Contributor II
Posts: 39
Registered: 07-28-2014

Wireless 802.1x EAP-PEAP with Novell eDirectory

I'm trying to set up simple EAP-PEAP 802.1x authentication against a Novell eDirectory LDAP authentication source. The connection settings seem to be correct (at least I am able to bind and browse the directory under "search base dn"). I think I'm missing something in the attributes but I can't find any examples specific to eDirectory.

Authentication attempts fail, with the following in the Access Tracker logs:

ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Has anyone out there successfully set up eDirectory as an authentication source?

Guru Elite
Posts: 8,633
Registered: 09-08-2010

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

You would need to use EAP-TTLS or EAP-GTC.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 39
Registered: 07-28-2014

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

Ok... any pointers beyond that? Configuration examples? Documentation?

I've chosen both EAP-TTLS and EAP-GTC as authentication methods in the service and it's still failing:

Auth-Type not set or authentication methods have not been configured. Rejecting it.

Guru Elite
Posts: 8,633
Registered: 09-08-2010

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

Are your clients configured for those protocols? Most clients require either a configuration profile or a different supplicant.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 39
Registered: 07-28-2014

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

I'm using the built-in Microsoft EAP-TTLS settings (see attached)

(attachment: Capture.PNG)

MVP
Posts: 511
Registered: 11-04-2011

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

You should be able to do EAP-PEAP with MSCHAPv2 against eDirectory, if you can modify the settings on eDirectory.

Having said that, be advised that MSCHAPv2 has been cracked and should be avoided unless you have full control over your clients and can enforce server certificate validation.

User authentication using PEAP-MSCHAPv2 against Novell eDirectory has the following requirements:

  • Passwords must be stored in cleartext in the directory
  • The Universal Password attribute must be turned on in the directory
  • Create a Password Policy in eDirectory. This password policy should have the following option enabled: "Universal Password --> Configuration --> Allow Admin to retrieve password". Also this password policy should be assigned to all users who are going to be authenticated.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Contributor II
Posts: 39
Registered: 07-28-2014

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

I got this working thanks to TAC. I'll summarize it here for future reference:

All of the prerequisite settings were done in eDirectory:

  • Passwords must be stored in cleartext in the directory
  • The Universal Password attribute must be turned on in the directory
  • Create a Password Policy in eDirectory. This password policy should have the following option enabled: "Universal Password --> Configuration --> Allow Admin to retrieve password". Also this password policy should be assigned to all users who are going to be authenticated.

I also imported the certificate chain from eDirectory into the Trust List in Clearpass.

And also enabled LDAP over SSL (port 636).

Finally, what got it working was:

In the authentication source settings, under the Primary tab, the password attribute should be named as "nspmPassword" instead of "userPassword".

(attachment: screen.jpg)
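To separate the systemic failure seen in this thread (the RADIUS server has no cleartext or NT-hashed password to run MS-CHAPv2 against) from an ordinary wrong password, here is an added triage script over constructed Access Tracker lines; it is not ClearPass code, and the timestamp prefix on each line is an assumption, since the thread quotes only the message text.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (timestamp prefix assumed).
SAMPLE_LOG = """\
2014-08-01 09:12:01 ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2014-08-01 09:12:01 ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2014-08-01 09:30:05 ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2014-08-01 09:41:52 ERROR RadiusServer.Radius - Auth-Type not set or authentication methods have not been configured. Rejecting it.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ERROR RadiusServer\.Radius - (?P<msg>.*)$")

# Failure classes keyed on the messages seen in the thread.
PATTERNS = [
    ("no_password_material", re.compile(r"No NT/LM-Password")),
    ("bad_mschap_response", re.compile(r"MS-CHAP2-Response is incorrect")),
    ("method_not_configured", re.compile(r"Auth-Type not set")),
]

def classify(msg):
    for name, rx in PATTERNS:
        if rx.search(msg):
            return name
    return "other"

def triage(log_text):
    """Count failure classes. A bad-response line sharing its timestamp with a
    preceding no-password line is a consequence of it, not a wrong password."""
    counts, last_no_pw_ts = Counter(), None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind = m.group("ts"), classify(m.group("msg"))
        if kind == "no_password_material":
            last_no_pw_ts = ts
        elif kind == "bad_mschap_response" and ts == last_no_pw_ts:
            kind = "consequence_of_no_password"
        counts[kind] += 1
    return counts

def diagnose(counts):
    # Systemic causes first: they explain every attempt, not just one user's.
    if counts["no_password_material"]:
        return "auth source cannot supply password material for MS-CHAPv2"
    if counts["method_not_configured"]:
        return "inner method enabled on the service is not offered by the supplicant"
    if counts["bad_mschap_response"]:
        return "password material retrieved but response mismatch"
    return "no rlm_mschap failures found"
```

With eDirectory the first diagnosis maps to the fix in this post: Universal Password enabled, admin retrieval allowed, and nspmPassword as the password attribute (or a move to EAP-TTLS/EAP-GTC).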

 

Guru Elite
Posts: 8,633
Registered: 09-08-2010

Re: Wireless 802.1x EAP-PEAP with Novell eDirectory

Be sure to review the security ramifications of Universal Password with your security team. That's the only reason I recommended EAP-TTLS or EAP-GTC.

Glad you're up and running though!

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480