Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x auth with external source (SQL/LDAP) - password hashing

  • 1.  802.1x auth with external source (SQL/LDAP) - password hashing

    Posted Sep 20, 2017 10:01 AM

    Hi there,

    I've read several discussions and recipes here, but didn't find an exact answer: is there any way to configure CP to use an external source (SQL or LDAP) with password hashing? The configured auth method is "EAP-PEAP,EAP-MSCHAPv2".

     

    (The external SQL source with PGsql has been configured and it works as well, but the passwords are stored as plaintext.)

     

    Thanks,

     

    a.

     

    ps: here is a post, where I found that the LDAP source can use NTLM:
    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Can-we-do-802-1x-Authentication-with-EAP-PEAP-MSChapV2-on-CPPM/ta-p/184336
    But if LDAP can, why can't PGSql?



  • 2.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    EMPLOYEE
    Posted Sep 27, 2017 10:40 AM

    Have you tested with NT Hash in a database and MSCHAPv2? According to the configuration, I would assume that it could work:

    [image: nthash.png]

    I have not tested it. Most LDAP servers don't carry or expose the NT Hash, so you will need to check there as well.

    In case it does not work, I don't see a technical reason for it either. It might be that just nobody asked for it.



  • 3.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    Posted Sep 27, 2017 11:13 AM

    Hi Herman,

     

    "Have you tested with NT Hash in a database and MSCHAPv2?"

    Sure, but it didn't work.

     

    I've tried to modify the SQL:

    SELECT password AS User_Password, password_hash AS Password_Hash, ssid AS SSID FROM Users WHERE username = '%{Authentication:Username}' AND ssid = LOWER('%{Radius:Aruba:Aruba-Essid-Name}');

    and of course, the password_hash field stored the NTHash form of password. Still doesn't work.

    With clearpass form the auth works as well. Also tried with this:

    SELECT password AS User_Password, ....

    where the password field stored the NTHash form of passwd, but that also didn't work for me.

     

    I'm totally confused, and don't know, what can we do now... :(

     

    Thanks for your help,

     

    a.

     



  • 4.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    EMPLOYEE
    Posted Sep 27, 2017 11:17 AM

    Best is to open a TAC case. The TAC Engineer should be able to have a look together with you and find out if it is possible.



  • 5.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    Posted Sep 27, 2017 11:25 AM

    Hi Herman,

     

    thanks for your tip, I'll try it.

     

    a.



  • 6.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    EMPLOYEE
    Posted Sep 27, 2017 11:17 AM

    Why do you have an SSID query in there? Can you remove it and test again?



  • 7.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    Posted Sep 27, 2017 11:19 AM

    Hi Tim,

     

    thanks for the answer - as I remember, I've checked it without SSID.

    What do I need to put in the query? The simple "User_Password" or "Password_Hash"?

     

    "Why do you have an SSID query in there?"

    Because we need to filter the different users (which may have same username, eg. "jsmith") on different networks. The SSID identifies the network.

     

    Thanks,

    a.



  • 8.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing
    Best Answer

    Posted Sep 28, 2017 12:12 PM

    Well, thanks for all of your help guys. Looks like I misunderstood something, or there was an ugly typo, or something else... but now it works, both LDAP and (PG)SQL.

     

    I've found a website where I've generated the NT hashes, maybe that gave me wrong hashes... don't know, but never mind. It works.

     

    Thanks again, and sorry for the noise.

     

    a.



  • 9.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    EMPLOYEE
    Posted Sep 28, 2017 12:17 PM

    You should really consider moving away from legacy EAP methods. You're putting your users' credentials at risk.



  • 10.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    Posted Sep 29, 2017 05:23 AM

    Hi Tim,

     

    many thanks for your response.

    I'm not an expert in wireless networks, nor Radius-related auth methods, so I took your advice, and checked the CP settings.

     

    Under the monitoring/access tracker menu I've found my login event, and there are these lines:

     

    Summary:

    Policies Used -
    Service:                abc Service
    Authentication Method:  EAP-PEAP,EAP-MSCHAPv2

    Input / Computed Attributes:
    Authentication:ErrorCode                 0
    Authentication:Full-Username             airween
    Authentication:Full-Username-Normalized  airween
    Authentication:InnerMethod               EAP-MSCHAPv2
    Authentication:MacAuth                   NotApplicable
    Authentication:OuterMethod               EAP-PEAP

    So if I'm not wrong the user's credentials aren't at risk - what do you think about it?

     

    Thanks again for all of your help.

     

    Regards,

    a.

     



  • 11.  RE: 802.1x auth with external source (SQL/LDAP) - password hashing

    EMPLOYEE
    Posted Sep 29, 2017 08:31 AM

    Legacy EAP methods like PEAP and EAP-TTLS are highly susceptible to MITM attacks. User credentials are always at risk and these EAP methods should be avoided at all costs.