Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal uses PAP instead of PEAP for Radius?

  • 1.  Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 08, 2013 12:57 PM

    Hello - 

    I am working on configuring a captive portal setup for our network. 

    I find that when I assign the Radius servers as the authentication method for the captive portal, authentication keeps failing. Looking at my Radius logs, I find this:

    ------------

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
    Authentication Provider: Windows
    Authentication Server: sturgeon.evergreen.edu
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    ------------

     

    However, I can log in just fine to the management web ui, using the exact same AAA profiles / servers. When I review the logs for my login on the management ui, it shows this:

     

    -----------
    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
    Authentication Provider: Windows
    Authentication Server: sturgeon.evergreen.edu
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -

    -----------

     

    Is this by design? Or am I missing something? I understand that normally PEAP would be used to encapsulate the request and pass it through to the radius server, but if the Web UI is able to do that, why can't the captive portal? Or perhaps the question is why *won't* the captive portal?



  • 2.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 08, 2013 02:41 PM

    For Captive Portal, the Aruba Controller will use PAP authentication by default.

    I also had a similar problem to yours, and I resolved it by changing the Network Policy setting to allow PAP (I tested it using Microsoft NPS).

     



  • 3.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 08, 2013 06:57 PM

    Yes, I understand that I could set it to PAP, but I was hoping that because the Web UI works with PEAP, then maybe the captive portal would as well, but perhaps that's just not the way they were set up. Maybe the captive portal runs on its own separate web server? Functionally, they are doing the same thing. I have a username, and a password, Mr. Radius Server, what shall I tell this client?



  • 4.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 08, 2013 09:23 PM

    I am not sure how you are seeing PEAP authentication for management attempts. Are you sure the event you are seeing is not from a wireless logon?

     

    Both Captive Portal and Controller Management authentication use PAP by default; however, they can be configured to use MSCHAP. When defining the management authentication server, you can set MSCHAPv2 rather than PAP, but you cannot set PEAP. You can do the same for Captive Portal in the captive portal profile.

     

     



  • 5.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 08, 2013 09:32 PM

    On WebUI, did you notice which auth you select when doing AAA testing?

    There are 2 options available, using MSCHAP2 or PAP. 

     

    But unfortunately in CP, you are tied to the CHAP or PAP options only (default is PAP).

     

    Maybe Aruba Dev Team will add it if you ask them in IDEAS section.

     

    Regards

    -S-

     

     



  • 6.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    EMPLOYEE
    Posted Mar 09, 2013 05:28 PM

    I am sure you understand by now, but please see here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-575



  • 7.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Mar 11, 2013 11:49 AM

    Yes, I have set up separate Radius servers in the policies, so that's not the issue.

    I guess the answer is just "That's the way it is, sorry."

     

    As for whether I know if it's from a wireless client via 802.1x or if it's from me logging in to the management UI, I have a special privileged account used for managing devices, and do not log in to the wireless network with that account so it's pretty simple to tell them apart in the RADIUS logs.



  • 8.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Jul 03, 2014 04:06 PM

    The ArubaOS command manual says about the "use-chap" option --> "Use CHAP protocol. You should not use this option unless instructed to do so by an Aruba representative."

     

    Why not use the MSCHAP2 protocol to authenticate captive portal users? PAP is more insecure, isn't it?

     

    And is the problem reported in this KB https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-575 valid for MS Win 2008?



  • 9.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    EMPLOYEE
    Posted Jul 03, 2014 04:16 PM

    That "use-chap" option is a nonstandard version of CHAP. Please see the whole answer to your question here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1050

     



  • 10.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    Posted Jul 04, 2014 10:46 AM

    Thank you Colin.

     

    But, is the communication between wireless controller and Radius server in clear text?



  • 11.  RE: Captive Portal uses PAP instead of PEAP for Radius?

    EMPLOYEE
    Posted Jul 04, 2014 10:48 AM
    No. It is encrypted with the radius server's key. That is why it is important to have a long and secure key.