Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PEAP/MsCHAPv2 External SQL hashed password

  • 1.  EAP-PEAP/MsCHAPv2 External SQL hashed password

    Posted Sep 20, 2017 10:27 AM

    Hi folks,
    We would like to use EAP-PEAP/MSCHAPv2 authentication on our wireless networks and implement a CPPM server. We have a legacy external PostgreSQL, but the users' passwords are stored in it only as SHA256 hashes. I made a query, but I get a REJECT message with a "user not found" description. But if I add a new user with a plain-text password, the authentication works well. Can anyone help me, how can I resolve this?

    Table structure:
    userid | username | password | ssid | created | modified
    Filter query: SELECT password AS User_Password, ssid AS SSID FROM Users WHERE username = '%{Authentication:Username}' AND ssid = LOWER('%{Radius:Aruba:Aruba-Essid-Name}');


  • 2.  RE: EAP-PEAP/MsCHAPv2 External SQL hashed password

    EMPLOYEE
    Posted Sep 20, 2017 10:29 AM
    The protocol does not allow this. You should look at EAP-TLS.


  • 3.  RE: EAP-PEAP/MsCHAPv2 External SQL hashed password

    Posted Sep 22, 2017 02:31 AM

    Hi Tim,
    Thanks for your quick answer. Can you explain a little bit deeper? I don't understand why.


  • 4.  RE: EAP-PEAP/MsCHAPv2 External SQL hashed password
    Best Answer

    EMPLOYEE
    Posted Sep 27, 2017 10:31 AM

    In order to perform MSCHAPv2 authentication, you need access to the NT-Hash of the password, which is a specific hash type.
    So you need either the NT-Hash of the password in your database, with ClearPass given access to it, or the unencrypted version of the password available so ClearPass can calculate the hash itself.
    Please note that MSCHAPv2 is considered 'cracked' and no longer secure, and it should not be used unless you have full control over the client, as in an AD environment.


  • 5.  RE: EAP-PEAP/MsCHAPv2 External SQL hashed password

    EMPLOYEE
    Posted Sep 27, 2017 10:39 AM
    tl;dr, stop using PEAP ☺


  • 6.  RE: EAP-PEAP/MsCHAPv2 External SQL hashed password

    Posted Oct 05, 2017 09:03 AM

    Thanks, guys! It is clear to me now.