Contributor I

EAP-PEAP/MsCHAPv2 External SQL hashed password

Hi folks,

We would like to use EAP-PEAP/MsCHAPv2 authentication on our wireless networks and implement a CPPM server. We have a legacy external PostgreSQL database, but the users' passwords are stored in it only as SHA256 hashes. I made a query, but I get a REJECT message with a "user not found" description. But if I add a new user with a plain text password, the authentication works well. Can anyone help me resolve this?

Table structure:
userid | username | password | ssid | created | modified

Filter query: SELECT password AS User_Password, ssid AS SSID FROM Users WHERE username = '%{Authentication:Username}' AND ssid = LOWER('%{Radius:Aruba:Aruba-Essid-Name}');

Thanks,
Balazs
Guru Elite

Re: EAP-PEAP/MsCHAPv2 External SQL hashed password

The protocol does not allow this. You should look at EAP-TLS.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP-PEAP/MsCHAPv2 External SQL hashed password

Hi Tim,

Thanks for your quick answer. Can you explain a little bit deeper? I don't understand why.

Thanks,
Balazs

Re: EAP-PEAP/MsCHAPv2 External SQL hashed password

In order to perform MSCHAPv2 authentication, you will need to have access to the NT-Hash of the password, which is a specific hash type.

So you need either the NT-Hash of the password in your database and give ClearPass access to it, or have the unencrypted version of the password available so ClearPass can calculate the password.

Please note that MSCHAPv2 is considered 'cracked' and no longer secure and should not be used unless you have full control over the client, like in an AD environment.

 

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Guru Elite

Re: EAP-PEAP/MsCHAPv2 External SQL hashed password

tl;dr, stop using PEAP ☺

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP-PEAP/MsCHAPv2 External SQL hashed password

Thanks guys! It is clear to me now.

Thanks,
Balazs