Proxying PAP to PEAP-MSCHAP-V2


Proxying PAP to PEAP-MSCHAP-V2

Users mailing list
Hi,

We have the following setup:

1. Linux servers using pam_radius module (which only supports PAP) for
user authentication
2. NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2

Before I potentially waste too much time on something impossible - can
FreeRADIUS be configured to accept incoming PAP requests, and then proxy
them to NPS using PEAP-MSCHAP-V2?

Thanks,
Xand

--
Xand Meaden | Senior Linux Engineer
Faculty of Natural & Mathematical Sciences
King's College London



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying PAP to PEAP-MSCHAP-V2

Alan Buxey
Hi,

I have done something similar for a couple of tech trials and PoCs.
The quickest way (to get things up and running) is to throw the
PAP request to an external script that launches wpa_supplicant
configured with a suitable EAP profile using the username/password
that was in the PAP, and check the result. If all okay, then
Access-Accept to the original PAP; if not, Access-Reject.

alan

Re: Proxying PAP to PEAP-MSCHAP-V2

Martin Pauly
On 02.09.20 at 10:55, Xand Meaden via Freeradius-Users wrote:
> NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2
The NPS surely is a member of a Windows domain, right?
If the admins of that domain allowed your FR as a member
(i.e. a samba instance on your server), you could feed the passwords
directly to mschap/ntlm_auth. This _might_ increase performance over
external wpa_supplicant or eapol_test as using this functionality
no longer requires spawning an external process.
But extending an AD domain like that may pose security issues of its own.

Martin

--
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: [hidden email]
   D-35032 Marburg



Re: Proxying PAP to PEAP-MSCHAP-V2

Users mailing list
On 04/09/2020 16:51, Martin Pauly wrote:

> On 02.09.20 at 10:55, Xand Meaden via Freeradius-Users wrote:
>> NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2
> The NPS surely is a member of a windows domain, right?
> If the admins of that domain allowed your FR as a member
> (i.e. a samba instance on your server), you could feed the passwords
> directly to mschap/ntlm_auth. This _might_ increase performance over
> external wpa_supplicant or eapol_test as using this functionality
> no longer requires spawning an external process.
> But extending an AD domain like that may pose security issues of its own.
>
Thanks - we've been using AD for authentication directly, but are
looking to switch to the NPS server as it's tied into a multi-factor
authentication system used by other systems. From Alan's suggestion I've
got something working using the FreeRADIUS Python module and eapol_test
but I'm not completely happy with how it's cobbled together :)

Regards,
Xand

--
Xand Meaden | Senior Linux Engineer
Faculty of Natural & Mathematical Sciences
King's College London

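The approach Alan describes and Xand later built (FreeRADIUS hands the PAP credentials to an external process that runs eapol_test against NPS with a PEAP/MSCHAPv2 profile) looks roughly like the script below. This is an added example, not code from the thread or from the FreeRADIUS or wpa_supplicant projects. The script name pap2peap.sh, the rlm_exec wiring shown in the header comment, the NPS address 192.0.2.10, the secret file and CA certificate paths, and the NPS_* environment variables are all assumptions; the eapol_test flags (-c, -a, -s, -t) and the rlm_exec exit-code convention (0 = ok, 1 = reject, 2 = fail) are the real ones.

```shell
#!/bin/bash
# pap2peap.sh: an assumed rlm_exec helper (not code from the thread).
# FreeRADIUS hands the PAP request to this script; the script runs eapol_test
# with a PEAP/MSCHAPv2 profile against NPS and exits with an rlm_exec code.
#
# Assumed FreeRADIUS 3.x wiring (module and site configuration):
#
#   exec pap2peap {
#       wait         = yes
#       program      = "/usr/local/bin/pap2peap.sh --run"
#       input_pairs  = request   # exports User-Name as $USER_NAME, User-Password as $USER_PASSWORD
#       shell_escape = yes
#   }
#   authorize    { ... update control { Auth-Type := pap2peap } }
#   authenticate { Auth-Type pap2peap { pap2peap } }
#
# Taking the credentials from the environment keeps them off the command line
# and therefore out of `ps`.

set -u

# Assumed deployment values; override through the environment.
NPS_HOST="${NPS_HOST:-192.0.2.10}"                                      # placeholder NPS address
NPS_SECRET_FILE="${NPS_SECRET_FILE:-/etc/freeradius/pap2peap.secret}"   # RADIUS shared secret, mode 0600
NPS_CA_CERT="${NPS_CA_CERT:-/etc/ssl/certs/nps-ca.pem}"                 # CA that issued the NPS server certificate
EAPOL_TEST="${EAPOL_TEST:-/usr/bin/eapol_test}"

# Escape a value for a double-quoted wpa_supplicant string: backslash and
# double quote are the two characters that would otherwise break the quoting.
wpa_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Render the eapol_test network block: PEAP outer tunnel, MSCHAPv2 inner auth,
# server certificate validated against NPS_CA_CERT (without ca_cert the client
# would hand the MSCHAPv2 exchange to any server presenting any certificate).
build_config() {
    local user="$1" pass="$2"
    printf 'network={\n'
    printf '  key_mgmt=WPA-EAP\n'
    printf '  eap=PEAP\n'
    printf '  anonymous_identity="anonymous"\n'
    printf '  identity="%s"\n' "$(wpa_quote "$user")"
    printf '  password="%s"\n' "$(wpa_quote "$pass")"
    printf '  phase2="auth=MSCHAPV2"\n'
    printf '  ca_cert="%s"\n' "$NPS_CA_CERT"
    printf '}\n'
}

# eapol_test exits 0 only after EAP-Success. rlm_exec reads 0 = ok
# (Access-Accept) and 1 = reject; anything that is not a clean success is
# a reject. Local errors in authenticate() are reported as 2 = fail instead.
map_exit() {
    if [ "$1" -eq 0 ]; then echo 0; else echo 1; fi
}

# Run one authentication. Prints the rlm_exec code rather than exiting so
# the function can be exercised without FreeRADIUS.
authenticate() {
    local user="$1" pass="$2" nl secret cfg rc
    # A newline in either value could smuggle extra directives into the
    # generated config (the quoted-string syntax cannot carry one anyway).
    nl="$(printf '\nx')"; nl="${nl%x}"
    case "$user$pass" in *"$nl"*) echo 1; return;; esac
    secret="$(cat "$NPS_SECRET_FILE")" || { echo 2; return; }
    umask 077                                  # temp config holds the cleartext password
    cfg="$(mktemp)" || { echo 2; return; }
    build_config "$user" "$pass" > "$cfg"
    rc=0
    "$EAPOL_TEST" -c "$cfg" -a "$NPS_HOST" -s "$secret" -t 10 >/dev/null 2>&1 || rc=$?
    rm -f "$cfg"
    map_exit "$rc"
}

# Entry point used by rlm_exec; the functions above stay callable on their own.
if [ "${1:-}" = "--run" ]; then
    exit "$(authenticate "${USER_NAME:?}" "${USER_PASSWORD:?}")"
fi
```

Two things to keep in mind when running this for real: eapol_test only takes the shared secret as a command-line argument, so it is visible in the process list for the duration of each authentication, and with `wait = yes` every PAP request ties up a FreeRADIUS thread for the whole EAP exchange (Martin's point about spawning a process per request). The `ca_cert` line is the piece that makes the proxied MSCHAPv2 exchange safe to send; drop it and the inner credentials go to whatever server answers on the RADIUS port.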