(RADIATOR) FW: Possible to Proxy PEAP-EAP-MSCHAP v2 to IAS? Answer: sort of

Tom Rixom tom.rixom at alfa-ariss.com
Wed Feb 18 01:43:17 CST 2004


Mike,

You need to remove (or rename) the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26\RolesSupported

As this key is not documented I cannot say if this affects the use of PEAP-EAP-MSCHAPV2.

I have tested this on Windows 2000 SP4. I will be testing Windows 2003 soon.

Regards,

Tom



> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday, February 17, 2004 11:45 PM
> To: Tom Rixom; radiator at open.com.au
> Subject: Re: (RADIATOR) FW: Possible to Proxy PEAP-EAP-MSCHAP v2 to IAS? Answer: sort of
> 
> 
> Hi Tom,
> 
> thanks for the summary.
> 
> What was the registry change to IAS to permit EAP-MSCHAPV2?
> 
> Cheers.
> 
> On Tue, 17 Feb 2004 06:42 pm, Tom Rixom wrote:
> > Hi All,
> >
> > I would like to share my findings of last week when I successfully set up
> > the following connection:
> >
> > EAP-MSCHAPV2<---------------------------------------------------->
> > EAP-TTLS <-------------------------------------->
> > SecureW2 Client 2.0.0 -- AP (Cisco 1100) -- Radiator (Linux) -- IAS (Windows 2K)
> >
> > I did it without any special patches for Radiator. Only a small change
> > to the IAS registry settings was needed to allow it to do EAP-MSCHAPV2.
> >
> > It works perfectly with Active Directory users and I have also successfully
> > authenticated a domain computer using 802.1X.
> > I did however run into a small problem which was that the "Enable dial-in"
> > option is not available in Windows 2K for domain computers which resulted
> > in the domain computer getting an access denied...
> >
> > I am going to try out Windows 2003 next and I hope I can get past the
> > domain computer "dial-in" problem. Or does anyone here have any info on
> > this? Does PEAP-EAP-MSCHAPV2 have this problem?
> >
> > I tried the same trick with PEAP and proxied EAP-MSCHAPV2 and this does not
> > work as IAS requires a special attribute to be sent through the TLS tunnel,
> > which PEAP of course does not send... ;)
> >
> > BTW. this was all done using the next SecureW2 Client 2.0.0 which will run
> > on Windows 2K/XP (Free) and Pocket PC 2003 (Licensed). Release date: Q1
> > (soon)
> >
> > Regards,
> >
> > Tom Rixom
> > Alfa & Ariss
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.