Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PWD support on Aruba Clearpass

  • 1.  EAP-PWD support on Aruba Clearpass

    Posted Dec 09, 2014 12:22 AM

    Does the new Aruba 6.4.1 OS support EAP-PWD authentication? If yes, can we use it instead of EAP-TLS certificate-based authentication? We want to replace the existing certificate-based wireless authentication for simplification and found EAP-PWD as a replacement, but don't see many articles on deployment and integration with Aruba 7220 controllers and ClearPass Policy Manager.


    #7220


  • 2.  RE: EAP-PWD support on Aruba Clearpass

    EMPLOYEE
    Posted Dec 09, 2014 12:33 AM
    The closest support would be EAP-MD5


  • 3.  RE: EAP-PWD support on Aruba Clearpass

    Posted Dec 09, 2014 12:38 AM

    Hi Tim,

     

    I did not get you properly. Does the new OS support EAP-PWD or not? We are not interested in EAP-MD5 as a replacement for the existing EAP-TLS. I am keen to understand the EAP-PWD thing and the possibility of deploying it in my Aruba wireless infrastructure.

     

    Regards,
    Kapil



  • 4.  RE: EAP-PWD support on Aruba Clearpass
    Best Answer

    Posted Dec 09, 2014 12:52 AM

    For what it's worth, we will support EAP-PWD in the next CPPM release (6.5). It will go into public beta in Jan 2015 with FCS planned for end of Feb 2015.

     

     



  • 5.  RE: EAP-PWD support on Aruba Clearpass

    Posted Dec 21, 2014 03:36 PM

    Tim,

     

    EAP-MD5 is not even close. It uses a hash function that has been deprecated, it can easily be cracked with an off-line dictionary attack, and it does not generate keys.

    EAP-pwd provides resistance to active attack, passive attack, and dictionary attack. It uses modern cryptography (strong hash functions and elliptic curves). And it generates strong, mutually authenticated keys.

     

      regards,

     

      Dan (the author of EAP-pwd, RFC 5931).

     



  • 6.  RE: EAP-PWD support on Aruba Clearpass

    EMPLOYEE
    Posted Dec 21, 2014 03:41 PM
    I was referring to the closest current implementation in ClearPass in terms of user interaction.


    Thanks,
    Tim


  • 7.  RE: EAP-PWD support on Aruba Clearpass

    Posted Dec 28, 2015 11:43 PM

    Can someone confirm if EAP-PWD is now supported on the Aruba platform? If yes, then how is the feedback, and can this be effectively used to replace certificate-based authentication?



  • 8.  RE: EAP-PWD support on Aruba Clearpass

    Posted Jan 10, 2016 06:02 AM

    It is supported and working on ClearPass. I haven't checked Controller and/or Instant, but that is only relevant if you use termination.

     

    See here for some information on how to set it up:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/EAP-PWD-quot-failed-to-find-password-quot-ClearPass-6-5/td-p/229219

     

    As for it being an alternative for certificates, I'm not sure what your considerations are. Personally I see it more as a safer alternative to WPA(2)-PSK networks, but this will strongly depend on the client-side implementation. I see Android supports it and Linux wpa, but see little about macOS and Windows.



  • 9.  RE: EAP-PWD support on Aruba Clearpass

    EMPLOYEE
    Posted Jan 10, 2016 07:06 AM

    The short answer is NO, it does not work fully and should not be used to replace anything.  NT hash is how AD passwords are encrypted and that is not supported:

     

    "The EAP-PWD supplicant and CPPM both do not support EAP-PWD authentication with passwords in NT-Hash format even though RFC supports this. We may support this sometime in future.

    In 6.5.1, user passwords are only stored in non-reversible hash format in [Local User Repository]. Because of this EAP-PWD authentication will fail. In 6.5.2, an option has been added to store passwords in reversible hash format also. With this change, EAP-PWD authentication will work against [Local User Repository]."