
Secure authentication with only a password

By the security guy posted May 31, 2012 05:54 PM

  

Cloud services are now being used to crack the passwords used in WPA2-PSK. One researcher used the Amazon cloud to check over 400,000 passwords per second at a cost of less than a penny. He claims he can find passwords for less than $2. Check it out:

http://www.mobile-tech-today.com/story.xhtml?story_id=032003YEG0U8

 

If "use a stronger password!" is your response, then you're not thinking about Moore's Law. These sorts of attacks are going to keep getting faster and cheaper, while your ability to remember a password, and to repeatedly enter it with a low probability of error, starts to degrade after about 20 characters. It's a losing battle!

What should I do, you ask? Good question. The answer is to stop using protocols that are susceptible to dictionary attack.

A dictionary attack is one in which the attacker is able to run through a set of potential passwords and recognize when he has found the right one. The set of passwords isn't necessarily a dictionary; potential passwords can contain numbers and special characters (for example, "passw*rd" is unfortunately a very popular password, as is "abc123"). The idea is that the attacker has everything he needs, except the right password, to compute a password verifier, and he has the information to know when that verifier is correct. All he needs is a giant database of a few million potential passwords, and those are easily found on the Internet. When a protocol is resistant to dictionary attack, it means an attacker cannot observe an exchange and then go offline to search for the right password (as can be done with WPA2-PSK).

Aruba has developed a protocol called dragonfly that is resistant to dictionary attack. This protocol has been added to the 802.11 standard in the form of SAE (Simultaneous Authentication of Equals). It has also been incorporated into an EAP method, EAP-pwd, defined in RFC 5931 (http://tools.ietf.org/html/rfc5931).

The implications of this are profound. Passwords used for access can be shorter and easier to remember without a considerable loss of security (repeated, active guessing attacks are still possible against dragonfly, but those are easily detected and countermeasures deal with them effectively). As a drop-in replacement for WPA2-PSK, SAE will make small office and home networks secure. As an EAP method, EAP-pwd will provide enterprise (and guest access) security using simpler passwords without the need for server-side certificates.
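To make the two claims above concrete, here is an added Python illustration of a dragonfly-style commit/confirm exchange; it is not code from this post, from RFC 5931 or from Aruba. It keeps the protocol's shape (a password element PE, a public scalar and element per side, a shared key PE^(rand * peer_rand), and a key-confirmation MAC) but everything else is my simplification: a 62-bit safe prime found at import time instead of a real group, hash-and-square instead of the RFC's counter-based mapping, an HMAC-SHA256 key schedule, the identities "ap", "alice" and "mallory", the sample passwords, and a lockout after three failed confirms.

```python
# Added illustration of a Dragonfly-style PAKE over a toy finite field. This is not RFC 5931
# and not Aruba's code: it keeps the commit/confirm structure but uses a 62-bit safe prime,
# a shortened password-to-element mapping and a simplified key schedule.
import hashlib
import hmac
import secrets

def is_probable_prime(n):
    # Miller-Rabin with the first 12 prime bases: deterministic below 3.3e24, so exact for 62-bit values.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    # Smallest odd q >= start with q and p = 2q + 1 both prime; returns (p, q).
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 61)  # toy group: the order-Q subgroup of Z_P^*, far too small for real use

def password_element(password, ident_a, ident_b):
    # Hash password and identities, then square into the order-Q subgroup (RFC 5931's FFC mapping, simplified).
    label = b"|".join(sorted([ident_a, ident_b])) + b"|" + password
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    pe = pow(x, 2, P)
    if pe in (0, 1):  # probability about 2^-61 here; real code re-derives with a counter
        raise ValueError("unusable password element")
    return pe

def _enc(*ints):
    return b"".join(i.to_bytes(8, "big") for i in ints)  # every value here is below P < 2^63

class Party:
    def __init__(self, ident, password, peer_ident):
        self.pe = password_element(password, ident, peer_ident)
        while True:  # private rand and mask in [2, Q-1]; re-roll if the public scalar lands on 0 or 1
            self.rand, self.mask = (secrets.randbelow(Q - 2) + 2 for _ in range(2))
            self.scalar = (self.rand + self.mask) % Q
            if self.scalar > 1:
                break
        element = pow(self.pe, Q - self.mask, P)  # PE^(-mask)
        self.commit = (self.scalar, element)      # the only values this side ever puts on the wire

    def process_commit(self, peer_scalar, peer_element):
        # Range, subgroup and reflection checks, then the shared key PE^(rand * peer_rand).
        if (not 1 < peer_scalar < Q or peer_element in (0, 1) or pow(peer_element, Q, P) != 1
                or (peer_scalar, peer_element) == self.commit):
            raise ValueError("invalid or reflected peer commit")
        self.peer = (peer_scalar, peer_element)
        # PE^peer_scalar * peer_element == PE^peer_rand; the result also needs our private rand, never sent.
        k = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        seed = hashlib.sha256(_enc(k)).digest()
        self.kck = hmac.new(seed, b"KCK", hashlib.sha256).digest()  # key-confirmation key
        self.mk = hmac.new(seed, b"MK", hashlib.sha256).digest()    # session key (the PMK, in SAE terms)

    def confirm(self):
        return hmac.new(self.kck, _enc(*self.commit, *self.peer), hashlib.sha256).digest()

    def verify_confirm(self, peer_confirm):
        expected = hmac.new(self.kck, _enc(*self.peer, *self.commit), hashlib.sha256).digest()
        return hmac.compare_digest(expected, peer_confirm)

def run_exchange(client, server):
    # Commit and confirm in both directions; returns (server_accepts, client_accepts).
    server.process_commit(*client.commit)
    client.process_commit(*server.commit)
    return server.verify_confirm(client.confirm()), client.verify_confirm(server.confirm())

class Authenticator:
    # Server holding the real password plus the per-peer failure counter that makes active guessing visible.
    def __init__(self, ident, password, max_failures=3):
        self.ident, self.password, self.max_failures = ident, password, max_failures
        self.failures = {}

    def try_login(self, client_ident, client_password):
        if self.failures.get(client_ident, 0) >= self.max_failures:
            return "locked_out"
        server = Party(self.ident, self.password, client_ident)
        client = Party(client_ident, client_password, self.ident)  # client simulated locally
        if all(run_exchange(client, server)):
            self.failures.pop(client_ident, None)
            return "accepted"
        self.failures[client_ident] = self.failures.get(client_ident, 0) + 1
        return "rejected"
```

Running `Authenticator(b"ap", b"abc123").try_login(b"alice", b"abc123")` returns "accepted", while a peer that submits three wrong passwords in a row is refused on the fourth attempt even if that guess is right. The point the code makes is structural: the only things on the wire are the two commits and two confirms, and computing k requires a party's private rand, which is never transmitted. An observer who records the exchange and holds a candidate password can compute PE but cannot turn the transcript into a verifier, so each guess has to be an active exchange that the authenticator sees and counts. With WPA2-PSK, by contrast, the passphrase plus the observed handshake is enough to check a guess offline, which is exactly the attack the cloud-cracking story above describes.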

 

Coming soon to an Aruba network near you: secure authentication with only a password.

 


Comments

Dec 21, 2014 10:26 AM

It seems support has been pushed back to 6.5. Kinda funny to see this announced in 2012 and it taking until 2015 to get into the actual Aruba software.

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/EAP-PWD-support-on-Aruba-Clearpass/td-p/220233

Dec 09, 2014 12:25 AM

Hi Dan,

 

Has EAP-PWD been integrated in ClearPass 6.4 OS? If yes, where can I find the deployment or some detailed information on how to implement this in an existing environment.

 

regards,

Kapil

Jun 12, 2014 03:01 PM

 

Hi Tony,

EAP-pwd will be supported in ClearPass 6.4 with a scheduled FCS in mid-November. If you'd like to start using it you can continue to use FreeRADIUS as that has EAP-pwd support in it.

Aruba has an EAP plug-in that provides EAP-pwd support for the Windows supplicant, see the mention above in my 8-15-2013 post. Unfortunately there is no support for Mac or iOS at this time but there is for Android.

regards,

Dan.

 

Jun 10, 2014 04:25 AM

Hi,

 

Currently we authenticate users with EAP-PEAP and EAP-TTLS (Cisco controllers and FreeRADIUS).
With the recent acquisition of Aruba 7220 controllers and ClearPass we want to migrate to authentication only with EAP-PWD.
Our idea is to use our LDAP and ClearPass cluster as RADIUS proxy.
Is EAP-PWD supported in ClearPass?
Are there supplicants available for Windows, Mac, iOS?

Regards

 

Aug 15, 2013 12:25 PM

Hi George,

 

It doesn't require a certificate on the backend. RADIUS is probably necessary, although strictly speaking EAP-pwd could be terminated on a controller without the need for a RADIUS server. A differentiator here is that there's no need for a certificate, and no need for a PKI. There are no security (or scaling) issues associated with self-signed certificates either. Currently, there is EAP-pwd support in FreeRADIUS and hostapd so it's straightforward to roll this out.

 

EAP-pwd is a normal EAP method that can be used in pass-thru mode on any AP/controller and the resulting authenticated and shared secret (the PMK) can be cached and used to facilitate fast roaming using either opportunistic key caching or 802.11r. There is no latency penalty for roaming. 

 

I'm not sure why you imagine using a shared username and password. EAP-pwd can certainly be used that way but then you lose the ability to do true user authentication. The problem with doing PEAP and username/password is that it requires the server to have a certificate from a trusted CA. With EAP-pwd you get strong authentication, resistance to dictionary attack, and no PKI/certificates needed. And, as mentioned above, with EAP-pwd you can use shorter and weaker passwords and still get strong authentication due to its resistance to dictionary attack. The security of the protocol doesn't break down if it gets used with weak passwords!

 

Aruba has an EAP-pwd plug-in for Windows. And this is a true EAP plug-in too. It continues to use the Windows supplicant but just adds another EAP method. This is unlike some of our competitors that completely blow away the Windows supplicant and force you to use theirs (good luck uninstalling that software too!).

 

Strong, robust, and misuse-resistant cryptography, brought to you by Aruba Networks :-)

 

Aug 15, 2013 02:24 AM

I saw a native Android client for EAP-PWD and wondered what it was and I tracked it down to here.  Is there a way to get this working in Microsoft Windows client?  Would be nice to have a simple PSK alternative that authenticates within a secure tunnel.

I'm assuming this still requires a RADIUS certificate on the backend?

I'm the author of this guide for enterprise wireless security.
http://www.zdnet.com/blog/ou/ultimate-guide-to-enterprise-wireless-lan-security-released/404

It's been a while since I've seen a new EAP type that's worth mentioning, but this may be a good new addition.  The last time I found something new and interesting was Ruckus' implementation of dynamic PSK which issued a PSK per device without the need for a RADIUS or certificate backend.  That solves the problem of a compromised client device divulging a shared secret and being forced to reconfigure every other device using that shared key.  The lack of a RADIUS and certificate backend simplified remote implementations (think 1000 chain stores) because it eliminated latency.  There's also a heavy latency penalty for roaming between APs which makes it bad for VoIP devices.

But EAP-PWD solves the hackability problem.  One issue I see with EAP-PWD is that if you're going to go with a RADIUS and 802.1x backend, you could just use PEAP with a shared username and password.  The down side is that it requires an extra field for the user to enter, but at least it has native universal support on the client side.

Maybe the two solutions could be merged into a unified standard.

Jun 08, 2012 12:19 AM

Great question! 

 

That subject was broached to Wi-Fi a while ago and the vote failed. Hotspot 2.0 defines EAP-TLS for certificate-based authentication, EAP-AKA and EAP-SIM for SIM-based authentication, and TTLS for "Username/Password (with server-side certificate)". What we were proposing was to add another option for "Username/Password (without server-side certificate)". As I said, the vote failed. This was back in 2010.

 

I do plan on re-introducing the idea. Much has happened since the initial try. EAP-pwd is in the base of Android 4.0 (ICS), it is in FreeRADIUS, it is in hostapd and wpa_supplicant. There is ample code out there now that wasn't there in 2010.

 

Stay tuned!

 

Jun 07, 2012 08:50 PM

You mention using EAP-pwd as a WPA2-PSK and WPA2-Enterprise enhancement/replacement.  Do you plan to propose EAP-pwd for future inclusion in the WFA's Hotspot 2.0 specification?  Assuming it's secure, this would appear to be a nice alternative to EAP-TTLS with server certs.