Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LEAP Radius proxy with PEAPv0

I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Databaser, and works fine but I don't understand why. So, I don't know if it's a stable solution.

I have the following scenario:

WinXP SP2

PEAPv0 (EAP-MSCHAPv2)

|

v

Cisco 3640

802.1x Wired Port Access Control

|

v

Cisco ACS 4.1

External User Database

LEAP Proxy RADIUS

|

v

Freeradius 2.0.1

MS-CHAPv1 user + MPPE MS Extension

I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2), to link a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I'm created a user that use as External User Database a LEAP Proxy RADIUS, with destination a Freeradius in the Backend.

Then, I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys with the use_mppe parameter option set in the config). And it works!

So, my question are:

1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?

3) Does the ACS internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response? Are they compatible?

2) Is this a stable solution?

Regards

FP

3 REPLIES
Bronze

Re: LEAP Radius proxy with PEAPv0

The ACS does not internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response, although they are compatible. Following link may help you

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940413

New Member

Re: LEAP Radius proxy with PEAPv0

Thanks four your reply, but I'm sure the ACS can internaylly translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my Freeradius is configured to use MSCHAPv1. The only restrinctions they have, are that the Freeradius have to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External Database User.

Another interesting test I did, was modify in the freeradius response the MS-CHAP-MPPE-Keys (changing the rlm_mschap module). Normally it's composed by 8 bytes from LM-Password (a hash of the plain password) and 16 bytes from NT-Password (another hash of the plain password). Changing with zeros the LM-Password portion, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so, only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1..

My problem is, that my backend RADIUS only support MSCHAPv2, and I need to put the Cisco ACS in the Frontend. So, the question is, is teorically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, probably I will use a Freeradius to work as a proxy between them...

New Member

Re: LEAP Radius proxy with PEAPv0

Would you be kind and post or email your acs config. I have same setup but can't get ACS to authenticate wireless clients.

Thank you in advance

370
Views
0
Helpful
3
Replies