Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PWD: "failed to find password" ClearPass 6.5

  • 1.  EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Mar 03, 2015 09:04 AM

    After upgrading to ClearPass 6.5, we are interested in the EAP-PWD method.

    We have tested this method with FreeRADIUS 3.0 without problems.

    Maybe there is a problem in ClearPass 6.5 with the format (NThash, PasswordHashHash) of the password attribute?

     

    Any suggestions to solve the problem?

     

    Thanks in advance,

    Toni Pérez

     

    -------------------------------------------------------------------------

     

    Our Problem:
    -------------------------------------------------------------------------

    We have tested local users and LDAP users with the same problem in Access Tracker:

     

    • EAP-PWD: User-Password not available
      EAP-PWD: Cannot retrieve User Password

    Analyzing logs in debug mode for a local user:

    • DEBUG RadiusServer.Radius - rlm_sql (auth_local_db): User toniperez found
      INFO RadiusServer.Radius - rlm_sql: found user toniperez in Local:localhost
      DEBUG RadiusServer.Radius - rlm_eap: processing type pwd instance [EAP PWD]
      DEBUG RadiusServer.Radius - The request contains following persistent config items
      DEBUG RadiusServer.Radius - Crypt-Password = <REMOVED>
      DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
      DEBUG RadiusServer.Radius - Persisted-User-Name = "toniperez"
      DEBUG RadiusServer.Radius - Authentication-Source = "Local:localhost"
      DEBUG RadiusServer.Radius - rlm_eap_pwd: eap_pwd_authenticate peer id - toniperez
      DEBUG RadiusServer.Radius - rlm_eap_pwd: request user name toniperez, peer id toniperez
      DEBUG RadiusServer.Radius - Crypt-Password = <REMOVED>
      DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
      DEBUG RadiusServer.Radius - Persisted-User-Name = "toniperez"
      DEBUG RadiusServer.Radius - Authentication-Source = "Local:localhost"
      DEBUG RadiusServer.Radius - Authentication-Source-Name = "[Local User Repository]"
      DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
      ERROR RadiusServer.Radius - failed to find password for toniperez to do pwd authentication

    Analyzing logs in debug mode for an LDAP user with NT-Hash attribute:

    • DEBUG RadiusServer.Radius - rlm_ldap: Retrieved NT-Password
      INFO RadiusServer.Radius - rlm_ldap: found user abc123 in Ldap:ldap.domain.com
      DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
      DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
      DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
      ERROR RadiusServer.Radius - failed to find password for abc123 to do pwd authentication

     



  • 2.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Mar 03, 2015 11:03 AM

    Hi Toni,

     

      I'm glad you're interested in EAP-pwd. Sorry you're running into a problem. If it's the same client interoperating with FreeRADIUS fine and not interoperating with ClearPass that seems to point to ClearPass.

     

      Is it possible for you to try using a plaintext password? If that works with ClearPass it will narrow down the issue. 

     

      thanks and regards,

     

      Dan.

     



  • 3.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Mar 03, 2015 12:33 PM

    Hi Dan,

     

    I don't know how to create a local user in ClearPass with a Clear-Text-Password attribute in the DB (like I do in the users file in FreeRADIUS).

    I will try a new LDAP attribute with Clear-Text-Password instead of the NT-Hash attribute. I will let you know tomorrow if it works.

    On my LDAP server, all user passwords are stored as NT-Hash = MD4(Clear-Text-Password) for PEAP-MSCHAPv2 support.

    I understand from https://tools.ietf.org/html/draft-harkins-emu-eap-pwd-14#section-2.7.2 that the supported passwords for EAP-PWD are:

    • Clear-Text
    • PasswordHashHash= MD4(MD4(Clear-Text-Password))= MD4(NT-Hash)

     

    Best regards,

    Toni Pérez



  • 4.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Mar 04, 2015 07:17 AM

    Hi,

     

    I have changed the password attribute in our LDAP to a ClearText value and changed the Authentication-Source-LDAP password type to ClearText, and it works fine.

     

    • LDAP Cleartext attribute:
      DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
      DEBUG RadiusServer.Radius - User-Password = <REMOVED>
      DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
      INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    • LDAP NT-Hash attribute:
      DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
      DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
      DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
      ERROR RadiusServer.Radius - failed to find password for abc123 to do pwd authentication
      DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 153071

    Regards,

    Toni Pérez
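
A small triage script for the two log excerpts in the post above, added here as an example (not part of the original thread and not an Aruba tool): it reports which password attributes the authentication source returned for an EAP-pwd request and whether `User-Password` was among them. The function name `triage` and the wording of its findings are assumptions; the log lines are copied from the thread.

```python
import re

LINE = re.compile(r"^(DEBUG|INFO|ERROR) \S+ - (.*)$")
PAIR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")
FAIL = re.compile(r"failed to find password for (\S+) to do pwd authentication")
HASHED = {"NT-Password", "Crypt-Password"}   # hashed forms seen in the thread's logs

def triage(lines):
    """Summarise one request's RadiusServer debug lines for an EAP-pwd lookup."""
    attrs, failed_for, accepted = {}, None, False
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        pair = PAIR.match(msg)
        if pair:
            attrs[pair.group(1)] = pair.group(2).strip('"')
        fail = FAIL.search(msg)
        if fail:
            failed_for = fail.group(1)
        accepted = accepted or "EnfProfileAction=ACCEPT" in msg
    pw_attrs = sorted(k for k in attrs if k.endswith("-Password"))
    if attrs.get("Authentication-EAP-Method") != "pwd":
        finding = "not an EAP-pwd request"
    elif failed_for and "User-Password" not in attrs:
        hashed = [a for a in pw_attrs if a in HASHED]
        finding = ("only hashed attributes returned: " + ", ".join(hashed)
                   if hashed else "no password attribute returned")
    elif accepted:
        finding = "User-Password available, request accepted"
    else:
        finding = "no verdict in these lines"
    return {"user": attrs.get("Persisted-User-Name", failed_for),
            "password_attrs": pw_attrs, "finding": finding}

# Log lines copied from the thread (values already redacted there).
CLEARTEXT = """\
DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
DEBUG RadiusServer.Radius - User-Password = <REMOVED>
DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT""".splitlines()
NT_HASH = """\
DEBUG RadiusServer.Radius - Persisted-User-Name = "abc123"
DEBUG RadiusServer.Radius - NT-Password = <REMOVED>
DEBUG RadiusServer.Radius - Authentication-EAP-Method = "pwd"
ERROR RadiusServer.Radius - failed to find password for abc123 to do pwd authentication""".splitlines()

if __name__ == "__main__":
    print(triage(CLEARTEXT), triage(NT_HASH))
```
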



  • 5.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Mar 04, 2015 07:45 PM

     

      Hi Toni,

     

      Thanks for the info. Looks like we've been able to reproduce this ourselves.

    We will have an update shortly for you on a release in which this will be fixed.

     

      Thanks for your patience,

     

      Dan.

     



  • 6.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted Apr 29, 2015 05:36 AM

    Hi,

     

    We have upgraded to ClearPass 6.5.1 and have the same issue.

    EAP-PWD only finds the password in our LDAP with Password Type set to Clear-Text.

    Local User and LDAP with Password Type NT-Hash result in "User-Password not available".

     

    ClearPass authentication error:

           EAP-PWD: User-Password not available
           EAP-PWD: Cannot retrieve User Password

     

    Can you reproduce this issue with a Local User?

     

    Regards,

    Toni Pérez



  • 7.  RE: EAP-PWD: "failed to find password" ClearPass 6.5
    Best Answer

    Posted Jul 28, 2015 08:06 AM

     

    We have finally closed the case with Bug id #29771:

     

    The EAP-PWD supplicant and CPPM both do not support EAP-PWD authentication with passwords in NT-Hash format even though the RFC supports this. We may support this sometime in the future.

    In 6.5.1, user passwords are only stored in non-reversible hash format in [Local User Repository]. Because of this, EAP-PWD authentication will fail. In 6.5.2, an option has been added to store passwords in reversible hash format also. With this change, EAP-PWD authentication will work against [Local User Repository].

     



  • 8.  RE: EAP-PWD: "failed to find password" ClearPass 6.5

    Posted May 24, 2017 10:11 AM
    Hi,

    Any news on NThash support for EAP-pwd in ClearPass?

    Is there a roadmap to add salted password databases for EAP-pwd to ClearPass?
    https://tools.ietf.org/html/draft-harkins-salted-eap-pwd-08

    Support for salted EAP-pwd in the eduroamCAT supplicant?

    Best regards,
    Toni Pérez