LEAP Radius proxy with PEAPv0

Unanswered Question
Feb 18th, 2008

I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Databaser, and works fine but I don't understand why. So, I don't know if it's a stable solution.

I have the following scenario:

WinXP SP2

PEAPv0 (EAP-MSCHAPv2)

|

v

Cisco 3640

802.1x Wired Port Access Control

|

v

Cisco ACS 4.1

External User Database

LEAP Proxy RADIUS

|

v

Freeradius 2.0.1

MS-CHAPv1 user + MPPE MS Extension

I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2), to link a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I'm created a user that use as External User Database a LEAP Proxy RADIUS, with destination a Freeradius in the Backend.

Then, I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys with the use_mppe parameter option set in the config). And it works!

So, my question are:

1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?

3) Does the ACS internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response? Are they compatible?

2) Is this a stable solution?

Regards

FP

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
f.pieress Sat, 02/23/2008 - 02:18

Thanks four your reply, but I'm sure the ACS can internaylly translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my Freeradius is configured to use MSCHAPv1. The only restrinctions they have, are that the Freeradius have to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External Database User.

Another interesting test I did, was modify in the freeradius response the MS-CHAP-MPPE-Keys (changing the rlm_mschap module). Normally it's composed by 8 bytes from LM-Password (a hash of the plain password) and 16 bytes from NT-Password (another hash of the plain password). Changing with zeros the LM-Password portion, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so, only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1..

My problem is, that my backend RADIUS only support MSCHAPv2, and I need to put the Cisco ACS in the Frontend. So, the question is, is teorically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, probably I will use a Freeradius to work as a proxy between them...

m_popovic Mon, 02/25/2008 - 03:50

Would you be kind and post or email your acs config. I have same setup but can't get ACS to authenticate wireless clients.

Thank you in advance

Actions

This Discussion