Contributor I

EAP-PWD: "failed to find password" ClearPass 6.5

After upgrade to ClearPass 6.5 we are interested in method EAP-PWD.

We have tested this method with FreeRADIUS 3.0 without problems.

 

Maybe there is a problem in ClearPass 6.5 with the format (NThash, PasswordHashHash) of the password attribute?

 

Any suggestions to solve the problem?

 

Thanks in advance,

Toni Pérez

 

-------------------------------------------------------------------------

 

Our Problem:
-------------------------------------------------------------------------

We have tested local users and LDAP users with the same problem in Access Tracker:

 

  • EAP-PWD: User-Password not available
    EAP-PWD: Cannot retrieve User Password

Analyzing logs in debug mode for a local user:

  • DEBUG RadiusServer.Radius - rlm_sql (auth_local_db): User toniperez found
    INFO RadiusServer.Radius - rlm_sql: found user toniperez in Local:localhost
    DEBUG RadiusServer.Radius - rlm_eap: processing type pwd instance EAP PWD]
    DEBUG RadiusServer.Radius - The request contains following persistent config items
    DEBUG RadiusServer.Radius - Crypt-Password = <REMOVED>
    DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
    DEBUG RadiusServer.Radius - Persisted-User-Name = "toniperez"
    DEBUG RadiusServer.Radius - Authentication-Source = "Local:localhost"
    DEBUG RadiusServer.Radius - rlm_eap_pwd: eap_pwd_authenticate peer id - toniperez
    DEBUG RadiusServer.Radius - rlm_eap_pwd: request user name toniperez, peer id toniperez
    DEBUG RadiusServer.Radius - Crypt-Password = <REMOVED>
    DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
    DEBUG RadiusServer.Radius - Persisted-User-Name = "toniperez"
    DEBUG RadiusServer.Radius - Authentication-Source = "Local:localhost"
    DEBUG RadiusServer.Radius - Authentication-Source-Name = "Local User Repository]"
    DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
    ERROR RadiusServer.Radius - failed to find password for toniperez to do pwd authentication

Analyzing logs in debug mode for an LDAP user with NT-Hash attribute:

  • DEBUG RadiusServer.Radius - rlm_ldap: Retrieved NT-Password
    INFO RadiusServer.Radius - rlm_ldap: found user abc123 in Ldap:ldap.domain.com
    DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
    DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
    DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
    ERROR RadiusServer.Radius - failed to find password for abc123 to do pwd authentication

 

Aruba Employee

Re: EAP-PWD: "failed to find password" ClearPass 6.5

Hi Toni,

 

  I'm glad you're interested in EAP-pwd. Sorry you're running into a problem. If it's the same client interoperating with FreeRADIUS fine and not interoperating with ClearPass that seems to point to ClearPass.

 

  Is it possible for you to try using a plaintext password? If that works with ClearPass it will narrow down the issue. 

 

  thanks and regards,

 

  Dan.

 

Contributor I

Re: EAP-PWD: "failed to find password" ClearPass 6.5

Hi Dan,

 

I don't know how to create a local user in ClearPass with a Clear-Text-Password attribute in the DB (like I do in the users file in FreeRADIUS).

I will try with a new LDAP attribute with Clear-Text-Password instead of NT-Hash attribute. I will inform you if it works tomorrow.

 

In my LDAP server all users' passwords are in NT-Hash=MD4(Clear-Text-Password) format for PEAP-MsCHAPv2 support.

I understand from https://tools.ietf.org/html/draft-harkins-emu-eap-pwd-14#section-2.7.2 that the supported password formats for EAP-PWD are:

  • Clear-Text
  • PasswordHashHash= MD4(MD4(Clear-Text-Password))= MD4(NT-Hash)

 

Best regards,

Toni Pérez

Contributor I

Re: EAP-PWD: "failed to find password" ClearPass 6.5

Hi,

 

I have modified the password attribute in our LDAP to hold a ClearText value and changed the Authentication-Source-LDAP password type to ClearText, and it works fine.

 

  • LDAP Cleartext attribute:
    DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
    DEBUG RadiusServer.Radius - User-Password = <REMOVED>
    DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
    INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
  • LDAP NT-Hash attribute:
    DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
    DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
    DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
    ERROR RadiusServer.Radius - failed to find password for abc123 to do pwd authentication
    DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 153071

Regards,

Toni Pérez

Aruba Employee

Re: EAP-PWD: "failed to find password" ClearPass 6.5

 

  Hi Toni,

 

  Thanks for the info. Looks like we've been able to reproduce this ourselves.

We will have an update shortly for you on a release in which this will be fixed.

 

  Thanks for your patience,

 

  Dan.

 

Contributor I

Re: EAP-PWD: "failed to find password" ClearPass 6.5

Hi,

 

We have upgraded to ClearPass 6.5.1 with the same issue.

EAP-PWD only finds the password in our LDAP with Password Type set to Clear-Text.

Local User and LDAP with Password Type NT-Hash result in a "User-Password not available" error.

 

ClearPass authentication error:

       EAP-PWD: User-Password not available
       EAP-PWD: Cannot retrieve User Password

 

Can you reproduce this issue with a Local User?

 

Regards,

Toni Pérez

Contributor I

Re: EAP-PWD: "failed to find password" ClearPass 6.5

 

We have finally closed the case with Bug id #29771:

 

The EAP-PWD supplicant and CPPM both do not support EAP-PWD authentication with passwords in NT-Hash format even though the RFC supports this. We may support this sometime in the future.

 

In 6.5.1, user passwords are only stored in non-reversible hash format in [Local User Repository]. Because of this EAP-PWD authentication will fail. In 6.5.2, an option has been added to store passwords in reversible hash format also. With this change, EAP-PWD authentication will work against [Local User Repository].

 

Contributor I

Re: EAP-PWD: "failed to find password" ClearPass 6.5

Hi,

Any news with NThash support for eap-pwd in ClearPass?

Is there a roadmap to add salted password databases for EAP-pwd to ClearPass?
https://tools.ietf.org/html/draft-harkins-salted-eap-pwd-08

Support of salted eap-pwd for eduroamCAT supplicant?

Best regards,
Toni Pérez