Create IKEv2 connection with EAP-MSCHAPv2 and LogOn property

Jan 25, 2011 at 6:37 AM

Hi,

I have nearly finished writing a c# console application that will create an entry in the phone book for all users.

I have been able to set the name, address, strategy, device and remote gateway settings but I can't seem to be able to specify the 'Authentication' settings.

We use EAP-MSCHAP v2 and need to be able to have the 'Automatically use my Windows logon name and password (and domain if any).' box ticked.

This box can be found under Security -> Authentication (Use EAP: EAP-MSCHAPv2) -> Properties.

I found the RasEntry.Options.UseLogOnCredentials property but this is not relevant as we are using an EAP profile for Authentication.

I found the RasEapOptions.LogOn property as well - but how am I to create a RasEapOptions object and 'attach' this to the RasEntry object?

I have been searching through the SDK and other Discussions but have been unable to find a solution to this specific problem.

If someone could throw me some code that would be greatly appreciated.


Michael

Coordinator
Jan 25, 2011 at 6:51 PM

Well, RasEapOptions is actually used by the RasDialer during the dialing process to set flags that the dialer uses and doesn't relate directly to the entry. Depending on whether you're trying to use certificates or a pre-shared key determines what you need to call. There hasn't been much interest in EAP within the project thus far, which explains the lack of threads on the subject.

using DotRas;

// Open the phone book, add the new entry, then write the pre-shared key for it.
using (RasPhoneBook pbk = new RasPhoneBook())
{
    pbk.Open();

    RasEntry entry = new RasEntry("VPN Connection");
    pbk.Entries.Add(entry);

    // The entry has to exist in the phone book before credentials can be written to it.
    pbk.UpdateCredentials(RasPreSharedKey.Client, "blah");
}

In order to actually update the pre-shared key used by the client you'd need to use the WINXP build type (Windows 2000 doesn't support pre-shared keys) and add the entry to the phone book before trying to update the credentials. This is just a Windows restriction: the project doesn't store credentials in memory, and Windows requires the entry to be in a phone book before writing credentials to it.

If you want to use certificates there are some known problems with some client/server configurations. Occasionally certificates can't be found, not really sure why. As for actually setting the certificate data, you can use the SetEapUserData method on the class to set the certificate data. However, you have to know the inner workings of the EAP DLL you're using, and there is no documentation for the structure of the data in memory. There are flags you can set that choose the certificate needed by the connection automatically; however, with security configurations you're best following the advice I give most everyone when building entries:

The best way I've found over the years to build a connection when you don't know which flags to set is to build the connection using the Windows interface, verify the connection works correctly, and open it in a RasPhoneBook and inspect the settings that Windows has chosen.

Hope that helps.

Jan 25, 2011 at 10:56 PM

Thanks for the advice Jeff.

I ended up creating the connection with as many settings as I could generate using RasEntry, then backing up the generated pbk file, then making the changes in Windows, then running a compare to see what changed.

It turns out that there were a couple of changes, but in the end I was able to just write a good old batch script to xcopy the new pbk file to all the clients (with some checks to see if the pbk is already there etc.).

I'll find the part of the pbk file that was changed and post it when I get back to my computer, and see if there is an option in DotRas after all.

Also since this is an IKEv2 VPN, there are no preshared keys. The domain computers already have the root certificate from the server and we just use EAP-MSCHAPv2 to pass through the user's current credentials.


Regards,

Michael
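Michael's approach above (generate the entry, back up the pbk, change it in the Windows UI, compare) as an added example that is not from this thread or from DotRas: a small Python parser that diffs two rasphone.pbk files section by section, so the keys Windows touched stand out. The pbk text embedded below is constructed for illustration; the key names follow rasphone.pbk conventions, but which keys and values Windows actually changes for a given box is exactly what the diff is meant to reveal, not something assumed here.

```python
"""Diff two Windows rasphone.pbk files (INI-style) and report changed keys.
Repeated keys inside a section (the MEDIA=/DEVICE= blocks) are kept as an
ordered list of values so a reordered or added device line is also reported."""
from collections import OrderedDict


def parse_pbk(text):
    """Return {section: {key: [values...]}} preserving value order."""
    book, section = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            book.setdefault(section, OrderedDict())
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            book[section].setdefault(key.strip(), []).append(value.strip())
    return book


def diff_pbk(before_text, after_text):
    """List (section, key, before_values, after_values) for every difference.
    A value of None means the key (or whole section) was absent on that side."""
    before, after = parse_pbk(before_text), parse_pbk(after_text)
    changes = []
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append((section, key, b.get(key), a.get(key)))
    return changes


# Constructed sample: the same entry before and after a change in the Windows
# UI.  Values are illustrative only; run the diff on your own backed-up copies.
BEFORE = """[VPN Connection]
Encoding=1
Type=2
AutoLogon=0
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (IKEv2)
"""
AFTER = BEFORE.replace("AutoLogon=0", "AutoLogon=1") + "CustomAuthKey=26\n"

if __name__ == "__main__":
    for section, key, old, new in diff_pbk(BEFORE, AFTER):
        print(f"[{section}] {key}: {old} -> {new}")
```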
