From: drhy
To: user@guacamole.apache.org
Date: Sun, 21 Apr 2019 22:19:32 -0500 (CDT)
Subject: Re: Guacamole+Radius+Eap-tls
Message-ID: <1555903172456-0.post@n4.nabble.com>
In-Reply-To: <1555888087354-0.post@n4.nabble.com>

Hi Kamal,

As I mentioned, Microsoft Network Policy Server (NPS) seems to want some type of CHAP in almost all of the RADIUS requests, except PAP. CHAP, MS-CHAP and MS-CHAPv2 have been attacked:

https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
http://itsecgames.blogspot.com/2012/09/attacking-ms-chap-v2.html

They all use MD4, which has also been attacked and has now been "retired" as a standard:

https://tools.ietf.org/html/rfc6150

However, as you have also commented, NPS's more secure EAP-TLS protocol still needs to tunnel CHAP and MD4. I found this:

https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/classes/sun/security/provider/MD4.java

It would be useful for MD4.java to be included in the RADIUS Authentication Provider to support secure communication with NPS, but I don't know how to.

In the meantime I'm using CentOS's built-in IPsec and the Windows Server L2TP/IPsec capability.

https://www.thomasmaurer.ch/2018/05/how-to-install-vpn-on-windows-server-2019/
https://www.myip.io/how-to-details/configure-l2tp-centos

and/or

http://spottedhyena.co.uk/centos-67-ipsecl2tp-vpn-client-unifi-usg-l2tp-server/

-David

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/