Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

  • 1.  AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    Posted Jun 27, 2018 10:29 PM

    So I have a WPA2 Enterprise network setup. The APs connect to two Windows 2012 R2 servers running NPS. The radius policy on these servers grants access to workstations that belong to a specific AD group, and only PEAP is enabled


    My question is, what information does the workstation pass to the AP to authenticate against AD via radius , and how is this information secured?



  • 2.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    EMPLOYEE
    Posted Jun 27, 2018 10:40 PM

    PEAP (and other legacy EAP methods) should be avoided at all costs as there is a high risk for MITM on devices that are not configured correctly.


    To directly answer your question, the inner method (EAP-MSCHAPv2) uses the NTLMv1 hash in a challenge/response between the supplicant (client) and EAP server.



  • 3.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    Posted Jun 27, 2018 11:15 PM

    You say EAP-MSCHAPv2 is used, but I don't have that enabled in NPS. The wording of the available options makes me think PEAP is the most secure option?

    [image: peap.jpg]


    So what is the more secure way to configure the NPS on the 2012 server? The other two options are Microsoft Smart Card or Other certificate, or Microsoft Secured password (EAP-MSCHAP v2).



  • 4.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    Posted Jun 27, 2018 11:25 PM

    I dug a little deeper, and found what you're referring to - EAP-MSCHAP v2 is set within the PEAP settings.

    [image: peap2.png]

    My other question stands - what's a better (best) way to configure this?

    Cheers



  • 5.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?
    Best Answer

    EMPLOYEE
    Posted Jun 28, 2018 04:56 AM

    I recorded this video on this topic (PEAP/MSCHAPv2). It explains what the problem is, why you should avoid it whenever it is possible, and why you should think twice in case you can't avoid it.


    In summary: Only deploy these legacy methods if you either don't care about security or losing user credentials, or if you have 100% control over the end-user device. As this strict client control is seldom the case, move to EAP-TLS (or PEAP with certificates) if you need a secure solution.


    Unfortunately, I don't have a guide on how to set this up with NPS, but I have done this once in the past and didn't run into big issues as far as I can remember. Biggest challenge in most deployments is how to get certificates enrolled to the clients, and how to get the clients configured. In a Windows environment there are tools available with group policies and the Windows Certificate Services. For other devices like BYOD you might need to have a look at MDM solutions or ClearPass Onboard. 




  • 6.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    Posted Jun 28, 2018 04:00 PM

    Thanks for posting the video - that was very informative :-)


    I'm using this for domain laptops, so I've set a group policy that ensures certificates are verified and that users can't accept cert changes, so as far as PEAP goes it's secure. But I'll research EAP-TLS and PEAP with certs and implement whichever is most secure.


    Thanks again for the informative post.
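Added example (not from this thread, and not HPE Aruba or Microsoft code): a small Python audit of the settings posts 5 and 6 are talking about. It reads a Windows WLAN profile as exported by `netsh wlan export profile` and reports whether the supplicant is on EAP-TLS, or, if it is on PEAP, whether server certificate validation is enforced, user click-through is blocked, a root CA is pinned, a RADIUS server name is expected and crypto binding is required. The element names follow Microsoft's WLAN profile / EapHostConfig XML schema as I know it; the sample profiles are constructed here, and `PLACEHOLDER-CA-THUMBPRINT` and `radius1.corp.example` are placeholders, not real values.

```python
"""Audit an exported Windows WLAN profile for the PEAP settings discussed in this
thread.  Added example: element names follow Microsoft's WLAN profile /
EapHostConfig schema (as written by `netsh wlan export profile`); the sample
profiles below are constructed and the CA thumbprint is a placeholder."""
import xml.etree.ElementTree as ET

EAP_TLS = 13       # IANA EAP method numbers as they appear in <Type>
EAP_PEAP = 25
EAP_MSCHAPV2 = 26


def _local(tag):
    """Drop the namespace so lookups survive schema version differences."""
    return tag.rsplit('}', 1)[-1]


def _find_all(node, name):
    return [el for el in node.iter() if _local(el.tag) == name]


def _first_text(node, name, default=None):
    els = _find_all(node, name)
    return els[0].text.strip() if els and els[0].text else default


def audit_profile(xml_text):
    """Return (outer_eap_type, findings).  No findings means EAP-TLS, or PEAP
    with server validation enforced, so the client will not run the inner
    MSCHAPv2 challenge/response against an unknown RADIUS server."""
    root = ET.fromstring(xml_text)
    method = _find_all(root, 'EapMethod')
    if not method:
        return None, ['not an 802.1X/EAP profile (open or pre-shared key)']
    outer = int(_first_text(method[0], 'Type'))
    if outer == EAP_TLS:
        return outer, []              # certificate auth: no password hash in play
    if outer != EAP_PEAP:
        return outer, [f'unexpected outer EAP method {outer}']
    findings = []
    if _first_text(root, 'PerformServerValidation', 'false') != 'true':
        findings.append('server certificate validation disabled')
    if _first_text(root, 'DisableUserPromptForServerValidation', 'false') != 'true':
        findings.append('user may click through an unknown server certificate')
    if not _find_all(root, 'TrustedRootCA'):
        findings.append('no trusted root CA pinned')
    if not _first_text(root, 'ServerNames'):
        findings.append('no expected RADIUS server name configured')
    if _first_text(root, 'RequireCryptoBinding', 'false') != 'true':
        findings.append('crypto binding not required')
    return outer, findings


# Namespaces as used in Microsoft's exported profiles (constructed samples below).
NS_WLAN = 'http://www.microsoft.com/networking/WLAN/profile/v1'
NS_ONEX = 'http://www.microsoft.com/networking/OneX/v1'
NS_HOST = 'http://www.microsoft.com/provisioning/EapHostConfig'
NS_COMMON = 'http://www.microsoft.com/provisioning/EapCommon'
NS_BASE = 'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1'
NS_PEAP1 = 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1'
NS_PEAP2 = 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2'


def _wrap(eap_type, config_body):
    """Constructed profile skeleton shared by the PEAP and EAP-TLS samples."""
    return (f'<WLANProfile xmlns="{NS_WLAN}"><name>CorpWiFi</name><MSM><security>'
            f'<OneX xmlns="{NS_ONEX}"><EAPConfig><EapHostConfig xmlns="{NS_HOST}">'
            f'<EapMethod><Type xmlns="{NS_COMMON}">{eap_type}</Type></EapMethod>'
            f'<Config>{config_body}</Config></EapHostConfig></EAPConfig></OneX>'
            f'</security></MSM></WLANProfile>')


def sample_peap_profile(validate, no_prompt, root_ca, server_names, crypto_binding):
    """Constructed PEAP/EAP-MSCHAPv2 profile with the given validation settings."""
    ca = f'<TrustedRootCA>{root_ca}</TrustedRootCA>' if root_ca else ''
    return _wrap(EAP_PEAP, (
        f'<Eap xmlns="{NS_BASE}"><Type>{EAP_PEAP}</Type><EapType xmlns="{NS_PEAP1}">'
        f'<ServerValidation><DisableUserPromptForServerValidation>{no_prompt}'
        f'</DisableUserPromptForServerValidation><ServerNames>{server_names}</ServerNames>{ca}'
        f'</ServerValidation><Eap xmlns="{NS_BASE}"><Type>{EAP_MSCHAPV2}</Type></Eap>'
        f'<RequireCryptoBinding>{crypto_binding}</RequireCryptoBinding><PeapExtensions>'
        f'<PerformServerValidation xmlns="{NS_PEAP2}">{validate}</PerformServerValidation>'
        f'</PeapExtensions></EapType></Eap>'))


def sample_tls_profile():
    """Constructed EAP-TLS profile: the recommendation in this thread."""
    return _wrap(EAP_TLS, f'<Eap xmlns="{NS_BASE}"><Type>{EAP_TLS}</Type></Eap>')


if __name__ == '__main__':
    weak = sample_peap_profile('false', 'false', '', '', 'false')
    hardened = sample_peap_profile('true', 'true', 'PLACEHOLDER-CA-THUMBPRINT',
                                   'radius1.corp.example', 'true')
    for label, xml in [('weak PEAP', weak), ('hardened PEAP', hardened),
                       ('EAP-TLS', sample_tls_profile())]:
        eap, findings = audit_profile(xml)
        print(f'{label}: EAP type {eap}:', findings or 'OK')
```

To run it against a real machine, export the profile with `netsh wlan export profile name="CorpWiFi" folder=C:\temp` on the client, read the resulting XML file as bytes and pass it to `audit_profile()`. The lookups ignore namespaces on purpose, so the check works whether the profile was written by hand, pushed by group policy or generated by an onboarding tool; an empty findings list is what the group policy in post 6 is meant to guarantee, and the EAP-TLS branch is the end state post 7 recommends.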



  • 7.  RE: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

    EMPLOYEE
    Posted Jun 28, 2018 09:34 AM

    Use EAP-TLS.