On Sun, Apr 21, 2019 at 7:08 PM drhy <[email protected]> wrote:
> Hi Nick,
>
> I've extensively tested the communications between the Windows Server Network Policy Server and the Guacamole RADIUS module on CentOS using:
> CentOS Minimal ISO, release 7.6.1810 (Core)
> Java 1.8.0 (java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64)
> Tomcat 8.5.38
> gcc compiler version 7.3.0
> (in more detail:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-1-0-0-with-Radius-and-MySQL-Step-by-step-for-Linux-newbies-td4748.html
> )
>
> In this environment the only successful authentication combination I've been able to get working between the RADIUS module and Windows Server Network Policy Server is PAP. In the catalina.out log the other combinations show either authentication failed messages or internal error messages, and sometimes an MD4 not available message.
>
> MD4 seems to be required for CHAP, MSCHAPv1 and MSCHAPv2. In addition, it appears that the more secure compound tunnels that NPS uses (for example, EAP-TLS) all still need CHAP in one form or another. MD4 is no longer included in the JDK, hence anything requiring a variation of CHAP fails.
>

As far as I can tell, MD4 is not required for plain (non-MS) CHAP. This is according to the JRadius code that I'm using to implement the RADIUS authentication provider. It should only be required for MS-CHAP v1 and v2. Based on the code in the repo, the only thing that MD4 is used for in MS-CHAP is hashing the NT password. CHAP should still work fine without MD4.

Also, as Kamal mentions, I've submitted a pull request to correct this: https://github.com/apache/guacamole-client/pull/392

This should be corrected in the master branch before too long. You can test per my previous instructions - if you're able to, that would be great, as I don't have a RADIUS server supporting MS-CHAP available, so it's hard for me to verify it works. Sounds like Kamal has tested it successfully, but with a previous version of the changes, so testing on the most recent version would be great.

Also, as I've mentioned before, from a security perspective, MS-CHAP (with MD4) may be more secure than plain text, but the reason MD4 was removed from Java is because MD4 is not secure - it can be relatively easily cracked (https://en.wikipedia.org/wiki/MD4#Security - "in a few microseconds"). So, if security is of any reasonable concern to you between Guacamole and your RADIUS server, I would not rely upon MS-CHAP - I would use EAP-TLS or EAP-TTLS. PEAP might be acceptable, too, but there's a bug in JRadius that has not been addressed, yet, that renders PEAP useless, so it currently will not work.

-Nick
