New Contributor

EAP-PWD support on Aruba Clearpass

Does new Aruba 6.4.1 OS support EAP-PWD authentication. If yes, can we use it instead of EAP-TLS certificate based authentication. We want to replace the existing certificate based wireless authentication for simplification and found EAP-PWD as replacement but don't see much articals on deployment and integration with Aruba 7220 controllers and clearpass policy manager.

Guru Elite

Re: EAP-PWD support on Aruba Clearpass

The closest support would be EAP-MD5

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: EAP-PWD support on Aruba Clearpass

Hi Tim,


did not get you properly. Does new OS support EAP-PWD or not. We are not interested in EAP-MD5 as a replacement of existing EAP-TLS. I am keen to understand EAP-PWD thing and possibility of deployment in my Aruba wireless infrastructure.




Re: EAP-PWD support on Aruba Clearpass

For what its worth we will support EAP-PWD in the next CPPM release (6.5).... it will go into Public beta in Jan 2015 with FCS planned for end of Feb 2015.



Best Regards

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba Employee

Re: EAP-PWD support on Aruba Clearpass



  EAP-MD5 is not even close. It uses a hash function that has been

depricated, it can easily be cracked with an off-line dictionary attack,

and it does not generate keys.


  EAP-pwd provides resistance to active attack, passive attack, and

ditionary attack. It uses modern cryptography (strong hash functions

and elliptic curves). And it generates strong, mutually authenticated





  Dan (the author of EAP-pwd, RFC 5931).


Guru Elite

Re: EAP-PWD support on Aruba Clearpass

I was referring to the closest current implementation in ClearPass in terms of user interaction.


Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: EAP-PWD support on Aruba Clearpass

Can someone confirmed if EAP-PWD is now supported on Aruba platform. if yes, then how is the feedback and can this be effectively used to replace certificate based authentication.

Trusted Contributor I

Re: EAP-PWD support on Aruba Clearpass

it is supported and working on ClearPass. haven't checked Controller and / or Instant. but that is only relevant if you use termination.


see here for some information on how to setup:


as for it being a alternative for certificates im not sure what your considerations are. personally i see it more as a safer alternative to wpa(2)-psk networks. but this will strongly depend on the the clientside implementation. i see android supports it and linux wpa but see little about MacOS and Windows.

Guru Elite

Re: EAP-PWD support on Aruba Clearpass

The short answer is NO, it does not work fully and should not be used to replace anything.  NT hash is how AD passwords are encrypted and that is not supported:


"The EAP-PWD supplicant and CPPM both do not support EAP-PWD authentication with passwords in NT-Hash format even though RFC supports this. We may support this sometime in future.


In 6.5.1, user passwords are only stored in non-reversible hash format in [Local User Repository].

Because of this EAP-PWD authentication will fail. In 6.5.2, an option has been added to store

passwords in reversible hash format also. With this change, EAP-PWD authentication will work

against [Local User Repository]."

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
Search Airheads
Showing results for 
Search instead for 
Did you mean: