
Enabling MS CHAP V2 in PingDirectory

SOLVED
UnboundID PaulRaposo
UnboundID
0 Kudos

Enabling MS CHAP V2 in PingDirectory

One of our clients, Perrigo, wants to enable MS CHAP V2 in PingDirectory for CISCO ISE. They have assigned the privilege permit-proxied-mschapv2-details to a user, but are not sure what else needs to be done to enable it. There doesn’t seem to be any more information on the subject in the PingDirectory Admin Guide.

Has anyone enabled this in PingDirectory or can anyone point me to where I can get more information?

Thanks in advance.

Paul

5 REPLIES
UnboundID NeilW
UnboundID
0 Kudos

Re: Enabling MS CHAP V2 in PingDirectory

The Configuration Reference Guide (docs/config-guide) provides a brief summary of the requirements at the top of the “UnboundID Ms Chap V2 SASL Mechanism Handler” page, but the best documentation is in the Javadoc for the UNBOUNDID-MS-CHAP-V2 client library, which is needed to develop applications that interact with the server via MS-CHAPv2 through the Simple Authentication and Security Layer. The class-level documentation for the com.unboundid.directory.server.extensions.mschapv2.client.UnboundIDMSCHAPV2BindRequest class provides a detailed outline of what you need to do to set it up, the process for interacting with the server via this SASL mechanism, and some example code that demonstrates the process. Further, the class-level documentation for the com.unboundid.directory.server.extensions.mschapv2.client.MSCHAPV2Processor class provides a pretty detailed description of how MS-CHAPv2 works.

UnboundID PaulRaposo
UnboundID
0 Kudos

Re: Enabling MS CHAP V2 in PingDirectory

Thank you, Neil!

Paul

UnboundID PaulRaposo
UnboundID
0 Kudos

Re: Enabling MS CHAP V2 in PingDirectory

Follow-up question:

The client is asking if EAP-MSCHAPv2 is supported? Based on my limited knowledge, EAP is an authentication framework that defines the transport and usage of identity credentials and EAP-MSCHAPv2 is the method within EAP that the credentials are sent to the server encrypted within an MSCHAPv2 session. The client is looking for a way to use password hashes and thinks EAP-MSCHAPv2 will facilitate that, but it appears that both PingDirectory and EAP-MSCHAPv2 support encrypted passwords.

Just a sanity check, I guess.

UnboundID NeilW
UnboundID
0 Kudos
Solution

Re: Enabling MS CHAP V2 in PingDirectory

We do not support EAP-MS-CHAPv2. Although I can find basic explanations of the protocol, I can’t seem to locate an exact specification for it. However, it sounds like it’s basically just MS-CHAPv2 wrapped in EAP (and maybe adding TLS protection, which we already require for our MS-CHAPv2 support), and if that’s the case, then you wouldn’t be able to use it with an already-hashed password unless that already-hashed password was hashed with MD4, which really isn’t any better than not hashing it at all.

UnboundID PaulRaposo
UnboundID
0 Kudos

Re: Enabling MS CHAP V2 in PingDirectory

Thank you, Neil!