MSCHAPv2 AD Password + Token

Hi,

I tried this setup and it was working on PAP as per radtest, but it fails on an actual Windows client with default settings using MSCHAPv2.

I would like to start a discussion about this in the hope of finding materials on whether it is possible.

I am organizing my configurations and documentation on this effort and will try to post them here.

Thanks,

Comments

  • edited February 2016
Hello, MSCHAPv2 with AD password cannot work, because MSCHAPv2 will create a hash based on the AD password AND the token. When it arrives on the multiOTP server, it's just impossible to separate the password and the token from the hash again!

For obvious security reasons, the AD password is never stored in clear text on the multiOTP side, and therefore it's not possible to try to create the different MSCHAPv2 hashes from the locally stored AD password and one of the expected tokens.

    If you want to do MSCHAPv2 authentication, you have to use the PIN/internal password + token.

    Best regards,

    Andre
  • Here is a link to the same issue that I am encountering with this setup:

    http://serverfault.com/questions/697304/multiotp-freeradius-ms-active-directory

    I commented on the post in the form of a quick answer, as my previous posts are being deleted. Not sure if I am really correct with that conclusion.
  • Thanks, Andre, this verifies my observation.
  • Hi Andre,
    With PIN + Token, isn't it the same case in MSCHAPv2? Will multiOTP take care of generating the hash that will be compared to the one coming from the client login?

  • With PIN + token, it's different, as the PIN is known by multiOTP, so it can calculate the different [PIN + token] hashes that can be accepted.
  • edited March 2017
    Instead of:

        Username: username
        Password: [password] + [OTP]

    You can now use:

        Username: username:OTP
        Password: password

    Example for username = john, password = myBigPassword, OTP = 123456

        Username: john:123456
        Password: myBigPassword

    As the OTP changes all the time, it's totally secure (BUT with MS-CHAPv2, we will still not be able to check the authentication on an AD/LDAP server).

    Any feedback welcome

    Andre
  • edited January 2017
    Hi, can you explain how to set this up? We want to use AD authentication + OTP with the AD password, for example: test:166052

    multiotp 5.0.3.3-beta-8

        Your script is running from C:\Admin\multiotp\windows\
        2017-01-18 17:38:38 debug Debug Debug: *parameter(s) received: -base-dir=C:/Admin/multiotp/windows/ -keep-local -log -debug test:166052 -src=192.168.1.141 -chap-challenge= -chap-password= -ms-chap-challenge=0x5bb2106ac4b03d9f -ms-chap-response=0x000100000000000000000000000000000000000000000000000089fe9e1acc42370958fcfd0d8cb655dacba395f546aca7e7 -ms-chap2-response= from 192.168.1.141
        2017-01-18 17:38:38 warning System Error: database file C:\Admin\multiotp\windows\users\test:166052.db for user test:166052 does not exist from 192.168.1.141
        2017-01-18 17:38:38 debug Debug Debug: *21 ERROR: User doesn't exist from 192.168.1.141

    How does multiotp recognize ":OTP" from the username?
  • Hello, we are investigating. We will keep you posted as soon as possible. Have a nice day
  • Hi YannJ, thanks. I am waiting for info.
  • Hello, unfortunately we cannot re-use the MSCHAPv2 exchange to authenticate against the AD using LDAP/AD, as MSCHAPv2 doesn't contain a hash of the password, but a hash (calculated using the password) of dynamically negotiated content. Regards, Andre
  • An ugly hack could be to simulate a DC server on the multiOTP server; we could then receive the NTLM hash of any user and use it to check the MSCHAPv2 result, but it's really not very clean. Regards
This discussion has been closed.