Probably the problem is that MS uses for
MS-MPPE-Send-Key/MS-MPPE-Recv-Key absolutely the same encoding scheme as for
Tunnel-Password attributes. Currently I do all encoding inside
rlm_mschap itself.
I'm not sure how the proxy operates: if the proxy rebuilds the packet and these
values are changed, I need to rewrite rlm_mschap to not perform encoding
and to mark MS-MPPE-Send-Key/MS-MPPE-Recv-Key as encrypt=2 in the
dictionary instead.
Will it work?
BTW: for MS-CHAPv1 Microsoft uses the standard rad_pwencode() to encrypt the
MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from
rlm_mschap. Maybe we should process all rad_pwencode'd attributes in
the way we process Tunnel-Password encryption? That is, instead of
calling rad_pwencode/rad_pwdecode for Password, we should mark Password
and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all
encrypted attributes?
--This is a forwarded message
From: Josh Howlett <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, May 27, 2002, 7:28:36 PM
Subject: Encrypted attribute problems
===8<==============Original message text===============
> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > What is the status of encrypted attribute support in Freeradius at the
> > moment? It appears to be broken - has anyone had similar problems?
>
> WHICH encrypted attribute? There's more than one, and there are a
> number of different encryption schemes.
Sorry for the lack of specificity; I am rather new to RADIUS!
My precise problem is this. I have a Microsoft IAS W2K server and a NAS
with a Freeradius proxy in the middle:
IAS <--> Freeradius <--> NAS
The NAS authenticates clients using MSCHAP-v2 and also provides
encryption using MPPE. The NAS can authenticate and retrieve the MPPE
keys via RADIUS from the W2K box without any problems. However, if the
RADIUS transaction is performed via the Freeradius proxy, the NAS
reports problems with de-crypting the MPPE attributes:
decrypt_attr_style_1: bogus decrypted length 89
decrypt_attr_style_1: bogus decrypted length -37
Hence, I can authenticate correctly but not retrieve the MPPE keys when
Freeradius is acting as proxy.
I hope this is clear?
thanks, josh.
------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
===8<===========End of original message text===========
--
~/ZARAZA
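An added example, not part of the original messages and not FreeRADIUS code: the salted MD5 encoding that RFC 2548 specifies for MS-MPPE-Send-Key/MS-MPPE-Recv-Key, showing that a value encoded for the home-server hop cannot be decoded on the NAS hop unless the proxy decodes and re-encodes it. The function names, shared secrets, authenticators and salts are constructed for illustration.

```python
import hashlib

def _md5_chain(data, secret, req_auth, salt, decrypt):
    # b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); each block is XORed with b(i)
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, pad))
        prev = block if decrypt else res  # always chain on the ciphertext block
        out += res
    return out

def mppe_encode(key, secret, req_auth, salt):
    # Plaintext is Key-Length + Key, zero-padded to a multiple of 16 octets
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _md5_chain(plain, secret, req_auth, salt, decrypt=False)

def mppe_decode(value, secret, req_auth):
    salt, cipher = value[:2], value[2:]
    plain = _md5_chain(cipher, secret, req_auth, salt, decrypt=True)
    klen = plain[0]
    if klen > len(plain) - 1:
        return None  # the length octet is garbage: wrong secret or authenticator
    return plain[1:1 + klen]

def demo():
    key = bytes(range(16))                      # constructed MPPE key
    home_secret = b"secret-proxy-to-home"       # constructed shared secrets
    nas_secret = b"secret-nas-to-proxy"
    nas_auth = bytes([0x11]) * 16               # authenticator of the NAS request
    proxy_auth = bytes([0x22]) * 16             # authenticator of the proxied request
    from_home = mppe_encode(key, home_secret, proxy_auth, b"\x80\x01")

    # Proxy forwards the attribute value unchanged: the NAS decodes with its own
    # secret and authenticator and gets a bogus length or a wrong key.
    passthrough = mppe_decode(from_home, nas_secret, nas_auth)

    # Proxy decodes with the home-hop parameters and re-encodes for the NAS hop.
    clear = mppe_decode(from_home, home_secret, proxy_auth)
    reencoded = mppe_encode(clear, nas_secret, nas_auth, b"\x80\x02")
    fixed = mppe_decode(reencoded, nas_secret, nas_auth)
    return key, passthrough, fixed

if __name__ == "__main__":
    print(demo())
```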