Discussion:
RADIUS proxying + MS-CHAPv2 on client not supported?
Michael
2008-06-25 09:38:00 UTC
Hi,

I have a Windows Server 2003 with IAS and RADIUS up and running. Users
connect with 802.1X (PEAP + MS-CHAPv2) and are authenticated using the local
RADIUS server. Everything runs great so far.

Now other users, being on another external RADIUS, should be able to connect
to the local network. So I added the proxy, wrote the rules and basically it
runs well:

With clients connecting with PAP it works:

User "***@EXTERNAL.de" was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = LOCALIP
NAS-Identifier = <not present>
Client-Friendly-Name = CLIENTNAME
Client-IP-Address = LOCALIP
Calling-Station-Identifier = 0.0.0.0
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = NAME
Authentication-Provider = RADIUS Proxy
Authentication-Server = REMOTERADIUS-IP
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>

But who wants the users to use PAP? They MUST use MS-CHAPv2. Unfortunately it
doesn't work:

User "***@EXTERNAL.de" was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = LOCALIP
NAS-Identifier = <not present>
Calling-Station-Identifier = 000B8651E9D0
Called-Station-Identifier = 000000000000
Client-Friendly-Name = CLIENTNAME
Client-IP-Address = LOCALIP
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = NAME
Authentication-Provider = RADIUS Proxy
Authentication-Server = REMOTERADIUS-IP
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Code = 112
Reason = The remote RADIUS server did not process the authentication
request.



So where is the problem?

(assumptions:)

- PAP uses the unencrypted login data and sends it to (my) local
RADIUS-Server. The RADIUS takes this request, takes the unencrypted pass
and proxies it to the external server

- MS-CHAPv2 uses encrypted login data and sends them to the local
RADIUS-Server. That makes no problem as long as it is a local user, but when it
wants to proxy it to the external RADIUS, it seems it doesn't decrypt it and
afterwards use it with the external one. Instead it uses those encrypted
strings and sends them as they are.



So, how can I set my local Windows 2003 RADIUS server to send this properly
to the external server?
FenderAxe
2008-06-26 02:06:02 UTC
Post by Michael
Hi,
I have a Windows Server 2003 with IAS and RADIUS up and running. Users
connect with 802.1X (PEAP + MS-CHAPv2) and are authenticated using the
local RADIUS server. Everything runs great so far.
Now other users, being on another external RADIUS, should be able to
connect to the local network. So I added the proxy, wrote the rules
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = LOCALIP
NAS-Identifier = <not present>
Client-Friendly-Name = CLIENTNAME
Client-IP-Address = LOCALIP
Calling-Station-Identifier = 0.0.0.0
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = NAME
Authentication-Provider = RADIUS Proxy
Authentication-Server = REMOTERADIUS-IP
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
But who wants the users to use PAP? They MUST use MS-CHAPv2.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = LOCALIP
NAS-Identifier = <not present>
Calling-Station-Identifier = 000B8651E9D0
Called-Station-Identifier = 000000000000
Client-Friendly-Name = CLIENTNAME
Client-IP-Address = LOCALIP
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = NAME
Authentication-Provider = RADIUS Proxy
Authentication-Server = REMOTERADIUS-IP
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Code = 112
Reason = The remote RADIUS server did not process the
authentication request.
So where is the problem?
(assumptions:)
- PAP uses the unencrypted login data and sends it to (my) local
RADIUS-Server. The RADIUS takes this request, takes the
unencrypted pass and proxies it to the external server
- MS-CHAPv2 uses encrypted login data and sends them to the local
RADIUS-Server. That makes no problem as long as it is a local user, but
when it wants to proxy it to the external RADIUS, it seems it doesn't
decrypt it and afterwards use it with the external one. Instead it
uses those encrypted strings and sends them as they are.
So, how can I set my local Windows 2003 RADIUS server to send this
properly to the external server?
When you use a proxy server, the proxy forwards the connection request to
the remote RADIUS server. That's all it does: pass messages back and forth
between the RADIUS server and the network access server. The authentication
method you're using doesn't matter to the proxy. If the messages aren't
being passed properly, check your connection request policy to ensure it is
configured to forward messages to a configured remote RADIUS server, and
also ensure that the realm name you provide in the policy is accurate and
reflects the domain where the user account resides. (Don't configure
authentication in the connection request policy; use network policy on the
remote RADIUS server to configure PEAP.)

Check that you configured the RADIUS proxy as a RADIUS client on the remote
RADIUS server and that the shared secret is the same. Also verify that you
configured the remote RADIUS server in a remote RADIUS server group on the
IAS proxy server.

For PEAP-MS-CHAP v2, verify that the remote RADIUS server has a server
certificate from a CA that the client computers trust. (For the clients to
trust the server certificate, they must have the CA's cert in the Trusted
Root Certification Authorities Current User and Local Computer cert store.)
The server cert also must meet the minimum server certificate requirements
outlined in the IAS Help. And of course ensure that PEAP is configured on a
remote access policy that is configured to allow access, and that the user
account dial-in properties in AD or Local Users and Groups either allows
access or is set to "Control access through remote access policy."
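An added illustration of the point made in this answer (example code written for this page, not IAS code and not anything either poster wrote): the Python below models what a RADIUS proxy actually changes when it forwards an Access-Request to a remote server group. Only User-Password (RFC 2865, section 5.2) and Message-Authenticator (RFC 2869, section 5.14) are bound to the shared secret, so the proxy decrypts and re-encrypts the one and recomputes the other under the remote secret; EAP-Message, which carries the PEAP tunnel and the MS-CHAPv2 exchange inside it, is copied byte-for-byte, which is why the EAP method makes no difference to the proxy. Both shared secrets, the realm table, the server name REMOTERADIUS-IP and the sample EAP payload (a PEAP EAP-Response carrying no TLS data) are constructed assumptions, not values from the thread.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, PROXY_STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 33, 79, 80

# Constructed for this example, not from the thread: the secret on each leg and the
# realm -> remote server group table that a connection request policy would express.
NAS_SECRET = b"nas-to-proxy-secret"
REMOTE_SECRET = b"proxy-to-remote-secret"
REALM_ROUTES = {"external.de": "REMOTERADIUS-IP"}

def build_attrs(attrs):  # each attribute: 1-byte type, 1-byte length (header included), value <= 253 bytes
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = build_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])

def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_user_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute's own 16 bytes zeroed."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()

def secret_matches(pkt, secret):
    """True iff Message-Authenticator verifies under this leg's shared secret."""
    code, ident, auth, attrs = parse_packet(pkt)
    mac = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    return mac is not None and hmac.compare_digest(mac, message_authenticator(code, ident, auth, attrs, secret))

def route_for(username, routes):
    """Realm-based routing: the part after '@' selects the remote server group, or None."""
    return routes.get(username.rpartition("@")[2].lower())

def make_nas_request(username, secret, password=None, eap=None, ident=7):
    """Constructed sample of what the NAS sends the proxy: PAP if a password is given, else EAP."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode())]
    if password is not None:
        attrs.append((USER_PASSWORD, encrypt_user_password(password, secret, auth)))
    if eap is not None:
        attrs.append((EAP_MESSAGE, eap))
    attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, auth, attrs, secret))
    return build_packet(ACCESS_REQUEST, ident, auth, attrs)

def proxy_access_request(pkt, nas_secret, remote_secret, routes):
    """Re-key a NAS Access-Request for the remote server chosen by realm; returns (server, packet).
    EAP-Message (the PEAP tunnel with MS-CHAPv2 inside) is copied byte-for-byte and never decrypted;
    only User-Password and Message-Authenticator depend on the shared secret."""
    if not secret_matches(pkt, nas_secret):
        raise ValueError("Message-Authenticator mismatch: NAS and proxy disagree on the shared secret")
    code, ident, auth, attrs = parse_packet(pkt)
    server = route_for(dict(attrs)[USER_NAME].decode(), routes)
    if server is None:
        raise LookupError("no connection request policy matches this realm")
    new_auth = os.urandom(16)  # fresh Request Authenticator for the proxy-to-remote leg
    out = []
    for t, v in attrs:
        if t == USER_PASSWORD:
            v = encrypt_user_password(decrypt_user_password(v, nas_secret, auth), remote_secret, new_auth)
        elif t == MESSAGE_AUTHENTICATOR:
            continue  # recomputed below under the remote secret
        out.append((t, v))
    out.append((PROXY_STATE, bytes([ident])))  # lets the proxy pair the remote reply with the NAS request
    out.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    out[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, new_auth, out, remote_secret))
    return server, build_packet(code, ident, new_auth, out)
```

Running proxy_access_request over a constructed PAP request and a constructed EAP request shows the two things the answer says to check: a User-Name whose realm has no route (route_for returns None) and a shared secret that differs between the two legs (secret_matches fails on the receiving side). The PAP User-Password is re-encrypted only because the secret changes between legs; the MS-CHAPv2 credentials inside PEAP are never visible to the proxy, so the method in use cannot be what the proxy is tripping over.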
Michael
2008-06-26 07:00:00 UTC
Hi,

thank you for your answer.
But the actual problem is that the connection request => works with PAP <=
but it => doesn't work with MS-CHAPv2 <=.
So,
Post by FenderAxe
When you use a proxy server, the proxy forwards the connection request to
the remote RADIUS server. That's all it does: pass messages back and forth
between the RADIUS server and the network access server. The authentication
method you're using doesn't matter to the proxy. If the messages aren't
being passed properly, check your connection request policy to ensure it is
configured to forward messages to a configured remote RADIUS server,
Of course it does forward it to the remote RADIUS server. It does so
successfully when the user uses PAP.
Post by FenderAxe
also ensure that the realm name you provide in the policy is accurate and
reflects the domain where the user account resides.
It is correct. It works. That's not the problem.
Post by FenderAxe
(Don't configure
authentication in the connection request policy, use network policy on the
remote RADIUS server to configure PEAP.)
I do not have any influence on the remote RADIUS server.
Post by FenderAxe
Check that you configured the RADIUS proxy as a RADIUS client on the remote
RADIUS server and that the shared secret is the same.
As I already made clear, the request works when the user uses PAP. So
everything is configured the right way.
Post by FenderAxe
Also verify that you
configured the remote RADIUS server in a remote RADIUS server group on the
IAS proxy server.
I did. Again, that's not the problem.
Post by FenderAxe
For PEAP-MS-CHAP v2, verify that the remote RADIUS server has a server
certificate from a CA that the client computers trust.
Well, it has. When a local user tries to connect with my local RADIUS server
and is passed to it, everything runs great.
The problem is when a remote user's request (having configured its client
to use MS-CHAPv2) is forwarded to the remote RADIUS.
Post by FenderAxe
(For the clients to
trust the server certificate, they must have the CA's cert in the Trusted
Root Certification Authorities Current User and Local Computer cert store.)
In fact they haven't; in Windows XP you can untick the option to check the
server certificate. Being a client you can ignore the certificate.
By the way, whether that option is set or not, the requests run great for
local users.
Post by FenderAxe
The server cert also must meet the minimum server certificate requirements
outlined in the IAS Help. And of course ensure that PEAP is configured on a
remote access policy that is configured to allow access, and that the user
account dial-in properties in AD or Local Users and Groups either allows
access or is set to "Control access through remote access policy."
It is, and as I said before, that seems not to be the actual problem.