EAP-TTLS with EAP-MSCHAP2 not working with eapol-test #1206

Closed
AlexanderS opened this Issue Sep 2, 2015 · 14 comments

@AlexanderS

Hi,

using EAP-TTLS with EAP-MSCHAP2 as the phase2 method currently does not work with use_tunneled_reply (at least with eapol-test). The issue is that the response contains two MS-MPPE-*-Key pairs and eapol-test chooses the wrong one. The code at src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c only removes the MS-MPPE-Keys if it finds a PW_MSCHAP2_SUCCESS message in the response. But if the phase2 uses EAP-MSCHAP2 there is only an EAP response. There is already a FIXME in line 681 referencing EAP-MSCHAP2.

Maybe the EAP-TTLS code should drop the MS-MPPE-Keys in all cases if use_tunneled_reply is set. (The EAP-PEAP code already does something like that: src/modules/rlm_eap/types/rlm_eap_peap/peap.c).

Thanks,
Alex
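
The symptom reported in the post above (a RADIUS reply carrying two MS-MPPE-*-Key pairs) can be checked on a captured packet. This is an added example, not part of the original post and not FreeRADIUS code; the attribute numbers come from RFC 2548, and the sample packets and helper names are constructed for illustration.

```python
import struct
from collections import Counter

VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute (RFC 2865)
VENDOR_MICROSOFT = 311  # Microsoft vendor id (RFC 2548)
MPPE_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548

def mppe_key_counts(packet: bytes) -> Counter:
    """Count MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    counts, pos = Counter(), 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", VENDOR_MICROSOFT):
            sub = value[4:]
            # Walk the vendor sub-attributes: vendor-type, vendor-length, data.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] in MPPE_NAMES:
                    counts[MPPE_NAMES[sub[0]]] += 1
                sub = sub[sub[1]:]
        pos += alen
    return counts

def duplicated_mppe_keys(packet: bytes) -> list:
    """Names of MPPE key attributes that occur more than once (the reported symptom)."""
    return sorted(name for name, n in mppe_key_counts(packet).items() if n > 1)

# --- Constructed sample packets (placeholder key bytes, not real key material) ---
def _vsa(vendor_type: int, data: bytes) -> bytes:
    body = struct.pack("!IBB", VENDOR_MICROSOFT, vendor_type, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def _accept(attrs: bytes) -> bytes:  # code 2 = Access-Accept, zeroed authenticator
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

PAIR = _vsa(16, b"\x80\x01" + bytes(32)) + _vsa(17, b"\x80\x02" + bytes(32))
TWO_PAIRS = _accept(PAIR + PAIR)  # the reply shape the issue describes
ONE_PAIR = _accept(PAIR)          # a reply with a single key pair

if __name__ == "__main__":
    print(duplicated_mppe_keys(TWO_PAIRS), duplicated_mppe_keys(ONE_PAIR))
```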

@alandekok alandekok closed this in 1a3c629 Sep 2, 2015
@AlexanderS

I think the 2.x branch also requires a similar fix.

@arr2036
Member
arr2036 commented Sep 9, 2015

Is it a security issue?

@alandekok
Member

It's a usability one. Without the fix, TTLS + EAP-MSCHAPv2 won't work at all. For me, that's a critical piece of functionality which should work.

@arr2036
Member
arr2036 commented Sep 9, 2015

Then people should upgrade to v3.0.9

@arr2036
Member
arr2036 commented Sep 9, 2015

What's the advantage of TTLS-EAP-MSCHAPv2 over TTLS-PAP?

@arr2036
Member
arr2036 commented Sep 9, 2015

Security? Nope, compatibility? Nope. I guess it allows SoH...?

@alandekok
Member

It's a piece of core functionality. The fix is ~8 lines.

@ruyrybeyro

Hi Arran,

Better compatibility with iThings for instance, and better support and
easier to set up for people who connect to ADs for authentication.

On 9 September 2015 at 13:54, Arran Cudbard-Bell notifications@github.com
wrote:

> What's the advantage of TTLS-EAP-MSCHAPv2 over TTLS-PAP?


Regards,

Rui Ribeiro
Senior Sysadm
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434

@arr2036
Member
arr2036 commented Sep 9, 2015

iThings work just fine with TTLS-PAP, and doing cleartext binds against LDAP is faster and more scalable than using wbclient or ntlm_auth_helper.

@alanbuxey
Member

yes... but many sites use MSCHAPv2 rather than PAP - and for a reasonable
reason too - e.g. if they are using a public CA for their clients, ANYONE can
get a cert from the same CA and spoof their AP... with MSCHAPv2 you've got
some cloud cracking to do as well... with PAP - well, it's game over :/

On 9 September 2015 at 15:47, Arran Cudbard-Bell notifications@github.com
wrote:

> iThings work just fine with TTLS-PAP, and doing cleartext binds against
> LDAP is infinitely faster and more scalable than using wbclient or
> ntlm_auth_helper.


@arr2036
Member
arr2036 commented Sep 9, 2015

So it's not really a reasonable reason, it's the illusion of security which isn't.

@arr2036
Member
arr2036 commented Sep 9, 2015

Just like Mac-Auth - hshhshshhshshh :)

@alanbuxey
Member

yes but it costs money and takes more effort. PAP is password on a plate
with badly configured clients. obv. EAP-TLS or EAP-PWD is the way to go :)

On 9 September 2015 at 21:34, Arran Cudbard-Bell notifications@github.com
wrote:

> https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ less
> than a day in 2012...
