Please can someone explain how MSCHAPV2 works with LDAP

  • 1.  Please can someone explain how MSCHAPV2 works with LDAP

    Posted Mar 19, 2019 05:11 PM

    Please can someone explain how MSCHAPV2 works with LDAP? Is it supported, and what are the limitations of using MSCHAPV2 with LDAP? How do LDAP binds work with MSCHAPV2?


    Why would LDAPS be preferred?


    I find figuring out what works best with LDAP very confusing. 



  • 2.  RE: Please can someone explain how MSCHAPV2 works with LDAP

    EMPLOYEE
    Posted Mar 19, 2019 08:55 PM

    Long story short: don't use LDAP.  Use RADIUS for encryption.  LDAP works fine for Captive Portal authentication.  If you use it for 802.1X, you will be forced to install a custom supplicant on your clients.  LDAPS is the same thing.  Please use RADIUS and don't use LDAP.




  • 3.  RE: Please can someone explain how MSCHAPV2 works with LDAP

    EMPLOYEE
    Posted Mar 21, 2019 08:49 AM

    A little more background on this. In order to do an MSCHAPv2 authentication, which you should avoid and move to TLS instead (search "MSCHAPv2 cracked" for the why), you need access to either the user password in plaintext or the NT hash of the password.


    LDAP servers try to avoid storing plaintext passwords and NT hashes, so they don't have access to the information to perform an MSCHAPv2 authentication.


    So the short summary is indeed that LDAP servers don't support the use of PEAP-MSCHAPv2 authentication, and you will need a RADIUS server that has deeper integration into your authentication system (like AD). This is also the reason why ClearPass needs to be joined to the domain to support MSCHAPv2, as the domain join is needed to get access to the NT hashes.
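The point made in this thread (MSCHAPv2 can only be verified from the plaintext password or its NT hash, which an LDAP bind never hands over), worked through as an added example that is not from the poster, Aruba or ClearPass: it derives the NT hash exactly as MSCHAPv2 does (unsalted MD4 over the UTF-16LE password), computes the RFC 2759 ChallengeHash, and contrasts that with a simulated `{SSHA}` userPassword value, which can only answer a plaintext bind. MD4 is implemented inline because OpenSSL-backed hashlib often disables it; the final DES-based NT-Response step is left out since the standard library has no DES.

```python
import base64
import hashlib
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); little-endian words, three rounds of 16 steps each."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & M32
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: message words in order
            a, b, c, d = d, rot((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: columns 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rot((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: fixed permutation from the RFC
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash a RADIUS/MSCHAPv2 verifier must hold: MD4 of UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 section 8.2). The NT-Response is then three DES
    encryptions of this value keyed from the NT hash, so the verifier needs that hash."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def ssha_store(password: str, salt: bytes) -> str:
    """Constructed stand-in for an LDAP userPassword: {SSHA}base64(sha1(pw||salt)||salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def ldap_bind(stored: str, password: str) -> bool:
    """Simple bind: the directory needs the plaintext to recompute its salted digest,
    and nothing in the stored value can be turned back into an NT hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest
```

A captive-portal or PAP flow carries the plaintext and so can call `ldap_bind`; a PEAP-MSCHAPv2 exchange only carries challenge-derived values, so the server has to recompute them from `nt_hash`, which only a domain-joined RADIUS server or AD can supply.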