Wireless Access

Occasional Contributor I

AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

So I have a WPA2 Enterprise network set up. The APs connect to two Windows 2012 R2 servers running NPS. The RADIUS policy on these servers grants access to workstations that belong to a specific AD group, and only PEAP is enabled.


My question is, what information does the workstation pass to the AP to authenticate against AD via RADIUS, and how is this information secured?
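As an added illustration of the exchange being asked about (example code written for this page, not part of the original post): the workstation speaks EAP over 802.1X to the AP, and the AP re-wraps each EAP frame into a RADIUS Access-Request for NPS. The script below builds such a request for the first frame, EAP-Response/Identity, shows what the AP and the RADIUS server see in cleartext (the outer identity in User-Name), reassembles fragmented EAP-Message attributes, and verifies the Message-Authenticator that binds the AP-to-NPS leg to their shared secret (RFC 2865, RFC 3579). With PEAP every frame after this one is TLS carried inside EAP-Message, so the inner MSCHAPv2 exchange is opaque to the AP; the AP-to-RADIUS leg itself is protected only by that shared secret. The shared secret, NAS address and identity are constructed values.

```python
"""Build and inspect a RADIUS Access-Request carrying EAP-Response/Identity (RFC 2865, RFC 3579).
Added example for this forum thread; all secrets, addresses and identities are constructed."""
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP constants (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity frame: Code, Identifier, Length, Type, Type-Data (the outer identity)."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes((attr_type, len(value) + 2)) + value


def build_access_request(secret: bytes, identity: bytes, nas_ip: str, eap_payload: bytes,
                         pkt_id: int = 1, authenticator: bytes = b"") -> bytes:
    """Wrap the client's EAP frame into the Access-Request the NAS (AP) sends to the RADIUS server.

    Message-Authenticator is mandatory when EAP-Message is present (RFC 3579): HMAC-MD5 keyed with
    the NAS/server shared secret over the whole packet with the attribute's own value zeroed.
    """
    authenticator = authenticator or os.urandom(16)            # Request Authenticator: 16 random octets
    attrs = _attr(ATTR_USER_NAME, identity)                    # outer identity, cleartext on the wire
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for off in range(0, len(eap_payload), 253):                # EAP frames are fragmented at 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap_payload[off:off + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))      # zero placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                                  # placeholder is the last 16 octets


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value), ...] from a RADIUS packet, rejecting inconsistent length fields."""
    _code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed; constant-time compare."""
    pos = 20
    while pos + 1 < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False  # RFC 3579: EAP-Message without Message-Authenticator must be discarded


def what_the_relay_sees(packet: bytes) -> dict:
    """Cleartext visible to the AP and RADIUS server: the outer identity and the reassembled EAP frame."""
    attrs = parse_attrs(packet)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    user = next(v for t, v in attrs if t == ATTR_USER_NAME)
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    return {"user_name": user.decode(), "eap_code": code, "eap_type": eap_type,
            "eap_identity": eap[5:eap_len].decode() if eap_type == EAP_TYPE_IDENTITY else None}


def demo() -> dict:
    secret = b"constructed-shared-secret"                      # constructed AP/NPS shared secret
    identity = b"host/ws01.corp.example"                       # constructed outer (machine) identity
    eap = eap_response_identity(1, identity)
    pkt = build_access_request(secret, identity, "192.0.2.10", eap, authenticator=bytes(range(16)))
    tampered = pkt[:22] + b"X" + pkt[23:]                      # flip one octet inside User-Name
    return {"seen": what_the_relay_sees(pkt),
            "valid": verify_message_authenticator(secret, pkt),
            "tampered_valid": verify_message_authenticator(secret, tampered),
            "wrong_secret_valid": verify_message_authenticator(b"other-secret", pkt)}


if __name__ == "__main__":
    print(demo())
```

The two failing checks in `demo()` are the point of the AP-to-NPS leg: any change to the relayed packet, or a NAS that does not hold the configured shared secret, is rejected by the RADIUS server before the EAP payload is even looked at.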

Guru Elite

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

PEAP (and other legacy EAP methods) should be avoided at all costs as there is a high risk for MITM on devices that are not configured correctly.


To directly answer your question, the inner method (EAP-MSCHAPv2) uses the NTLMv1 hash in a challenge/response between the supplicant (client) and EAP server.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

You say EAP-MSCHAPv2 is used, but I don't have that enabled in NPS. The wording of the available options makes me think PEAP is the most secure option?

[Image: peap.jpg]


So what is the more secure way to configure the NPS on the 2012 server? The other two options are Microsoft Smart Card or Other certificate, or Microsoft Secured password (EAP-MSCHAP v2).

Occasional Contributor I

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

I dug a little deeper, and found what you're referring to - EAP-MSCHAP v2 is set within the PEAP settings.

[Image: peap2.png]

My other question stands - what's a better (best) way to configure this?

Cheers

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

I recorded this video on this topic (PEAP/MSCHAPv2). It explains what the problem is and why you should avoid it whenever possible, and think twice in case you can't avoid it.


In summary: Only deploy these legacy methods if you either don't care about security or losing user credentials, or if you have 100% control over the end-user device. As this strict client control is seldom the case, move to EAP-TLS (or PEAP with certificates) if you need a secure solution.


Unfortunately, I don't have a guide on how to set this up with NPS, but I have done this once in the past and didn't run into big issues as far as I can remember. The biggest challenge in most deployments is how to get certificates enrolled to the clients, and how to get the clients configured. In a Windows environment there are tools available with group policies and the Windows Certificate Services. For other devices like BYOD you might need to have a look at MDM solutions or ClearPass Onboard.


--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Guru Elite

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

Use EAP-TLS.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: AD-Auth via Radius - What does the client pass to the AP, and how is it secured?

Thanks for posting the video - that was very informative :-)


I'm using this for domain laptops, so I've set a group policy that ensures certificates are verified and that users can't accept cert changes, so as far as PEAP goes it's secure. But I'll research EAP-TLS and PEAP with certs and implement whichever is most secure.


Thanks again for the informative post.
