Stefan Winter wrote:
> we're trying to get IKEv2 under Windows 7 going. It can use among others
> "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS.

OK. That's getting to be more common.

> I noticed that rlm_mschap can be configured to calculate and send MPPE
> keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be
> mostly independent.
>
> Is that something that can easily be added?

Yup.

> BTW, a check back with a developer "Martin" from strongswan.org yielded:
>
> "Then I'd assume you are using FreeRADIUS :-).
>
> It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
> requires the MSK to calculate the AUTH payload.

OK.

> In its current form, you can't use FreeRADIUS for your setup, my
> apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
> writing such a patch is not something I can do in a few minutes."

<shrug>

src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there are 4 calls to "pairdelete" that remove the MPPE keys from the reply.

    if (handler->request->parent) {
        pairdelete(&handler->request->reply->vps, ((311 << 16) | 7));
        ...
    }

Add the "if (handler..." text. It ensures that the MPPE keys are deleted only when the module is being called from inside of a TLS tunnel.

I'll put it into 2.1.10, too.

Alan DeKok.
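
The guarded cleanup described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code. The types, `pair_delete`, `strip_mppe_if_tunnelled` and the helper names are hypothetical stand-ins; the set of four attributes (RFC 2548 numbers 7, 8, 16, 17 under vendor 311) is an assumption, since the post shows only the first call.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption), ids packed as (vendor << 16) | attribute. */
#define MS_ATTR(a) ((311u << 16) | (a))   /* vendor 311 = Microsoft */
typedef struct vp { uint32_t attr; struct vp *next; } vp_t;
typedef struct request { struct request *parent; vp_t *reply_vps; } request_t;

/* Assumed set: MS-MPPE-Encryption-Policy (7), MS-MPPE-Encryption-Types (8),
 * MS-MPPE-Send-Key (16), MS-MPPE-Recv-Key (17), numbers from RFC 2548. */
static const uint32_t mppe_attrs[] = { MS_ATTR(7), MS_ATTR(8), MS_ATTR(16), MS_ATTR(17) };
#define N_MPPE (sizeof(mppe_attrs) / sizeof(mppe_attrs[0]))

/* Hypothetical stand-in for pairdelete(): unlink and free every match. */
static void pair_delete(vp_t **head, uint32_t attr) {
    while (*head) {
        if ((*head)->attr == attr) {
            vp_t *dead = *head;
            *head = dead->next;
            free(dead);
        } else {
            head = &(*head)->next;
        }
    }
}
static void pair_add(vp_t **head, uint32_t attr) {
    vp_t *vp = malloc(sizeof(*vp));
    if (!vp) abort();
    vp->attr = attr;
    vp->next = *head;
    *head = vp;
}
/* Strip the keys only when the request has a parent, i.e. it runs inside a
 * tunnel; plain EAP-MSCHAPv2 (the IKEv2 case) keeps them in the reply. */
static void strip_mppe_if_tunnelled(request_t *req) {
    if (!req->parent) return;
    for (size_t i = 0; i < N_MPPE; i++) pair_delete(&req->reply_vps, mppe_attrs[i]);
}
/* Constructed reply: four MPPE attributes plus Reply-Message (18).
 * Returns how many attributes survive the cleanup. */
static int remaining_after_cleanup(int tunnelled) {
    request_t outer = {0}, req = {0};
    int n = 0;
    req.parent = tunnelled ? &outer : NULL;
    for (size_t i = 0; i < N_MPPE; i++) pair_add(&req.reply_vps, mppe_attrs[i]);
    pair_add(&req.reply_vps, 18);
    strip_mppe_if_tunnelled(&req);
    for (vp_t *vp = req.reply_vps; vp; vp = vp->next) n++;
    while (req.reply_vps) pair_delete(&req.reply_vps, req.reply_vps->attr);
    return n;
}
int main(void) {
    printf("tunnelled: %d, plain EAP: %d\n", remaining_after_cleanup(1), remaining_after_cleanup(0));
    return 0;
}
```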