Primary (K-12) Education

 View Only
last person joined: 3 days ago 

Got networking questions for schools or want to know more about E-rate? Submit them here!
Back to discussions
Expand all | Collapse all

Migrating from mschapV2 AAA authentication to eap-tls

This thread has been viewed 2 times

  • 1.  Migrating from mschapV2 AAA authentication to eap-tls

    Posted 2 days ago

    Hello All in the education sector,

    Looking to migration from mschapV2 AAA authentication to EAP-TLS. Reason being District purchased new CX switches a few months back and planning on buying another 90+ on e-rate shortly however, CX models no longer have mschapV2 AAA authentication commands and this is a big problem. 

    Would it be better to pay for upgrading the whole of the 292 switch environment to Clearpass, or doing the conversion myself to EAP-TLS?

    Environment:

    Procurves 2920s

    Aruba 5406zlr2

    Aruba CX (I forget the model)

    Windows NPS

    Windows Certificate Authority



  • 2.  RE: Migrating from mschapV2 AAA authentication to eap-tls

    Posted 2 days ago

    Not sure what you configured today for mschapv2 on your switch, and normally for aaa port-access you configure the EAP method (PEAP-MSCHAPv2 or EAP-TLS or TEAP) ion your RADIUS server (probably NPS in your case), and on the client and on the RADIUS server, not on the switch.

    It's strongly advised to move away from legacy mschapv2 as the protocol has known security weaknesses (for years already) and EAP-TLS or other EAP methods with client certificates are the most logical direction. You don't need ClearPass for EAP-TLS, you should be able to configure that with NPS as well (I know it's possible, but don't ask me how to do it). With ClearPass it's just much easier to set up and more important to troubleshoot if you have issues.

    As this is a quite radical design decision, it may be better to work with your Aruba partner, or someone familiar with this subject and your environment as it's important to get this designed properly. The switch models are less important as it's all standards based.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message