Contributor I

Captive Portal uses PAP instead of PEAP for Radius?

Hello - 

I am working on configuring a captive portal setup for our network. 

I find that when I assign the Radius servers as the authentication method for the captive portal, authentication keeps failing. Looking at my Radius logs, I find this:

------------

Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
Authentication Provider: Windows
Authentication Server: sturgeon.evergreen.edu
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

------------

 

However, I can log in just fine to the management web ui, using the exact same AAA profiles / servers. When I review the logs for my login on the management ui, it shows this:

 

-----------
Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
Authentication Provider: Windows
Authentication Server: sturgeon.evergreen.edu
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -

-----------

 

Is this by design? Or am I missing something? I understand that normally PEAP would be used to encapsulate the request and pass it through to the radius server, but if the Web UI is able to do that, why can't the captive portal? Or perhaps the question is why *won't* the captive portal?

Frequent Contributor I

Re: Captive Portal uses PAP instead of PEAP for Radius?

For Captive Portal, the Aruba Controller will use PAP authentication by default.

I also had a similar problem to yours, and I resolved it by changing the Network Policy setting to allow PAP (I tested it using Microsoft NPS).

 

Contributor I

Re: Captive Portal uses PAP instead of PEAP for Radius?

Yes, I understand that I could set it to PAP, but I was hoping that because the Web UI works with PEAP, then maybe the captive portal would as well, but perhaps that's just not the way they were set up. Maybe the captive portal runs on its own separate web server? Functionally, they are doing the same thing. I have a username, and a password, Mr. Radius Server, what shall I tell this client?

Aruba

Re: Captive Portal uses PAP instead of PEAP for Radius?

I am not sure how you are seeing PEAP authentication for management attempts. Are you sure the event you are seeing is not from a wireless logon?

Both Captive Portal and Controller Management authentication use PAP by default; however, they can be configured to use MSCHAP. When defining the management authentication server, you can set MSCHAPv2 rather than PAP, but you cannot set PEAP. You can do the same for Captive Portal in the captive portal profile.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I

Re: Captive Portal uses PAP instead of PEAP for Radius?

On WebUI, did you notice which auth you select when doing AAA testing?

There are 2 options available, using MSCHAP2 or PAP. 

 

But unfortunately in CP, you are tied to the CHAP or PAP options only (default is PAP).

 

Maybe Aruba Dev Team will add it if you ask them in IDEAS section.

 

Regards

-S-

 

 

Guru Elite

Re: Captive Portal uses PAP instead of PEAP for Radius?

I am sure you understand by now, but please see here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-575



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Captive Portal uses PAP instead of PEAP for Radius?

Yes, I have set up separate Radius servers in the policies, so that's not the issue.

I guess the answer is just "That's the way it is, sorry."

 

As for whether I know if it's from a wireless client via 802.1x or if it's from me logging in to the management UI, I have a special privileged account used for managing devices, and do not log in to the wireless network with that account so it's pretty simple to tell them apart in the RADIUS logs.

Frequent Contributor I

Re: Captive Portal - PAP x MSCHAP2

The manual of ArubaOS commands says about the "use-chap" option --> "Use CHAP protocol. You should not use this option unless instructed to do so by an Aruba representative."

 

Why not use the MSCHAP2 protocol to authenticate captive portal users? PAP is more insecure, isn't it?

And is the problem reported in this KB https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-575 valid for MS Win 2008?

Guru Elite

Re: Captive Portal - PAP x MSCHAP2

That "use-chap" option is a nonstandard version of CHAP. Please see the whole answer to your question here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1050

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Captive Portal - PAP x MSCHAP2

Thank you Colin.

 

But, is the communication between wireless controller and Radius server in clear text?
