Occasional Contributor I

802.1x auth with external source (SQL/LDAP) - password hashing

Hi there,

I've read several discussions and recipes here, but didn't find an exact answer: is there any way to configure CP to use an external source (SQL or LDAP) with password hashing? The configured auth method is "EAP-PEAP,EAP-MSCHAPv2".

(The external SQL source with PGsql has been configured and works, but the passwords are stored as plaintext.)

 

Thanks,

 

a.

 

ps: here is a post where I found that the LDAP source can use NTLM:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Can-we-do-802-1x-Authentication-with-EAP-PEAP-MSChapV2-on-CPPM/ta-p/184336
But if LDAP can, why can't PGSql?

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Have you tested with NT Hash in a database and MSCHAPv2? According to the configuration, I would assume that it could work:

[screenshot: nthash.png]

I have not tested it. Most LDAP servers don't carry or expose the NT Hash, so you will need to check there as well.

In case it does not work, I don't see a technical reason for it either. It might be that just nobody asked for it.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Hi Herman,

 

"Have you tested with NT Hash in a database and MSCHAPv2?"

Sure, but it didn't work.

 

I've tried to modify the SQL:

SELECT password AS User_Password, password_hash AS Password_Hash, ssid AS SSID FROM Users WHERE username = '%{Authentication:Username}' AND ssid = LOWER('%{Radius:Aruba:Aruba-Essid-Name}');

and of course the password_hash field stored the NT hash form of the password. It still doesn't work.

With the ClearPass form the auth works as well. I also tried this:

SELECT password AS User_Password, ....

where the password field stored the NT hash form of the password, but that also didn't work for me.

I'm totally confused and don't know what we can do now... :(

 

Thanks for your help,

 

a.

 

Guru Elite

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Why do you have an SSID query in there? Can you remove it and test again?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Best is to open a TAC case. The TAC Engineer should be able to have a look together with you and find out if it is possible.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Hi Tim,

 

thanks for the answer - as I remember, I checked it without the SSID.

What do I need to put in the query? Just "User_Password", or "Password_Hash"?

 

"Why do you have an SSID query in there?"

Because we need to filter the different users (which may have the same username, e.g. "jsmith") on different networks. The SSID identifies the network.

 

Thanks,

a.

Occasional Contributor I

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Hi Herman,

 

thanks for your tip, I'll try it.

 

a.

Occasional Contributor I

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Well, thanks for all of your help, guys. Looks like I misunderstood something, or there was an ugly typo, or something else... but now it works, with both LDAP and (PG)SQL.

I found a website where I generated the NT hashes; maybe that gave me wrong hashes... I don't know, but never mind. It works.

Thanks again, and sorry for the noise.

 

a.

Guru Elite

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

You should really consider moving away from legacy EAP methods. You're putting your users' credentials at risk.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: 802.1x auth with external source (SQL/LDAP) - password hashing

Hi Tim,

 

many thanks for your response.

I'm not an expert in wireless networks or RADIUS-related auth methods, so I took your advice and checked the CP settings.

Under the Monitoring / Access Tracker menu I found my login event, and it has these lines:

 

Summary:

Policies Used -
Service:                abc Service
Authentication Method:  EAP-PEAP,EAP-MSCHAPv2

Input / Computed Attributes:
Authentication:ErrorCode                 0
Authentication:Full-Username             airween
Authentication:Full-Username-Normalized  airween
Authentication:InnerMethod               EAP-MSCHAPv2
Authentication:MacAuth                   NotApplicable
Authentication:OuterMethod               EAP-PEAP

So if I'm not wrong, the user's credentials aren't at risk - what do you think about it?

 

Thanks again for all of your help.

 

Regards,

a.

 
