Security

Hi,

How can I use PEAP while connecting VIA VPN? I found lots of EAP-TLS but could not find EAP-PEAP details. Can anybody knows how to configure controller (8.X) for PEAP.  I am using freeradius 3.x. I have tested the freeradius with PEAP-Mschapv2. It is working.


IKEv2 passthrough EAP-PEAP and EAP-MSCHAPV2 is checked. But freeraius complain about "client sends MSCHAPV2 EAP type". I do not want to use MSCHAPv2 at outer EAP.

Thanks in advance.

Error Message:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
(2) eap: ERROR: No mutually acceptable types found

Hi,

To reply myself. I could not find any evidence about APP client support for EAP-PEAP. EAP-MSCHAPv2 is worked. I do not know how PASSTHROUGH working if client is not supporting PEAP.

If you know or find any referances please write.

Thanks in advance.
Original Message:
Sent: Dec 07, 2022 05:20 AM
From: husnu demir
Subject: Aruba VIA VPN Client - PEAP Support

Hi,

How can I use PEAP while connecting VIA VPN? I found lots of EAP-TLS but could not find EAP-PEAP details. Can anybody knows how to configure controller (8.X) for PEAP.  I am using freeradius 3.x. I have tested the freeradius with PEAP-Mschapv2. It is working.


IKEv2 passthrough EAP-PEAP and EAP-MSCHAPV2 is checked. But freeraius complain about "client sends MSCHAPV2 EAP type". I do not want to use MSCHAPv2 at outer EAP.

Thanks in advance.

Error Message:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
(2) eap: ERROR: No mutually acceptable types found

Please be informed that MSCHAPv2 is broken technology and should be avoided whenever possible. See Microsoft advice. EAP-TLS is the approriate replacement. I'm not sure if VIA supports PEAP authentication at all.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 07, 2022 05:20 AM
From: husnu demir
Subject: Aruba VIA VPN Client - PEAP Support

Hi,

How can I use PEAP while connecting VIA VPN? I found lots of EAP-TLS but could not find EAP-PEAP details. Can anybody knows how to configure controller (8.X) for PEAP.  I am using freeradius 3.x. I have tested the freeradius with PEAP-Mschapv2. It is working.


IKEv2 passthrough EAP-PEAP and EAP-MSCHAPV2 is checked. But freeraius complain about "client sends MSCHAPV2 EAP type". I do not want to use MSCHAPv2 at outer EAP.

Thanks in advance.

Error Message:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
(2) eap: ERROR: No mutually acceptable types found

Hi,

Thanks for responce. No problem to use with MSCHAPv2 but be sure we will move to TLS asap. 

When I saw PEAP passthrough, I thought that it would be possible but could not find from the controllers' config details. Aruba is good for overall configuration details and docs but not good for VIA docs.

I have problems with MS Windows 11 22H2 so decided to go with new configs, then we are here. MS prevent most of the unreliable protocols (SHA, MD5, vs) and changed how security is implemented in their OS. They caused some trouble. We are dealing with that. We found that IKEv2 worked (somehow) but as you know IKEv2 is not working with PAP in EAP. Perhapes it is time to go with CERTs.

Thanks in advance.

Original Message:
Sent: Dec 08, 2022 08:08 AM
From: Herman Robers
Subject: Aruba VIA VPN Client - PEAP Support

Please be informed that MSCHAPv2 is broken technology and should be avoided whenever possible. See Microsoft advice. EAP-TLS is the approriate replacement. I'm not sure if VIA supports PEAP authentication at all.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 07, 2022 05:20 AM
From: husnu demir
Subject: Aruba VIA VPN Client - PEAP Support

Hi,

How can I use PEAP while connecting VIA VPN? I found lots of EAP-TLS but could not find EAP-PEAP details. Can anybody knows how to configure controller (8.X) for PEAP.  I am using freeradius 3.x. I have tested the freeradius with PEAP-Mschapv2. It is working.


IKEv2 passthrough EAP-PEAP and EAP-MSCHAPV2 is checked. But freeraius complain about "client sends MSCHAPV2 EAP type". I do not want to use MSCHAPv2 at outer EAP.

Thanks in advance.

Error Message:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping...
(2) eap: ERROR: No mutually acceptable types found