
MSCHAPv2

Starting with release 3.4, the MSCHAPv2 protocol is integrated in the VeridiumID FreeRADIUS module. Over MSCHAPv2 the module supports the PUSH and OTP authentication methods.

As with the other protocols (chap or pap), the PUSH authentication method is activated when the user input provided as the password is the reserved value push.

Supported modes:

  • MSCHAPv2

  • EAP-MSCHAPv2

  • PEAP-MSCHAPv2

Configuration

MSCHAPv2

This method is configured out of the box starting with version 3.4.

The configuration steps listed below are only needed to validate the default configuration or to create a custom one.

  1. Edit the /opt/veridiumid/freeradius/etc/raddb/sites-enabled/default file.

  2. Remove the mschap entry from the authenticate and authorize sections.

  3. Update the Auth-Type MSCHAP block to:

    CODE
    Auth-Type MSCHAP {
      rest_orchestrator
    }

EAP-MSCHAPv2

The steps from the MSCHAPv2 configuration are required as prerequisites. Follow the next steps afterwards:

  1. Edit /opt/veridiumid/freeradius/etc/raddb/mods-enabled/eap and set eap.default_eap_type to mschapv2.

    CODE
    eap {
        ...
        default_eap_type = mschapv2
        ...
    }

PEAP-MSCHAPv2

This method is configured out of the box starting with version 3.4; only the certificates in /opt/veridiumid/freeradius/etc/raddb/certs need to be replaced with a valid CA certificate and a valid RADIUS server certificate.

The steps from the MSCHAPv2 configuration are required as prerequisites. Follow the next steps afterwards:

  1. Edit /opt/veridiumid/freeradius/etc/raddb/mods-enabled/eap and set eap.default_eap_type to peap and eap.peap.default_eap_type to mschapv2.

    CODE
    eap {
        ...
        default_eap_type = peap
        ...
        
        peap {
            ...
            default_eap_type = mschapv2
            ...
        }
    }

  2. Make sure the certificates are properly configured in /opt/veridiumid/freeradius/etc/raddb/certs/. The default TLS configuration is managed in /opt/veridiumid/freeradius/etc/raddb/mods-enabled/eap, in the tls-config tls-common block.

Radius Authentication method - Orchestration Matrix

The main difference from the other RADIUS authentication protocols is that with MSCHAPv2 we can no longer rely on the password length or format to select the authentication method: the server receives only a challenge response derived from the password, never the password itself.

| Authentication Method | Input expected | Behavior |
| --- | --- | --- |
| none | N/A | Authentication refused |
| PUSH | "push" | A push is sent to the device and triggers the authentication |
| PIN + OTP Code | any passphrase distinct from the reserved value ("push") | Accepted if pin + totp is correct; rejected if pin + totp is incorrect |
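The matrix above as an added example (not the VeridiumID module's own code): because MSCHAPv2 delivers only a challenge response, the server selects the row by recomputing the response it would expect for each credential it knows (an empty input, the reserved value, and the PIN plus the current TOTP). The RFC 2759 NT-Response (MD4 + DES) is replaced here by an HMAC-SHA1 stand-in because the Python standard library lacks those primitives; the PIN, seed, challenge and clock are constructed demo values and the clock-skew window is an assumption.

```python
import hashlib
import hmac
import struct

# Reserved password value that selects the PUSH method (from the matrix above).
RESERVED_PUSH = "push"
TOTP_STEP = 30


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 s time-step containing `at`."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def challenge_response(challenge: bytes, credential: str) -> bytes:
    """Stand-in for the MSCHAPv2 NT-Response (RFC 2759 uses DES over an MD4
    hash). The property the matrix depends on is the same: the server gets a
    keyed function of the challenge, never the credential itself."""
    key = credential.encode("utf-16-le")
    return hmac.new(key, challenge, hashlib.sha1).digest()


def orchestrate(challenge: bytes, response: bytes, pin: str,
                totp_secret: bytes, now: int, window: int = 1) -> str:
    """Apply the orchestration matrix to a received response by recomputing
    the expected response for every candidate credential the server knows."""
    def matches(credential: str) -> bool:
        expected = challenge_response(challenge, credential)
        return hmac.compare_digest(expected, response)

    if matches(""):
        return "refused"       # no input: authentication refused
    if matches(RESERVED_PUSH):
        return "push"          # reserved value: send a push to the device
    for drift in range(-window, window + 1):   # assumed clock-skew tolerance
        if matches(pin + totp(totp_secret, now + drift * TOTP_STEP)):
            return "accepted"  # pin + totp correct
    return "rejected"          # anything else: pin + totp incorrect


def demo() -> list:
    """Constructed enrolment (PIN, seed), challenge and clock: one request
    per matrix row, plus a request with a wrong PIN."""
    pin, seed, now = "1234", b"constructed-seed", 1_700_000_000
    challenge = bytes(range(16))
    inputs = ["push", pin + totp(seed, now), "0000" + totp(seed, now), ""]
    return [orchestrate(challenge, challenge_response(challenge, i),
                        pin, seed, now) for i in inputs]
```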
