Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for EAP/PEAP/MSCHAP auth #40

Open
ghost opened this issue Jan 11, 2017 · 8 comments
Open

Add support for EAP/PEAP/MSCHAP auth #40

ghost opened this issue Jan 11, 2017 · 8 comments
Assignees
@GIC-de
Labels
enhancement

Comments

@ghost
Copy link

ghost commented Jan 11, 2017

Please add support for EAP/PEAP/MSCHAP authorization. PAP is not suitable since it sends plaintext passwords.
@GIC-de GIC-de self-assigned this Jan 24, 2017
@peppelinux
Copy link

I'm going to face the same problem, Auth-type CHAP means to let the sysadmins to read cleartext password in /var/log/freeradius/radius.log if the radius configuration have auth_goodpass and auth_badpass configured to true.

We really need to introduce PEAP o, at least MSCHAP.
CHAP is unusable in production environment.

@peppelinux peppelinux mentioned this issue Nov 7, 2017
Closed
@ccsalway
Copy link

ccsalway commented Sep 9, 2018

Can the following URL be used to jumpstart EAP support

https://w1.fi/cgit/hostap/plain/tests/hwsim/test_eap_proto.py

@csib
Copy link

csib commented Jan 13, 2019

+1 for MSCHAPv2 I think it's really needed in 2019 PAP is so weak and Windows 10 cant access to set encyption if PAP is enabled only.

@kumar35959
Copy link

+1 for EAP/PEAP/MSCHAP

@mneitsabes
Copy link

Here is my Python implementation for EAP-MSCHAPv2 only, maybe it can help : https://github.com/mneitsabes/RADIUS-EAP-MSCHAPv2-Python-client

@noziwatele
Copy link

+1 for EAP/PEAP/MSCHAP :)

@adiroiban
Copy link

If it helps, this is my CHAP / MS-CHAP / MS-CHAP-v2 code written in Python 2.7 and Twisted:

https://gist.github.com/adiroiban/59eb28cf767aec9535fda8ac1162401f

It uses the radius.py library and not pyrad but I think that it can help with documenting the format of the message.

There is no EAP/PEAP tunneling there.

I hope this can help understand how the messages should be formatted.

I had a hard time reading all the PPP and RADIUS RFC to see how to format the messages ... but it was easier than reading the freeradius C code :)

I plan to migrate my code to pyrad ... but I don't know when.

I am testing it using a freeradius docker... and it's super fast after removing the delay on failure.
The gist has some freeradius configs, let me know if you need more info about the docker testing fixture.

# Remove the delay on failure.
# This is only used for testing so we don't want any delays.
sed -i 'Ns/.*reject_delay = .*/    reject_delay = 0/' /etc/raddb/radiusd.conf

@momentforever
Copy link

I tried to connect to Raidus using MS-CHAPv2 by adding MS-CHAP-Challenge and MS-CHAP2-Response to the request, but it ultimately failed.

# ...
  req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                             User_Name=username)
  req.AddAttribute("MS-CHAP-Challenge", b'\x00' * 8)
  req.AddAttribute("MS-CHAP2-Response", b'\x00' + struct.pack('<B', len(passwd)) + passwd.encode() + b'\x00' * 24)
# ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@GIC-de GIC-de

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@adiroiban @peppelinux @ccsalway @GIC-de @mneitsabes @noziwatele @csib @momentforever @kumar35959