Contributor I
Posts: 26
Registered: ‎05-17-2009

Amigopod: Termination of MSCHAPv2 and forward to RADIUS

Hi,

Got Aruba Controller, Amigopod and a RADIUS-server which only accepts PAP-messages.

I want to terminate the EAP-type, PEAP, in Aruba Controller. No problem, done the configuration for that.

Send the inner EAP, MSCHAPv2, to Amigopod. I can see in the Amigopod that this comes in.

Then I want the Amigopod to take away the MSCHAPv2 and send a PAP request to the RADIUS server.

I can see in the Amigopod that the request is passed to the RADIUS.

I have added the RADIUS server to Amigopod and I have done a test authentication from GUI, that works. I believe that is because it is done with PAP. But when I send a client from Aruba with MSCHAPv2, the authentication doesn't work, maybe because it just shouldn't work, because the Amigopod doesn't take away the MSCHAPv2 and passes it to the RADIUS.

-------------------------------------------------------------------------------------
Christian Nilsson, Network Services
ACMA, ACMP, AWMP, Aruba Instructor, ACMX #159
MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: Amigopod: Termination of MSCHAPv2 and forward to RADIUS

My understanding is that the Amigopod can terminate or proxy RADIUS requests so won't be able to terminate then forward. I don't think what you are requesting is (easily) possible with any device. What you're asking essentially is if Amigopod can break MS-CHAPv2 and convert the requests to the PAP equivalent.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Amigopod: Termination of MSCHAPv2 and forward to RADIUS

Unfortunately, this is not technically possible.

PAP requires the plaintext password, which is then encoded in a RADIUS Access-Request packet according to the encryption method specified in RFC 2865.  This encryption is reversible, if you know the shared secret for the RADIUS transaction, and therefore allows for authentication to occur.

The MSCHAPv2 password is one-way hashed and cannot be reversed to yield the user's plain text password.  This is due to the design of the protocol.  Authentication is still possible using MSCHAPv2 as the user's password can be stored in an encrypted form.

Therefore, it is not possible to accept an MSCHAPv2 authentication request, and generate a corresponding PAP request.
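
The reversible RFC 2865 User-Password encoding described in the reply above, as an added example that is not part of the original post and is not Amigopod or Aruba code. The shared secrets, request authenticators and password are constructed sample values, and `proxy_forward` is a hypothetical helper name.

```python
import hashlib

def _pad_block(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: b(i) = MD5(shared secret + previous 16 bytes)
    return hashlib.md5(secret + prev).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a plaintext password as a User-Password attribute value."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 bytes, password <= 128")
    # NUL-pad to a multiple of 16; an empty password still fills one block
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in
                      zip(padded[i:i + 16], _pad_block(secret, prev)))
        out += block
        prev = block  # each ciphertext block seeds the next MD5
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext: possible for anyone holding the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _pad_block(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def proxy_forward(hidden, secret_in, auth_in, secret_out, auth_out):
    """A PAP-to-PAP proxy hop: decode with one secret, re-encode with another.
    An MSCHAPv2 request offers no step equivalent to pap_reveal(), which is
    why the conversion asked about in this thread cannot be done."""
    return pap_hide(pap_reveal(hidden, secret_in, auth_in), secret_out, auth_out)

# Constructed sample values (assumptions, not taken from the thread)
NAS_SECRET = b"constructed-nas-secret"
UPSTREAM_SECRET = b"constructed-upstream-secret"
AUTH_1, AUTH_2 = bytes(range(16)), bytes(range(16, 32))
PASSWORD = b"constructed-sample-passphrase"  # 29 bytes, so two 16-byte blocks

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, NAS_SECRET, AUTH_1)
    forwarded = proxy_forward(hidden, NAS_SECRET, AUTH_1, UPSTREAM_SECRET, AUTH_2)
    print(hidden.hex())
    print(pap_reveal(forwarded, UPSTREAM_SECRET, AUTH_2))
```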

Contributor I
Posts: 26
Registered: ‎05-17-2009

Re: Amigopod: Termination of MSCHAPv2 and forward to RADIUS

I had that in mind, that it wouldn't be possible in the way MSCHAPv2 works.

Thank you for the answer!

-------------------------------------------------------------------------------------
Christian Nilsson, Network Services
ACMA, ACMP, AWMP, Aruba Instructor, ACMX #159