Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Amigopod: Termination of MSCHAPv2 and forward to RADIUS

  • 1.  Amigopod: Termination of MSCHAPv2 and forward to RADIUS

    Posted Jan 31, 2012 09:05 AM

    Hi,

    Got Aruba Controller, Amigopod and a RADIUS server which only accepts PAP messages.

    I want to terminate the EAP type, PEAP, in the Aruba Controller. No problem, done the configuration for that.

    Send the inner EAP, MSCHAPv2, to Amigopod. I can see in the Amigopod that this comes in.

    Then I want the Amigopod to take away the MSCHAPv2 and send a PAP request to the RADIUS server.

    I can see in the Amigopod that the request is passed to the RADIUS.

    I have added the RADIUS server to Amigopod and I have done a test authentication from the GUI, and that works. I believe that is because it is done with PAP. But when I send a client from Aruba with MSCHAPv2, the authentication doesn't work, maybe because it just shouldn't work, because the Amigopod doesn't take away the MSCHAPv2 and passes it to the RADIUS.



  • 2.  RE: Amigopod: Termination of MSCHAPv2 and forward to RADIUS

    Posted Feb 01, 2012 07:59 AM

    My understanding is that the Amigopod can terminate or proxy RADIUS requests, so it won't be able to terminate and then forward. I don't think what you are requesting is (easily) possible with any device. What you're asking essentially is if Amigopod can break MS-CHAPv2 and convert the requests to the PAP equivalent.



  • 3.  RE: Amigopod: Termination of MSCHAPv2 and forward to RADIUS
    Best Answer

    Posted Feb 01, 2012 07:09 PM

    Unfortunately, this is not technically possible.

    PAP requires the plaintext password, which is then encoded in a RADIUS Access-Request packet according to the encryption method specified in RFC 2865. This encryption is reversible, if you know the shared secret for the RADIUS transaction, and therefore allows for authentication to occur.

    The MSCHAPv2 password is one-way hashed and cannot be reversed to yield the user's plain text password. This is due to the design of the protocol. Authentication is still possible using MSCHAPv2 as the user's password can be stored in an encrypted form.

    Therefore, it is not possible to accept an MSCHAPv2 authentication request, and generate a corresponding PAP request.
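
    The following is an added example, not code from the thread or from Amigopod, that makes the best answer's two points concrete: the RFC 2865 User-Password encoding that a PAP Access-Request carries is reversible by anyone holding the shared secret, while the MS-CHAPv2 side is built on a one-way NT hash (MD4 over the UTF-16LE password) from which no proxy can recover the plaintext needed to build a PAP request. The shared secret, Request Authenticator and password below are constructed demo values, and the MD4 routine is a minimal RFC 1320 implementation included only because hashlib does not always expose md4.

```python
import hashlib
import os
import struct

# --- RFC 2865 section 5.2: User-Password hiding, as used by PAP --------------

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a plaintext password the way a PAP Access-Request carries it.

    The password is NUL-padded to a multiple of 16 octets and XORed block by
    block with MD5(secret + previous block), seeded by the 16-octet Request
    Authenticator. This is keyed obfuscation, not a hash: it is reversible.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next block is keyed on this ciphertext block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_user_password(); any party holding the shared secret can do this."""
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


# --- MS-CHAPv2 credential: NT hash = MD4(UTF-16LE(password)), one-way --------

def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), used here because hashlib may lack md4."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & mask & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The credential MS-CHAPv2 is built on; nothing maps it back to the password."""
    return md4(password.encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed demo values; the secret and authenticator are placeholders.
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)
    password = b"correct horse battery staple"

    hidden = hide_user_password(password, secret, authenticator)
    print("PAP User-Password on the wire:", hidden.hex())
    print("Recovered with the secret:    ", reveal_user_password(hidden, secret, authenticator))

    print("MS-CHAPv2 NT hash:            ", nt_hash(password.decode()).hex())
    # A proxy that only ever sees the NT hash, or an MS-CHAPv2 response derived
    # from it, has no plaintext to hand to hide_user_password(); that is why the
    # inner MSCHAPv2 exchange cannot be re-issued as a PAP request.
```

    Note the asymmetry: the PAP encoding is keyed by nothing more than the RADIUS shared secret, so anyone on the path between Amigopod and the RADIUS server who knows that secret can recover the plaintext, which is why the secret deserves the same care as a password. The MS-CHAPv2 direction offers no such recovery, with or without the secret.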



  • 4.  RE: Amigopod: Termination of MSCHAPv2 and forward to RADIUS

    Posted Feb 02, 2012 06:57 AM

    I had that in mind, that it wouldn't be possible in the way MSCHAPv2 works.

    Thank you for the answer!