02-18-2008 10:18 AM - edited 03-10-2019 03:39 PM
I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Database, and it works fine, but I don't understand why. So, I don't know if it's a stable solution.
I have the following scenario:
WinXP SP2
PEAPv0 (EAP-MSCHAPv2)
|
v
Cisco 3640
802.1x Wired Port Access Control
|
v
Cisco ACS 4.1
External User Database
LEAP Proxy RADIUS
|
v
Freeradius 2.0.1
MS-CHAPv1 user + MPPE MS Extension
I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2) to connect to a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate against a Cisco ACS 4.1, where I created a user that uses a LEAP Proxy RADIUS as External User Database, with a FreeRADIUS in the backend as destination.
Then I configured the FreeRADIUS to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys, with the use_mppe parameter option set in the config). And it works!
So, my questions are:
1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?
2) Does the ACS internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response? Are they compatible?
3) Is this a stable solution?
Regards
FP
02-22-2008 09:07 AM
The ACS does not internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response, although they are compatible. The following link may help you
02-23-2008 02:18 AM
Thanks for your reply, but I'm sure the ACS can internally translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my FreeRADIUS is configured to use MSCHAPv1. The only restrictions they have are that the FreeRADIUS has to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External User Database.
Another interesting test I did was to modify the MS-CHAP-MPPE-Keys in the FreeRADIUS response (by changing the rlm_mschap module). Normally it is composed of 8 bytes from the LM-Password (a hash of the plain password) and 16 bytes from the NT-Password (another hash of the plain password). Replacing the LM-Password portion with zeros, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so, only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1.
My problem is that my backend RADIUS only supports MSCHAPv2, and I need to put the Cisco ACS in the frontend. So, the question is: is it theoretically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, I will probably use a FreeRADIUS to work as a proxy between them...
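The MS-CHAP-MPPE-Keys attribute that the post above tampers with, as an added example that is not from this thread, Cisco ACS or FreeRADIUS: it builds and decodes the Microsoft Vendor-Specific attribute (Vendor-Id 311, vendor type 12) using the RFC 2865 User-Password cipher that RFC 2548 specifies for it, with the 8-byte LM portion, 16-byte NT portion and 8 zero bytes of padding laid out as described. The shared secret, Request Authenticator and key bytes are constructed sample values; the code does not derive either hash from a password, it only shows how a frontend recovers the NT portion from what the backend returns.

```python
import hashlib
import struct

RADIUS_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311          # Microsoft (RFC 2548)
MS_CHAP_MPPE_KEYS = 12      # vendor type of MS-CHAP-MPPE-Keys


def _user_password_cipher(secret: bytes, req_auth: bytes, data: bytes, encrypt: bool) -> bytes:
    """RFC 2865 section 5.2 cipher, also used for MS-CHAP-MPPE-Keys: each 16-byte
    block is XORed with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator."""
    if len(req_auth) != 16 or len(data) % 16 != 0:
        raise ValueError("authenticator must be 16 bytes, data a multiple of 16")
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = result if encrypt else block   # always chain on the ciphertext block
    return bytes(out)


def build_mschap_mppe_keys(lm_key: bytes, nt_key: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Return the complete Vendor-Specific attribute carrying MS-CHAP-MPPE-Keys.
    Plaintext layout: 8-byte LM portion, 16-byte NT portion, 8 zero bytes of padding."""
    if len(lm_key) != 8 or len(nt_key) != 16:
        raise ValueError("LM portion is 8 bytes, NT portion is 16 bytes")
    keys = _user_password_cipher(secret, req_auth, lm_key + nt_key + bytes(8), encrypt=True)
    vendor_part = struct.pack("!BB", MS_CHAP_MPPE_KEYS, 2 + len(keys)) + keys
    body = struct.pack("!I", MS_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_mschap_mppe_keys(attr: bytes, secret: bytes, req_auth: bytes) -> dict:
    """Validate the VSA framing, decrypt the Keys field and split out its portions."""
    a_type, a_len = struct.unpack("!BB", attr[:2])
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    v_type, v_len = struct.unpack("!BB", attr[6:8])
    if (a_type != RADIUS_VENDOR_SPECIFIC or a_len != len(attr) or vendor_id != MS_VENDOR_ID
            or v_type != MS_CHAP_MPPE_KEYS or v_len != 2 + 32):
        raise ValueError("not a well-formed MS-CHAP-MPPE-Keys VSA")
    plain = _user_password_cipher(secret, req_auth, attr[8:8 + 32], encrypt=False)
    return {"lm_key": plain[:8], "nt_key": plain[8:24], "padding": plain[24:32]}


if __name__ == "__main__":
    # Constructed values: zeroed LM portion (as in the experiment above), sample NT portion.
    secret, auth = b"testing123", bytes(range(16))
    attr = build_mschap_mppe_keys(bytes(8), bytes.fromhex("00112233445566778899aabbccddeeff"), secret, auth)
    print(parse_mschap_mppe_keys(attr, secret, auth))
```

Decoding with the wrong shared secret yields garbage in every portion, which is the first thing to check when a frontend rejects an otherwise correct backend reply.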
02-25-2008 03:50 AM
Would you be so kind as to post or email your ACS config? I have the same setup but can't get ACS to authenticate wireless clients.
Thank you in advance