Skip to main content
Skip table of contents

MSCHAPv2

In the latest version MSCHAPv2 protocol is available in the VeridiumID Freeradius module. The module enables support for using PUSH or OTP authentication methods.

Compared to the other protocols (chap or pap), in order to activate PUSH authentication method, the provided user input should be push.

Modes supported:

  • MSCHAPv2

  • EAP-MSCHAPv2

  • PEAP-MSCHAPv2

Configuration

MSCHAP MPPE Policy

The MPPE policy may be configured from the Veridium Manager:

  1. Navigate to Settings / Advanced / freeradiusconfig.json

  2. Update the mschap_mppe_policy value that uses a bitmask as follows:

    1. The 1st bit controls the MPPE key creation

    2. The 2nd bit controls the Encryption policy (required or optional)

    3. The 3rd bit controls the Encryption methods (allow 128-bit or 56-bit encryption using RC4)

mschap_mppe_policy

0x000

No MS-MPPE-Recv-Key/MS-MPPE-Send-Key are created

0x001

MS-MPPE-Recv-Key/MS-MPPE-Send-Key keys are created and the encryption is optional

0x011

MS-MPPE-Recv-Key/MS-MPPE-Send-Key keys are created and the encryption is required.

0x111

Enforces encryption using 128-bit, otherwise 56-bit encryption is also allowed

https://www.rfc-editor.org/rfc/rfc2548

MSCHAPv2

This method is configured out of the box from previous version

The configuration steps listed bellow should only be followed to validate or create a custom configuration.

  1. Edit the /opt/veridiumid/freeradius/etc/raddb/sites-enabled/default

  2. Remove the mschap from authenticate and authorize sections.

  3. Update the Auth-Type MSCHAP block with:

    CODE
    Auth-Type MSCHAP {
      rest_orchestrator
    } 

EAP-MSCHAPv2

The steps from MSCHAPv2 configuration are required as prerequisites. Follow the next steps aftwerwards:

  1. Edit /opt/veridiumid/freeradius/etc/raddb/mods-enabled/eap and update eap.default_eap_type to mschapv2.

    CODE
    eap {
        ...
        default_eap_type = mschapv2
        ...
    }

PEAP-MSCHAPV2

This method is configured out of the box from previous version, and only certificates in /opt/veridiumid/freeradius/etc/raddb/certs should be updated with valid CA and valid Radius Server certificate.

The steps from MSCHAPv2 configuration are required as prerequisites. Follow the next steps afterwards:

  1. Edit /opt/veridiumid/freeradius/etc/raddb/mods-enabled/eap and update eap.default_eap_type to peap and eap.peap.default_eap_type to mschapv2.

    CODE
    eap {
        ...
        default_eap_type = peap
        ...
        
        peap {
            ...
            default_eap_type = mschapv2
            ...
        }
    }
  2. Make sure the certificates are properly configured in /opt/veridiumid/freeradius/etc/raddb/certs/. The default TLS configuration is managed in the /opt/veridiuid/freeradius/etc/raddb/mods-enabled/eap in the tls-config tls-common block.

Optional for specific veridium customers

  1. /opt/veridiuid/freeradius/etc/raddb/mods-enabled/default introduce attribute filter based on groups

image-20240201-123652.png

example for group filter https://deangrant.me/2014/02/07/freeradius-forward-filter-id-as-a-variable-to-post-authentication/

Radius Authentication method - Orchestration Matrix

The main difference between the other Radius authentication protocols, on MSCHAPv2 we can no longer relay on the password length or format.

Authentication Method

Input expected

Behavior

none

N/A

Authentication refused

PUSH

“push“

A push is sent to device and trigger

PIN + OTP Code

any passphrase distinct from the reserved value (“push“)

  • Accepted - pin + totp is correct

  • Rejected - pin + totp is incorrect

PIN + TOTP

PIN validation requires unsafe storage to be enabled for MSCHAP login validation when PIN + OTP authentication method is used. The PIN is stored in the database

  1. Navigate to Orchestrator / Authentication / Methods

  2. Edit PIN authentication method

  3. Enable “Allow Unsafe Storage'

Enrolled users must reset PIN from Self Service Portal or Mobile Application to activate this feature on their identity.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.