Hi Kamal,

As I mentioned, Microsoft Network Policy Server (NPS) seems to want some type of CHAP in almost all of the RADIUS requests, except PAP. CHAP, MS-CHAP and MS-CHAPv2 have been attacked:

https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
http://itsecgames.blogspot.com/2012/09/attacking-ms-chap-v2.html

They all use MD4, which has also been attacked and has now been "retired" as a standard:

https://tools.ietf.org/html/rfc6150

However, as you have also commented, NPS's more secure EAP-TLS protocol still needs to tunnel CHAP and MD4. I found this:

https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/classes/sun/security/provider/MD4.java

It would be useful for MD4.java to be included in the RADIUS Authentication Provider to support secure communication with NPS, but I don't know how to.

In the meantime I'm using CentOS's built-in IPsec and the Windows Server L2TP/IPsec capability.

https://www.thomasmaurer.ch/2018/05/how-to-install-vpn-on-windows-server-2019/
https://www.myip.io/how-to-details/configure-l2tp-centos
and/or
http://spottedhyena.co.uk/centos-67-ipsecl2tp-vpn-client-unifi-usg-l2tp-server/

-David

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
