12-08-2014 09:21 PM
Does new Aruba 6.4.1 OS support EAP-PWD authentication. If yes, can we use it instead of EAP-TLS certificate based authentication. We want to replace the existing certificate based wireless authentication for simplification and found EAP-PWD as replacement but don't see much articals on deployment and integration with Aruba 7220 controllers and clearpass policy manager.
Solved! Go to Solution.
12-08-2014 09:37 PM
did not get you properly. Does new OS support EAP-PWD or not. We are not interested in EAP-MD5 as a replacement of existing EAP-TLS. I am keen to understand EAP-PWD thing and possibility of deployment in my Aruba wireless infrastructure.
12-08-2014 09:52 PM - edited 12-08-2014 09:54 PM
For what its worth we will support EAP-PWD in the next CPPM release (6.5).... it will go into Public beta in Jan 2015 with FCS planned for end of Feb 2015.
Snr Tech Marketing Engineer - ClearPass
-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
12-21-2014 12:36 PM
EAP-MD5 is not even close. It uses a hash function that has been
depricated, it can easily be cracked with an off-line dictionary attack,
and it does not generate keys.
EAP-pwd provides resistance to active attack, passive attack, and
ditionary attack. It uses modern cryptography (strong hash functions
and elliptic curves). And it generates strong, mutually authenticated
Dan (the author of EAP-pwd, RFC 5931).
12-21-2014 12:40 PM
12-28-2015 08:43 PM
Can someone confirmed if EAP-PWD is now supported on Aruba platform. if yes, then how is the feedback and can this be effectively used to replace certificate based authentication.
01-10-2016 03:02 AM
it is supported and working on ClearPass. haven't checked Controller and / or Instant. but that is only relevant if you use termination.
see here for some information on how to setup:
as for it being a alternative for certificates im not sure what your considerations are. personally i see it more as a safer alternative to wpa(2)-psk networks. but this will strongly depend on the the clientside implementation. i see android supports it and linux wpa but see little about MacOS and Windows.
01-10-2016 04:05 AM
The short answer is NO, it does not work fully and should not be used to replace anything. NT hash is how AD passwords are encrypted and that is not supported:
"The EAP-PWD supplicant and CPPM both do not support EAP-PWD authentication with passwords in NT-Hash format even though RFC supports this. We may support this sometime in future.
In 6.5.1, user passwords are only stored in non-reversible hash format in [Local User Repository].
Because of this EAP-PWD authentication will fail. In 6.5.2, an option has been added to store
passwords in reversible hash format also. With this change, EAP-PWD authentication will work
against [Local User Repository]."
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base