On Mon, 27 May 2002, 3APA3A wrote:
>
> Probably the problem is that MS uses for
> MS-MPPE-Send-Key/MS-MPPE-Recv-Key absolutely the same encoding schema as for
> Tunnel-Password attributes. Currently I do all encoding inside
> rlm_mschap itself.
>
> I'm not sure how the proxy operates: if the proxy rebuilds the packet and these
> values are changed, I need to rewrite rlm_mschap to not perform encoding
> and to mark MS-MPPE-Send-Key/MS-MPPE-Recv-Key as encrypt=2 in the
> dictionary instead.
>
> Will it work?
>
> BTW: for MS-CHAPv1 Microsoft uses standard rad_pwencode() to encrypt
> the MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from
> rlm_mschap. Maybe we should process all rad_pwencode'd attributes in
> the way we process Tunnel-Password encryption? That is, instead of
> calling rad_pwencode/rad_pwdecode for Password we should mark Password
> and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all
> encrypted attributes?

Hi 3APA3A,

I am not using rlm_mschap at all because I am only proxying.  I assumed
that the encoding/decoding would be performed automatically as part of
the proxying process.

What you suggest sounds sensible to me, but I do not know much at all
about RADIUS :-(.

regards, josh.

> --This is a forwarded message
> From: Josh Howlett <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Monday, May 27, 2002, 7:28:36 PM
> Subject: Encrypted attribute problems
>
> ===8<==============Original message text===============
> > Josh Howlett <[EMAIL PROTECTED]> wrote:
> > > What is the status of encrypted attribute support in Freeradius at the
> > > moment?  It appears to be broken - has anyone had similar problems?
> >
> >   WHICH encrypted attribute?  There's more than one, and there are a
> > number of different encryption schemes.
>
> Sorry for the lack of specificity; I am rather new to RADIUS!
>
> My precise problem is this.  I have a Microsoft IAS W2K server and a NAS
> with a Freeradius proxy in the middle:
>
>         IAS <--> Freeradius <--> NAS
>
> The NAS authenticates clients using MSCHAP-v2 and also provides
> encryption using MPPE.  The NAS can authenticate and retrieve the MPPE
> keys via RADIUS from the W2K box without any problems.  However, if the
> RADIUS transaction is performed via the Freeradius proxy, the NAS
> reports problems with de-crypting the MPPE attributes:
>
> decrypt_attr_style_1: bogus decrypted length 89
> decrypt_attr_style_1: bogus decrypted length -37
>
> Hence, I can authenticate correctly but not retrieve the MPPE keys when
> Freeradius is acting as proxy.
>
> I hope this is clear?
>
> thanks, josh.
>
>
> ------------------------------------------------------------
> Josh Howlett, Networking & Digital Communications,
> Information Systems & Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
> ------------------------------------------------------------
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> ===8<===========End of original message text===========
>
>
> --
> ~/ZARAZA
> B p`qwer`u a{k` nxhaj`.  (Kel)

------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
------------------------------------------------------------
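
Added example, not part of the thread and not FreeRADIUS code: the salted encoding that RFC 2548 defines for MS-MPPE-Send-Key/MS-MPPE-Recv-Key (the Tunnel-Password style scheme discussed above) is keyed on the shared secret and the Request Authenticator of one hop, so a value forwarded verbatim by a proxy fails to decode at the NAS, while a decode and re-encode at the proxy succeeds. The secrets, authenticators, salts and key are constructed sample values, and the sketch assumes the proxy-to-IAS leg uses a different shared secret and Request Authenticator than the NAS-to-proxy leg.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_encode(key, secret, req_auth, salt):
    # RFC 2548 sec. 2.4.2: length byte + key, zero-padded to 16-byte blocks,
    # each block XORed with MD5(secret + previous ciphertext block); the
    # first block chains from Request Authenticator + salt.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = salt, req_auth + salt
    for i in range(0, len(plain), 16):
        prev = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def mppe_decode(value, secret, req_auth):
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("malformed encrypted attribute")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:  # length byte cannot exceed the payload
        raise ValueError(f"bogus decrypted length {plain[0]}")
    return plain[1:1 + plain[0]]

def proxy_recode(value, home_secret, proxy_auth, nas_secret, nas_auth, salt):
    # Decode with the home-server leg's parameters, re-encode for the NAS leg.
    key = mppe_decode(value, home_secret, proxy_auth)
    return mppe_encode(key, nas_secret, nas_auth, salt)

def nas_view(value, nas_secret, nas_auth):
    # What the NAS recovers from the attribute; None if the length is bogus.
    try:
        return mppe_decode(value, nas_secret, nas_auth)
    except ValueError:
        return None

# Constructed sample values (not from the thread).
KEY = bytes(range(16))
HOME_SECRET, NAS_SECRET = b"ias-secret", b"nas-secret"
NAS_AUTH, PROXY_AUTH = b"\x11" * 16, b"\x22" * 16
FROM_IAS = mppe_encode(KEY, HOME_SECRET, PROXY_AUTH, b"\x80\x01")

if __name__ == "__main__":
    print("verbatim:", nas_view(FROM_IAS, NAS_SECRET, NAS_AUTH))
    fixed = proxy_recode(FROM_IAS, HOME_SECRET, PROXY_AUTH, NAS_SECRET, NAS_AUTH, b"\x80\x02")
    print("recoded: ", nas_view(fixed, NAS_SECRET, NAS_AUTH))
```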

