search

pyradius / pyrad

Python RADIUS Implementation
BSD 3-Clause "New" or "Revised" License
294 stars 187 forks source link

Add support for EAP/PEAP/MSCHAP auth #40

Open ghost opened 7 years ago

ghost commented 7 years ago

Please add support for EAP/PEAP/MSCHAP authorization. PAP is not suitable since it sends plaintext passwords.

peppelinux commented 7 years ago

I'm going to face the same problem, Auth-type CHAP means to let the sysadmins to read cleartext password in /var/log/freeradius/radius.log if the radius configuration have auth_goodpass and auth_badpass configured to true.

We really need to introduce PEAP o, at least MSCHAP. CHAP is unusable in production environment.

ccsalway commented 6 years ago

Can the following URL be used to jumpstart EAP support

https://w1.fi/cgit/hostap/plain/tests/hwsim/test_eap_proto.py

csib commented 5 years ago

+1 for MSCHAPv2 I think it's really needed in 2019 PAP is so weak and Windows 10 cant access to set encyption if PAP is enabled only.

kumar35959 commented 4 years ago

+1 for EAP/PEAP/MSCHAP

mneitsabes commented 3 years ago

Here is my Python implementation for EAP-MSCHAPv2 only, maybe it can help : https://github.com/mneitsabes/RADIUS-EAP-MSCHAPv2-Python-client

noziwatele commented 3 years ago

+1 for EAP/PEAP/MSCHAP :)

adiroiban commented 3 years ago

If it helps, this is my CHAP / MS-CHAP / MS-CHAP-v2 code written in Python 2.7 and Twisted:

https://gist.github.com/adiroiban/59eb28cf767aec9535fda8ac1162401f

It uses the radius.py library and not pyrad but I think that it can help with documenting the format of the message.

There is no EAP/PEAP tunneling there.

I hope this can help understand how the messages should be formatted.

I had a hard time reading all the PPP and RADIUS RFC to see how to format the messages ... but it was easier than reading the freeradius C code :)

I plan to migrate my code to pyrad ... but I don't know when.

I am testing it using a freeradius docker... and it's super fast after removing the delay on failure. The gist has some freeradius configs, let me know if you need more info about the docker testing fixture.

# Remove the delay on failure.
# This is only used for testing so we don't want any delays.
sed -i 'Ns/.*reject_delay = .*/    reject_delay = 0/' /etc/raddb/radiusd.conf
momentforever commented 1 year ago

I tried to connect to Raidus using MS-CHAPv2 by adding MS-CHAP-Challenge and MS-CHAP2-Response to the request, but it ultimately failed.

# ...
  req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                             User_Name=username)
  req.AddAttribute("MS-CHAP-Challenge", b'\x00' * 8)
  req.AddAttribute("MS-CHAP2-Response", b'\x00' + struct.pack('<B', len(passwd)) + passwd.encode() + b'\x00' * 24)
# ...