LEAP Radius proxy with PEAPv0

f.pieress
Level 1

I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Database, and it works fine, but I don't understand why. So, I don't know if it's a stable solution.

I have the following scenario:

WinXP SP2
PEAPv0 (EAP-MSCHAPv2)
|
v
Cisco 3640
802.1x Wired Port Access Control
|
v
Cisco ACS 4.1
External User Database
LEAP Proxy RADIUS
|
v
Freeradius 2.0.1
MS-CHAPv1 user + MPPE MS Extension

I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2) to link to a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I created a user that uses a LEAP Proxy RADIUS as External User Database, with a Freeradius in the backend as destination.

Then I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys, with the use_mppe parameter option set in the config). And it works!

So, my questions are:

1) Does the Cisco ACS LEAP Proxy RADIUS feature also work with PEAPv0?

2) Does the ACS internally translate the MSCHAPv2 challenge response to an MSCHAPv1 challenge response? Are they compatible?

3) Is this a stable solution?

Regards

FP

3 Replies

tstanik
Level 5

The ACS does not internally translate the MSCHAPv2 challenge response to an MSCHAPv1 challenge response, although they are compatible. The following link may help you:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940413

Thanks for your reply, but I'm sure the ACS can internally translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my Freeradius is configured to use MSCHAPv1. The only restrictions they have are that the Freeradius has to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External User Database.

Another interesting test I did was to modify the MS-CHAP-MPPE-Keys in the freeradius response (changing the rlm_mschap module). Normally it's composed of 8 bytes from LM-Password (a hash of the plain password) and 16 bytes from NT-Password (another hash of the plain password). Replacing the LM-Password portion with zeros, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1.

My problem is that my backend RADIUS only supports MSCHAPv2, and I need to put the Cisco ACS in the frontend. So, the question is: is it theoretically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, probably I will use a Freeradius to work as a proxy between them...

Would you be kind enough to post or email your ACS config? I have the same setup but can't get ACS to authenticate wireless clients.

Thank you in advance