[RADIATOR] MSCHAPv2 with BCrypt passwords

Sami Keski-Kasari samikk at open.com.au
Mon Jan 19 02:41:33 CST 2015


Hello Mike,

MSCHAPv2 is a mutual challenge-response protocol.
The client does not send the password in NT-hash format.
The NT-hashed password is used to calculate the response to the challenge.

Because MSCHAPv2 is mutual, both the client and the server must be able to
calculate the correct response. That is why the server can't just decide that
authentication is successful, as it can with PAP, for example.

I think that it is not possible to get PEAP with MSCHAPv2 working with
bcrypt hashed passwords.

Best Regards,
 Sami

On 01/16/2015 07:52 PM, Mike Puchol wrote:
> Greetings,
> 
> I'm working on a deployment that should support PEAP with MSCHAPv2, but which cannot have either plaintext passwords or NT hashes stored (the latter can be decrypted in milliseconds on sites such as http://www.hashkiller.co.uk/ntlm-decrypter.aspx).
> 
> Passwords are stored in BCrypt hash format, so my questions are:
> 
> 1. I could, when signing users up, do plaintext -> nthash -> bcrypt, and then compare the incoming nthash from the client also passed through bcrypt inside a hook. I've spent the last two days looking at hook examples, mailing list posts and the documentation, but I cannot figure out where to put the hook, or how to get the nthash from the EAP messages.
> 
> 2. A secondary question, derived from #1 above: is there any documentation on hooks that explains how/what parameters and functions are available for each hook type? I don't mind looking through code, but I've not found a clear answer. Example: for PreAuthHook, we're told $_[0] contains a "reference to the current request"... kind of vague.
> 
> I'm doing AuthBy SQL, no LDAP (found tons of password-related info for LDAP and its hooks... but not useful).
> 
> Cheers,
> 
> Mike
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>