[RADIATOR] Simple Question Regarding Realm Handling

Heikki Vatiainen hvn at open.com.au
Fri Mar 25 11:39:36 UTC 2022


On 23.3.2022 17.55, Ullfig, Roberto Alfredo wrote:
 > Is there a good document that goes over PEAP, EAP, and MSCHAPV2?

With EAP I'd start with its RFC, search for introductory documents and 
watch messages generated by eapol_test, radpwtst, laptops and other 
clients. Simpler EAP methods, such as EAP-MD5, show the basic idea, and 
PEAP and others just add more requests with payloads such as TLS.
https://tools.ietf.org/search/rfc3748

With PEAP and EAP-MSCHAP-V2 I'd start with Microsoft's documentation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-peap/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-chap/

There have been Internet-Drafts that the IETF has published, but neither 
of these two ever made it to an RFC. The MS docs are the ones that are 
kept up-to-date.

PEAP is not usable by itself. That is, its purpose is to establish a TLS 
connection and then tunnel the desired EAP method, typically 
EAP-MSCHAP-V2 over that tunnel. PEAP always tunnels EAP. That tunnelled 
EAP is the one that does authentication.

If TLS session resumption is enabled, then the abbreviated TLS handshake 
that PEAP does is enough. However, resumption can only happen if the full 
tunnelled EAP method has succeeded first.

EAP-MSCHAP-V2 is usable by itself too. Some VPN clients, for example, 
can use it without PEAP. PEAP is used with Wi-Fi to ensure MSCHAPv2 
content can not be monitored by an eavesdropper. CHAP and its 
derivatives need protection.

EAP-MSCHAP-V2 encapsulates MSCHAPv2; therefore it's possible to convert 
it to a request that looks like MSCHAPv2 over RADIUS.

Username rewrite is possible with AuthBy NTLM and AuthBy LSA, but it 
needs to be done with NtlmRewriteHook or LSARewriteHook within their 
respective AuthBy clauses. The MSCHAP algorithm must run first with the 
unmodified username, because it's part of the calculation, and the 
results are then passed to Windows for authentication.

At this point the username is needed just to look up password hash 
material within Windows. In other words, a rewritten username can be 
passed to Windows.

Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
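The point about running the MSCHAP algorithm on the unmodified username before any rewrite can be seen in the RFC 2759 ChallengeHash() step, which folds the user name into the 8-byte challenge that the NT-Response is computed over. The following is an added example written for this thread, not Radiator code and not how NtlmRewriteHook or LSARewriteHook are implemented; the challenge bytes and user names are constructed, and `rewrite` is a hypothetical stand-in for whatever a hook would do.

```python
import hashlib
from typing import Callable, Tuple


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   wire_username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA1 over PeerChallenge (16 octets), AuthenticatorChallenge (16 octets)
    and the user name, truncated to 8 octets. The RFC specifies that only the
    name as presented by the peer, with any prefixed Windows domain
    ("DOMAIN\\user") removed, is hashed. Any other change to the name (for
    example stripping a realm suffix) changes the challenge and therefore
    the NT-Response the client computed, so it cannot happen before this step.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAP-V2 challenges are 16 octets each")
    # Keep only the part after a backslash, as RFC 2759 requires.
    name = wire_username.rsplit(b"\\", 1)[-1]
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(name)
    return h.digest()[:8]


def mschap_then_rewrite(peer_challenge: bytes, authenticator_challenge: bytes,
                        wire_username: bytes,
                        rewrite: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
    """Model of the ordering described in the post.

    The challenge is derived from the user name exactly as the client sent
    it; only afterwards is a rewritten name produced for looking up the
    password hash material. Returns (challenge, lookup_name).
    """
    challenge = challenge_hash(peer_challenge, authenticator_challenge, wire_username)
    lookup_name = rewrite(wire_username)   # hypothetical hook: applied after the hash
    return challenge, lookup_name


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    sent = b"alice@example.com"
    strip_realm = lambda u: u.split(b"@", 1)[0]
    chal, lookup = mschap_then_rewrite(peer, auth, sent, strip_realm)
    print("challenge:", chal.hex(), "lookup name:", lookup.decode())
```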

