guacamole-user mailing list archives

From drhy <dyo...@huntergroup.co.nz>
Subject Re: Guacamole+Radius+Eap-tls
Date Mon, 22 Apr 2019 03:19:32 GMT
Hi Kamal,

As I mentioned, Microsoft Network Policy Server (NPS) seems to want some type
of CHAP in almost all of the Radius Requests, except PAP. CHAP,
MS-CHAP and MS-CHAPv2 have been attacked:
https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
http://itsecgames.blogspot.com/2012/09/attacking-ms-chap-v2.html

They all use MD4, which has also been attacked and has now been "retired" as
a standard:
https://tools.ietf.org/html/rfc6150

However, as you have also commented, NPS's more secure EAP-TLS protocol
still needs to tunnel CHAP and MD4. I found this:
https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/classes/sun/security/provider/MD4.java
It would be useful for MD4.java to be included in the Radius Authentication
Provider to support secure communication with NPS, but I don't know how to.

In the meantime I'm using CentOS's built-in IPsec and the Windows Server
L2TP/IPsec capability.
https://www.thomasmaurer.ch/2018/05/how-to-install-vpn-on-windows-server-2019/
https://www.myip.io/how-to-details/configure-l2tp-centos
and/or
http://spottedhyena.co.uk/centos-67-ipsecl2tp-vpn-client-unifi-usg-l2tp-server/

-David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
