guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Guacamole+Radius+Eap-tls
Date Mon, 22 Apr 2019 14:04:42 GMT
On Sun, Apr 21, 2019 at 7:08 PM drhy <dyoung@huntergroup.co.nz> wrote:

> Hi Nick,
>
> I've extensively tested the communications between the Windows Server
> Network Policy Server and the Guacamole RADIUS module on CentOS using:
> CentOS Minimal ISO, release 7.6.1810 (Core)
> Java 1.8.0 (java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64)
> Tomcat 8.5.38
> gcc compiler version 7.3.0
> (in more detail:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-1-0-0-with-Radius-and-MySQL-Step-by-step-for-Linux-newbies-td4748.html )
>
> In this environment the only successful authentication combination I've
> been able to get working between the RADIUS module and Windows Server
> Network Policy Server is PAP. In the catalina.out log the other
> combinations show either authentication failed messages or internal error
> messages, and sometimes an MD4 not available message.
>
> MD4 seems to be required for CHAP, MSCHAPv1 and MSCHAPv2. In addition, it
> appears that the more secure compound tunnels that NPS uses (for example,
> EAP-TLS) all still need CHAP in one form or another. MD4 is no longer
> included in the JDK hence anything requiring a variation of CHAP fails.
>

As far as I can tell, MD4 is not required for plain (non-MS) CHAP.  This is
according to the JRadius code that I'm using to implement the RADIUS
authentication provider.  It should only be required for MS-CHAP v1 and
v2.  Based on the code in the repo, the only thing that MD4 is used for in
MS-CHAP is hashing the NT password.  CHAP should still work fine without
MD4.

Also, as Kamal mentions, I've submitted a pull request to correct this:
https://github.com/apache/guacamole-client/pull/392

This should be corrected in the master branch before too long.  You can
test per my previous instructions - if you're able to that would be great,
as I don't have a RADIUS server supporting MS-CHAP available, so it's hard
for me to verify it works.  Sounds like Kamal has tested it successfully,
but with a previous version of the changes, so testing on the most recent
version would be great.

Also, as I've mentioned before, from a security perspective, MS-CHAP (with
MD4) may be more secure than plain text, but the reason MD4 was removed
from Java is because MD4 is not secure - it can be relatively easily
cracked (https://en.wikipedia.org/wiki/MD4#Security - "in a few
microseconds").  So, if security is of any reasonable concern to you
between Guacamole and your RADIUS server, I would not rely upon MS-CHAP - I
would use EAP-TLS or EAP-TTLS.  PEAP might be acceptable, too, but there's
a bug in JRadius that has not been addressed, yet, that renders PEAP
useless, so it currently will not work.

-Nick
