(RADIATOR) FW: Possible to Proxy PEAP-EAP-MSCHAP v2 to IAS? Answer: sort of

Tom Rixom tom.rixom at alfa-ariss.com
Tue Feb 17 01:42:12 CST 2004


Hi All,

I would like to share my findings of last week when I successfully set up
the following connection:

EAP-MSCHAPV2<---------------------------------------------------->
EAP-TTLS    <-------------------------------------->
SecureW2 Client 2.0.0 -- AP (Cisco 1100) -- Radiator (Linux) -- IAS (Windows 2K)

I did it without any special patches for Radiator. Only a small change
to the IAS registry settings was needed to allow it to do EAP-MSCHAPV2.

It works perfectly with Active Directory users and I have also successfully
authenticated a domain computer using 802.1X.
I did however run into a small problem which was that the "Enable dial-in" option 
is not available in Windows 2K for domain computers which resulted in the domain
computer getting an access denied... 

I am going to try out Windows 2003 next and I hope I can get past the domain
computer "dial-in" problem. Or does anyone here have any info on this? Does 
PEAP-EAP-MSCHAPV2 have this problem?

I tried the same trick with PEAP and proxied EAP-MSCHAPV2 and this does not 
work as IAS requires a special attribute to be sent through the TLS tunnel,
which PEAP of course does not send... ;)

BTW. this was all done using the next SecureW2 Client 2.0.0 which will run on
Windows 2K/XP (Free) and Pocket PC 2003 (Licensed). Release date: Q1 (soon)

Regards,

Tom Rixom
Alfa & Ariss