By: Timur Umarov user 09 Jul 2020 at 2:24 p.m. CDT

5 Responses
I'm trying to set up 2FA for my Microsoft servers. MS NPS sends an Access-Request to Gluu RADIUS, but Gluu doesn't respond. Maybe it's impossible? Or should I make some advanced settings?

Radius log:

```
[INFO ] 2020-07-09 18:51:33.959 [Radius Auth Listener] GluuRadiusServer - Client ip: 10.1.1.1
[ERROR] 2020-07-09 18:51:33.960 [Radius Auth Listener] RadiusServer - malformed Radius packet
org.tinyradius.util.RadiusException: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
    at org.tinyradius.packet.AccessRequest.decodeRequestAttributes(AccessRequest.java:160) ~[tinyradius-1.0.jar:?]
    at org.tinyradius.packet.RadiusPacket.decodePacket(RadiusPacket.java:889) ~[tinyradius-1.0.jar:?]
    at org.tinyradius.packet.RadiusPacket.decodeRequestPacket(RadiusPacket.java:538) ~[tinyradius-1.0.jar:?]
    at org.tinyradius.util.RadiusServer.makeRadiusPacket(RadiusServer.java:459) ~[tinyradius-1.0.jar:?]
    at org.tinyradius.util.RadiusServer.listen(RadiusServer.java:328) [tinyradius-1.0.jar:?]
    at org.tinyradius.util.RadiusServer.listenAuth(RadiusServer.java:277) [tinyradius-1.0.jar:?]
    at org.tinyradius.util.RadiusServer$1.run(RadiusServer.java:103) [tinyradius-1.0.jar:?]
```

and tcpdump output:

```
nps.53733 > gluu.radius: [udp sum ok] RADIUS, length: 95
    Access-Request (1), id: 0x01, Authenticator: d54d8933529cb0a5483fadeffs20c1ca
      Service-Type Attribute (6), length: 6, Value: #12
        0x0000:  0000 000c
      User-Name Attribute (1), length: 12, Value: DOMAIN\user
        0x0000:  5041 434b 5c74 696d 7572
      Called-Station-Id Attribute (30), length: 17, Value: UserAuthType:PW
        0x0000:  5573 6572 4175 7468 5479 7065 3a50 57
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 50, Length: 4, Value: userpc
        0x0000:  0000 0137 3206 6163 6572
      Vendor-Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
        Vendor Attribute: 47, Length: 4, Value: ....
        0x0000:  0000 0137 2f06 0000 0001
      NAS-Port-Type Attribute (61), length: 6, Value: Virtual
        0x0000:  0000 0005
      Proxy-State Attribute (33), length: 10, Value: ..
        0x0000:  0a03 001b 0000 0029
```

Thanks for any advice!

By Dzouato Djeumen Rolain Bonaventure staff 09 Jul 2020 at 3:41 p.m. CDT

Hello Timur, from what I see, MS NPS isn't sending the user's password. I don't exactly know what that means, but it should mean something. I am not an expert on MS NPS though, so my scope of knowledge about it and its configuration is pretty limited. Can you check why it's not sending the password? Please keep me posted about this as this is an edge case and an interesting one. Best Regards, Rolain

By Alexandre Zia Account Admin 11 Jul 2020 at 8:49 a.m. CDT

Seems like you are using MSCHAP, which doesn't send the user password on the wire; it uses a challenge-response scheme. You must use PAP: although it's insecure, it's the only way to pass the user's password to RADIUS, and Gluu requires the password in order to authenticate into the OP.

By Timur Umarov user 11 Jul 2020 at 2:43 p.m. CDT

Thanks all for the answers. Alexandre, I think you are right. But I tried looking for any settings in MS NPS to change MSCHAP to CHAP or PAP and I didn't find them. I want to set up MS RD Gateway with 2FA using Gluu.... Maybe I can replace Gluu RADIUS with another RADIUS server that can work with MSCHAP?

By Alexandre Zia Account Admin 11 Jul 2020 at 4:47 p.m. CDT

No, you can't; it's a protocol issue, not a RADIUS server feature. MSCHAP will never send the user password; you can check this here: https://tools.ietf.org/html/rfc2759 And Gluu's resource owner password credentials flow requires user/password. You'll have to use PAP and set a strong secret. I also recommend setting up an encrypted tunnel between your appliance and the Gluu server in order to protect users' passwords.
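To make the two replies above concrete, here is an added Python example (not code from this thread, from Gluu or from tinyradius) that parses the RADIUS Access-Request attribute layout and reports which credential attribute a request carries: User-Password (PAP), CHAP-Password (CHAP), Microsoft MS-CHAP vendor attributes (MSCHAP), or none at all, which is exactly what tinyradius rejects as "malformed" in the log above. Attribute numbers come from RFC 2865 and RFC 2548; the sample packets are constructed to resemble the tcpdump capture, with placeholder authenticator and password bytes.

```python
import struct
# RFC 2865 attribute types and RFC 2548 Microsoft vendor sub-types
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
VENDOR_MICROSOFT = 311
MS_CHAP_ATTRS = {1, 11, 25}  # MS-CHAP-Response, MS-CHAP-Challenge, MS-CHAP2-Response

def parse_attributes(data, nested=False):
    """Walk RADIUS TLVs; Vendor-Specific entries become (26, vendor_id, sub_type, sub_value)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute length")
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and not nested:  # vendor payload is itself a TLV list
            if len(value) < 4: raise ValueError("malformed Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            out += [(atype, vendor, st, sv) for st, sv in parse_attributes(value[4:], True)]
        else:
            out.append((atype, value))
        pos += alen
    return out

def credential_scheme(packet):
    """Return 'PAP', 'CHAP', 'MSCHAP' or 'NONE'; 'NONE' is what tinyradius rejects as malformed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet[20:length])
    types = {a[0] for a in attrs}
    ms_subs = {a[2] for a in attrs if len(a) == 4 and a[1] == VENDOR_MICROSOFT}
    if USER_PASSWORD in types:
        return "PAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    return "MSCHAP" if ms_subs & MS_CHAP_ATTRS else "NONE"

# Builders for constructed sample packets (the 16-byte Request Authenticator is a placeholder)
def attr(atype, value): return bytes([atype, len(value) + 2]) + value
def vsa(vendor, sub, value): return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(sub, value))
def access_request(ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body

# Constructed to mirror the NPS capture above: identity and NAS info, but no credential attribute
NPS_STYLE = access_request(1, [attr(6, struct.pack("!I", 12)), attr(USER_NAME, b"DOMAIN\\user"),
                               attr(30, b"UserAuthType:PW"), vsa(VENDOR_MICROSOFT, 50, b"userpc")])
# What Gluu can consume: a PAP request (a real User-Password is RFC 2865 obfuscated; placeholder bytes)
PAP_STYLE = access_request(2, [attr(USER_NAME, b"DOMAIN\\user"), attr(USER_PASSWORD, b"\x00" * 16)])
```

Running `credential_scheme` over a capture lets you confirm on the Gluu side whether NPS is actually sending a password before touching any NPS policy.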

By Dzouato Djeumen Rolain Bonaventure staff 21 Jul 2020 at 7:24 a.m. CDT

Hello Timur, I'll close this ticket for now. Feel free to re-open it if you have any further inquiries.