9

Can't find any flowcharts on how communication works between peers. I know how it works in RADIUS with PAP enabled, but it appears that with MS-CHAPv2 there's a whole lot of work to be developed.

I'm trying to develop a RADIUS server to receive and authenticate user requests. Please help me in the form of Information not code.

QuantumMechanic

3 Answers

17

MSCHAPv2 is pretty complicated and is typically performed within another EAP method such as EAP-TLS, EAP-TTLS or PEAP. These outer methods encrypt the MSCHAPv2 exchange using TLS. The figure below for example, shows a PEAP flowchart where a client or supplicant establishes a TLS tunnel with the RADIUS server (the Authentication Server) and performs the MSCHAPv2 exchange.

[figure: PEAP flowchart, supplicant to Authentication Server, with the MSCHAPv2 exchange inside the TLS tunnel]

The MSCHAPv2 exchange itself can be summarized as follows:

  • The AS starts by generating a 16-byte random server challenge and sends it to the Supplicant.
  • The Supplicant also generates a random 16-byte peer challenge. Then the challenge response is calculated based on the user's password. This challenge response is transmitted back to the AS, along with the peer challenge.
  • The AS checks the challenge response.
  • The AS calculates a peer challenge response based on the password and peer challenge.
  • The Supplicant checks the peer challenge response, completing the MSCHAPv2 authentication.

If you'd like to learn about the details and precise calculations involved, feel free to check out my thesis here. Sections 4.5.4 and 4.5.3 should contain all information you need in order to implement a RADIUS server capable of performing an MSCHAP exchange.

As you can see in the figure, many different keys are derived and used. This document provides a very intuitive insight into their functionality. However, the CSK is not explained in this document. This key is optionally used for "cryptobinding", i.e. in order to prove to the AS that both the TLS tunnel and MSCHAPv2 exchange were performed by the same peer. It is possible to derive the MSK from only the TLS master secret, but then you will be vulnerable to a relay attack (the thesis also contains a research paper which gives an example of such an attack).

Finally, the asleap readme gives another good and general step by step description of the MSCHAPv2 protocol, which might help you further.

red
  • You are amazing, thank you for all of that. I've been looking for such a flowchart for a very long time; I'm only familiar with RADIUS PAP and wrote code to support that with Access-Requests and Challenge. MSCHAP seemed very complicated and my node.js library doesn't support it so I'm basically stuck creating something from scratch. I'm sorry for my noobiness, but: CSK&PMK&MSK&AS=? Is the entire process done with the RADIUS Server, or is the tunnel and 3-way handshake done with the NAS and then authentication with the server? I guess what I'm trying to do is simplify it to noob terms –  May 19 '15 at 10:29
  • such as in PAP: Access-Request -> Access-Reject/Accept/Challenge. As far as I can tell, MSCHAPv2: Access-Request (without password) sends 2 new lines: MS-CHAP-Challenge: string of some kind, guessing it's a key. MS-CHAP2-Response: longer string of some kind... guessing it's the encrypted password. Then I'm supposed to decrypt it using my shared secret and the CHAP-Challenge and, based on checking with the user DB whether the password is correct, I send back Accept/Reject. Is that how it works? I'm really sorry, I've read the RFC and other sites so many times and I'm desperate to hear some light –  May 19 '15 at 10:32
  • But I do appreciate your time and help –  May 19 '15 at 10:33
  • Your thesis looks very impressive, I had my fun pentesting wifi back in the day –  May 19 '15 at 10:42
  • Thanks, I'm happy to hear that! I will answer the remainder of your questions in my updated answer. – red May 19 '15 at 11:51
  • Answer updated :). Feel free to let me know if anything is unclear. – red May 19 '15 at 12:32
  • Using what you wrote combined with the brief description from this site: https://technet.microsoft.com/en-us/library/cc957983.aspx I'm uncertain about the following: In my scenario there's a Supplicant, a NAS (a form of SSL-VPN portal that receives the UN&PW from the supplicant) and an AS which is me. In my lab environment, when I put in the UN&PW and check Wireshark I can see that I already receive the MS-CHAP-Response & MS-CHAP2-Challenge which look like stage 3 in the link I added (or stage 3&4 in yours). How can that be? Am I not supposed to be the one who starts the process? –  May 19 '15 at 12:54
  • If I'm right, and that is indeed stage 3&4, all I have left now is to decrypt the Challenge using the RADIUS shared secret and check that it's identical to the password in my DB. Based on the result I send Success/Failure messages back and I'm done. Am I wrong? –  May 19 '15 at 12:56
  • The supplicant can only calculate the challenge response based on a challenge, so you should see it in Wireshark. Can you be a bit more specific about your setup? Concerning your second comment: I don't think it is a good idea to try to decrypt the challenge response, check the FreeRADIUS source to be sure. If I recall correctly they perform an identical encryption of the challenge (i.e. by using the user's credentials) and compare the resulting challenge response with the received challenge response. – red May 19 '15 at 22:13
  • In your diagram and in your text here (and in RFC2759) it talks about the AS starting the auth sequence by sending a challenge to the NAS, which then sends the access request and finally receives an accept or reject for a total of 3 packets. But when I set up my RADIUS NAS and server to use "bare" MS-CHAPv2 (i.e. not in any outer protocol) and fire up Wireshark I only see an `Access-Request` (with the MS-CHAPv2 attributes) and an `Access-Accept` (with `MS-CHAP2-Success` attribute) or `Access-Reject` with `MS-CHAP-Error` attribute. Either way, only *two* packets. So what's going on? – QuantumMechanic Dec 21 '16 at 15:26
1

Unfortunately I can't add any more comments; the demand is for me to have 50 reputation.

To your request: My lab environment is of SSL-VPN used with an AS of RADIUS. Constructed with the following 3 items:

  1. End-User -> there's no 'client' installed, the connection starts through a web portal. client = web browser

  2. NAS -> This is the machine that provides the web portal (the place the End-User enters the Username & Password) AND acts as a RADIUS Client, transferring requests to the AS.

  3. AS(RADIUS) -> This is me. I receive the access-requests and validate the username & password.

So in accordance with that, what i receive in the Access-Request is:

MS-CHAP2-Response: 7d00995134e04768014856243ebad1136e3f00000000000000005a7d2e6888dd31963e220fa0b700b71e07644437bd9c9e09

MS-CHAP-Challenge: 838577fcbd20e293d7b06029f8b1cd0b

According to RFC2548:

  • MS-CHAP-Challenge This Attribute contains the challenge sent by a NAS to a Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user. It MAY be used in both Access-Request and Access-Challenge packets.

  • MS-CHAP2-Response This Attribute contains the response value provided by an MS- CHAP-V2 peer in response to the challenge. It is only used in Access-Request packets.

If I understand correctly, and please be calm, this is all very new to me, based on your flowchart the AS is also the Authenticator who inits the LCP. And in my case, the LCP is initiated by the NAS, so my life is made simple and I only get the Access-Request without needing to create the tunnel.

My question now is, how do I decrypt the password? I understood there's a random challenge 16-byte key but that is held by the NAS.

From my recollection, I only need to know the shared secret and decrypt the whole thing using the algorithm described in your thesis.

But the algorithm is huge; I've tried different sites to see which part of it the AS is supposed to use and failed in each attempt to decrypt. Since I can't ask for help anymore in this thread, I can only say this little textbox cannot fill the amount of gratitude I have for your help, truly lucky to have you see my thread.

Do email me, my contact info is in my profile. Also, for some reason I can't mark your answer as a solution.

Shaul
  • In my flowchart, the NAS (Authenticator) and RADIUS server (AS) are applications running on the same machine. I did this to hide the access request and access challenge packets. In essence, the Authenticator only relays messages to the AS and does not perform any authentication related tasks by itself. If you find this confusing perhaps this flowchart will help you: https://documentation.meraki.com/@api/deki/files/1597/=fecfbf3c-50e7-4261-9945-8bfc525e9bfc?revision=1 – red May 21 '15 at 14:27
  • 1
    Then for your second question: if I understand correctly, you want to decrypt the user's password on the Authenticator? It's been a while since my thesis, but I don't think that is possible, since the TLS tunnel is setup between the supplicant and the AS. As a man-in-the-middle, you cannot decrypt the password there. What you can do is decrypt the MPPE keys, which are encrypted with the shared secret between AS and Authenticator. The Authenticator needs knowledge of the MPPE keys because that's what it will use to communicate, but it should not be able to intercept the user's credentials. – red May 21 '15 at 14:30
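Shaul's answer above quotes the RFC 2548 definitions of MS-CHAP-Challenge and MS-CHAP2-Response and shows the two values his NAS forwards. Both ride inside RADIUS Vendor-Specific attributes (Type 26, Vendor-Id 311 for Microsoft, then a Vendor-Type, a Vendor-Length and the value), so a server that already handles PAP Access-Requests needs one extra parsing step to reach them. The Go program below is an added example written for this page; it is not code from the thread, from FreeRADIUS or from any library. It builds a constructed Access-Request around the two values posted above (the user name "shaul" and the all-zero Request Authenticator are made up for the example; a real Request Authenticator is 16 random bytes), parses it back with a length check at every step, and shows how the MS-CHAP2-Success attribute for the Access-Accept is encoded. The Vendor-Type numbers 11, 25 and 26 are the RFC 2548 assignments for MS-CHAP-Challenge, MS-CHAP2-Response and MS-CHAP2-Success.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RADIUS (RFC 2865) and Microsoft vendor-specific (RFC 2548) constants used below.
const (
	codeAccessRequest = 1
	attrUserName      = 1
	attrVendorSpec    = 26
	vendorMicrosoft   = 311
	msChapChallenge   = 11 // Vendor-Type of MS-CHAP-Challenge (16-byte value)
	msChap2Response   = 25 // Vendor-Type of MS-CHAP2-Response (50-byte value)
	msChap2Success    = 26 // Vendor-Type of MS-CHAP2-Success (Ident + "S=..." string)
)

// MSCHAPAttrs is what the AS needs out of a bare MS-CHAPv2 Access-Request.
type MSCHAPAttrs struct {
	UserName  string
	Challenge []byte // MS-CHAP-Challenge value
	Response  []byte // MS-CHAP2-Response value: Ident, Flags, Peer-Challenge, Reserved, Response
}

func Attr(typ byte, val []byte) []byte { // plain attribute: Type, Length (incl. these 2 bytes), Value
	return append([]byte{typ, byte(2 + len(val))}, val...)
}

// MSVSA wraps a Microsoft sub-attribute in a Vendor-Specific attribute:
// Type 26, Length, Vendor-Id 311, Vendor-Type, Vendor-Length, value.
func MSVSA(vt byte, val []byte) []byte {
	a := []byte{attrVendorSpec, byte(8 + len(val)), 0, 0, 0, 0, vt, byte(2 + len(val))}
	binary.BigEndian.PutUint32(a[2:6], vendorMicrosoft)
	return append(a, val...)
}

// Packet assembles Code, Identifier, Length, the 16-byte Authenticator and the attributes.
func Packet(code, id byte, authenticator []byte, attrs ...[]byte) []byte {
	pkt := append([]byte{code, id, 0, 0}, authenticator...)
	for _, a := range attrs {
		pkt = append(pkt, a...)
	}
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	return pkt
}

// ParseAccessRequest walks the attribute list and pulls out User-Name plus the two Microsoft
// sub-attributes. Every length is checked before use: this runs on unauthenticated network bytes.
func ParseAccessRequest(pkt []byte) (MSCHAPAttrs, error) {
	var out MSCHAPAttrs
	if len(pkt) < 20 || pkt[0] != codeAccessRequest || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return out, errors.New("not a well-formed Access-Request")
	}
	for p := pkt[20:]; len(p) > 0; p = p[p[1]:] {
		if len(p) < 2 || int(p[1]) < 2 || int(p[1]) > len(p) {
			return out, errors.New("bad attribute length")
		}
		typ, val := p[0], p[2:p[1]]
		if typ == attrUserName {
			out.UserName = string(val)
			continue
		}
		if typ != attrVendorSpec || len(val) < 6 || binary.BigEndian.Uint32(val[:4]) != vendorMicrosoft {
			continue // some other attribute or another vendor: not ours to interpret
		}
		vt, vl := val[4], int(val[5])
		if vl < 2 || 4+vl > len(val) {
			return out, errors.New("bad vendor attribute length")
		}
		switch sub := val[6 : 4+vl]; {
		case vt == msChapChallenge && len(sub) == 16:
			out.Challenge = sub
		case vt == msChap2Response && len(sub) == 50:
			out.Response = sub
		}
	}
	if out.UserName == "" || out.Challenge == nil || out.Response == nil {
		return out, errors.New("User-Name, MS-CHAP-Challenge or MS-CHAP2-Response missing")
	}
	return out, nil
}

func main() {
	// Constructed Access-Request around the two values posted in the thread; the user name
	// and the all-zero Request Authenticator are made up (a real one is 16 random bytes).
	chal, _ := hex.DecodeString("838577fcbd20e293d7b06029f8b1cd0b")
	resp, _ := hex.DecodeString("7d00995134e04768014856243ebad1136e3f00000000000000005a7d2e6888dd31963e220fa0b700b71e07644437bd9c9e09")
	pkt := Packet(codeAccessRequest, 0x2a, make([]byte, 16), Attr(attrUserName, []byte("shaul")),
		MSVSA(msChapChallenge, chal), MSVSA(msChap2Response, resp))
	a, err := ParseAccessRequest(pkt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%s ident=%02x peer-challenge=%x nt-response=%x\n", a.UserName, a.Response[0], a.Response[2:18], a.Response[26:50])
}
```

Run against the posted values, the parser splits the 50-byte MS-CHAP2-Response into Ident 0x7d, Flags 0x00, the supplicant's 16-byte peer challenge, 8 reserved zero bytes and the 24-byte NT-Response; the 16-byte MS-CHAP-Challenge is the authenticator challenge the NAS generated. Those are exactly the inputs the AS needs, and nothing in them is encrypted with the RADIUS shared secret: the shared secret only authenticates the packet (Request/Response Authenticator and Message-Authenticator) and wraps the MS-MPPE-*-Key attributes on the way back.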
0

"is typically performed within another EAP method such as EAP-TLS, EAP-TTLS or PEAP."

Well... RADIUS win2008 server here, configured to NO EAP, only MS-CHAPv2 encryption, to replace the PAP.

This is why a lot of what you said and what I said wasn't adding up... I'm not MITM, I'm the AS, and my NAS (the one who knocks) is the RADIUS_Client/Authenticator.

When the user enters UN&PW a random encryption, which I'm now on the lookout for, is created with MS-CHAPv2 and all of the above is irrelevant.

With the items received from the Authenticator, which again are:

  • Username
  • MS-CHAP-Challenge
  • MS-CHAP2-Response

The AS performs a magical ceremony to come up with the following:

  • Access-Accept
  • MPPE-Send-Key
  • MPPE-Recv-Key
  • MS-CHAP2-Success
  • MS-CHAP-DOMAIN

This is from a working scenario, where I have a RADIUS server, a radius client and a user.

A NOT working scenario is the one where I am the RADIUS Server (AS), cause that's my goal, building a RADIUS server, not MITM. So all I got left is finding out what decryption algorithm is needed for those and how.

user3099645