5

I'm building a RADIUS Server to work with MS-CHAPv2 in node.js. I have a RADIUS CLient, which is the VPN Server that sends me the following in an Access-Request:

User-Name

MS-CHAP-Challenge

MS-CHAP2-Response

I tested with an actual Microsoft RADIUS server and the Access-Accept response is always with the following:

MS-MPPE-RECV-KEY: Long string

MS-MPPE-SEND-KEY: Long string

MS-CHAP2-SUCESS: Long string

I tried following the RFC material, but it's very complicated and i just need to understand:

  1. What i'm supposed to do with the Access-Request attributes(challenge&Response) as a Server?

  2. How am i supposed to create the 3 keys in the Access-Accept?

I've read many articles and places, including pentesting examples.

Some said there's a use of RC4,3DES, MD4, MD5, SHA1 and i don't know which to follow since it only gives 2-3 lines of explaining.

What is encrypted? How do i authenticate the user? Am i supposed to create a hash duplicate of the Challenge/Response cause it contains MD4&3DES encrypted password?

Assistance please....

user3099645
  • 101
  • 7
  • Try to ask only one question in each stackoverflow question, otherwise it is too hard to answer everything at once and the title is also a little too broad. Try to include *exactly* where you got stuck in the RFC and/or other explanations. – xuiqzy Jun 12 '21 at 14:04

1 Answers1

-1

building a radius server is very complicated,

What i'm supposed to do with the Access-Request attributes(challenge&Response) as a Server?

the server needs to response to the client request, ask to do handshake, creat ssl tunnel, ask for identification and so on.

How am i supposed to create the 3 keys in the Access-Accept?

the ms-mppe keys are generate with datas from the handshaking and authenticating process, and its very complicated too, have to do a lot of calculating and encrypting, a way more complicate than just using rc4, 3des, md4...

What is encrypted? How do i authenticate the user? Am i supposed to create a hash duplicate of the Challenge/Response cause it contains MD4&3DES encrypted password?

if using ssl, everything is encrypted from change cipher Spec to access-accept. to authenticate the user, you have to compare the client supplied data and your database, and at the end send an access-accept to the NAS. depends on which authentication method to use, the password is a lot more complicated than just encrypted with md4 & 3des. if using ms-chapv2 for example, have to hash a fewe times with some other datas.

YanXi
  • 161
  • 1
  • 9