AAA, NAC, Guest Access & BYOD

Can we do 802.1X authentication with EAP-PEAP MSCHAPv2 on CPPM against a SQL database instead of AD?

Aruba Employee

We can authenticate with EAP-PEAP + MSCHAPv2 as long as the passwords are stored in clear text in the SQL database.
 
MSCHAPv2 is a challenge-response protocol. To authenticate the client, CPPM sends a Challenge. The supplicant on the client calculates a Response from the Challenge sent by CPPM and the password entered by the user. The password itself is not sent over the wire.
 
If the authentication source is a SQL database or an LDAP database, CPPM also calculates the Response and compares it with the Response sent by the client. To calculate the Response, CPPM needs the clear-text password. If the authentication source is LDAP, the password can also be in NT Hash or LM Hash format.
 
If the authentication source is AD, CPPM forwards the Challenge and the client's Response to AD for verification.
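
The comparison described above can be modelled in a few lines. This is an added example, not Aruba or CPPM code: HMAC-SHA-256 and SHA-256 stand in for the real MSCHAPv2 DES and MD4 steps, and the table name, column names, and sample rows are assumptions constructed for the demonstration.

```python
import hashlib, hmac, os, sqlite3

def pw_key(password: str) -> bytes:
    # Stand-in for the NT hash (real MSCHAPv2: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the DES-based MSCHAPv2 Response calculation.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def client_respond(password: str, challenge: bytes) -> bytes:
    # Supplicant side: only the Response leaves the client, never the password.
    return response(pw_key(password), challenge)

def build_db() -> sqlite3.Connection:
    # Constructed sample data; schema names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, fmt TEXT, secret BLOB)")
    salt = bytes(16)  # fixed salt so the sample is reproducible
    salted = salt + hashlib.pbkdf2_hmac("sha256", b"Winter2014", salt, 1000)
    db.execute("INSERT INTO users VALUES ('alice', 'cleartext', ?)", (b"Winter2014",))
    db.execute("INSERT INTO users VALUES ('bob', 'salted', ?)", (salted,))
    return db

def server_verify(db, name: str, challenge: bytes, client_resp: bytes) -> str:
    # Server side: recompute the Response from the stored secret and compare.
    row = db.execute("SELECT fmt, secret FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "reject: unknown user"
    fmt, secret = row
    if fmt != "cleartext":
        # A one-way salted hash cannot be turned back into the response key.
        return "reject: stored format cannot produce a response"
    expected = response(pw_key(secret.decode()), challenge)
    ok = hmac.compare_digest(expected, client_resp)  # constant-time comparison
    return "accept" if ok else "reject: response mismatch"

def demo() -> list:
    db = build_db()
    challenge = os.urandom(16)  # fresh Challenge per authentication
    return [
        server_verify(db, "alice", challenge, client_respond("Winter2014", challenge)),
        server_verify(db, "alice", challenge, client_respond("wrong", challenge)),
        server_verify(db, "bob", challenge, client_respond("Winter2014", challenge)),
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third case is the one that matters for a SQL source: the user typed the correct password, but a store that holds only a salted one-way hash gives the server nothing from which to recompute the Response.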

Version history
Revision #: 1 of 1
Last update: 07-10-2014 01:36 PM