap", and read the relevant comments.
> but don't see
> where that would be configured. It's basically the same config as our
> wireless infrastructure, but in that case, PEAP/MS-CHAPv2 is
> configured on the access points.
PEAP isn't configured on the access points. It's configured on the supplicants. And PEAP doesn't do MS-CHAPv2 inside of the tunnel. It does EAP-MSCHAPv2 (sort of).
So the question is what are the WiFi systems actually doing? And what are the wired systems doing differently?
Alan DeKok.
More information about the Freeradius-Users
mailing list