MSCHAPv2 AD Password + Token
Hi,
I tried this setup and it was working with PAP as per radtest, but it fails on an actual Windows client with default settings with MS-CHAPv2.
I would like to start a discussion about this in the hope of finding materials on its possibility.
I am organizing my configurations and documentation on this effort and will try to post them here.
Thanks,
This discussion has been closed.
Comments
For obvious security reasons, the AD password is never stored in clear text on the multiOTP side, and therefore it's not possible to try to create different MS-CHAPv2 hashes with the locally stored AD password and one of the expected tokens.
If you want to do MSCHAPv2 authentication, you have to use the PIN/internal password + token.
Best regards,
Andre
http://serverfault.com/questions/697304/multiotp-freeradius-ms-active-directory
I commented on the post in the form of a quick answer as my previous posts are being deleted. Not sure if I am really correct with that conclusion.
With PIN + Token, isn't it the same case with MS-CHAPv2? Will multiOTP take care of generating the hash that will be compared to the one coming from the client login?
Username: username
Password: [password] + [OTP]
You can now use:
Username: username:OTP
Password: password
Example for username = john, password = myBigPassword, OTP = 123456
Username: john:123456
Password: myBigPassword
As the OTP changes all the time, it's totally secure (BUT with MS-CHAPv2, we will still not be able to check the authentication on an AD/LDAP server)
Any feedback welcome
Andre