• November 23, 2020, 05:18:11 PM

Author Topic: Active Directory authentication without PAP and cleartext passwords  (Read 5323 times)


Offline PaulN

  • Rookie
  • **
  • Posts: 6
Has anyone found a way to authenticate WiFi users against Active Directory without requiring "reversible encryption" for AD user passwords?  Microsoft considers that equivalent to storing passwords in clear text. 

The official HOWTO for AD Auth uses LDAP authentication with PAP, which requires reversible encryption.  MSCHAPv2 support is said to be planned for WiNG 5.5, but if Moto sells off the division, will anyone see it?

Googling motorola "ad agent" brings up an (unreleased draft?) white paper from 2008 suggesting someone considered giving the controller direct access to AD using PEAP and MSCHAPv2.  Apparently never shipped(?)

We have RFS6000 on 5.3.1 and AP7131s.  All ideas and hints will be gratefully welcomed!

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3842
Re: Active Directory authentication without PAP and cleartext passwords
« Reply #1 on: November 05, 2013, 08:42:45 PM »
Hi PaulN and welcome to the forums!

You are referring to leveraging Windows 2003 Internet Authentication Server or Windows 2008 Network Policy Server for RADIUS authentication?

I believe it's still a requirement... I believe the passwords are still hashed but the hash strength is relatively weak. I would look at it like this... regardless of the hash strength, if they have weeks of time they are probably going to find a large number of hashes. Your best effort is to secure your domain controllers and restrict domain admin access.

We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline Harry

  • Rookie
  • **
  • Posts: 11
Re: Active Directory authentication without PAP and cleartext passwords
« Reply #2 on: January 23, 2014, 10:07:02 PM »
@ McNamara,

How about Windows Server 2012 Datacenter edition, with AD and RADIUS on separate servers?
Does MSCHAPv2 work when authenticating through the controller?

If we use only AD, RADIUS and an AP8232, without a controller, is there a configuration in which a laptop client can connect to the wireless AP8232?

AD: for user&groups only
Radius: for authentication (certificate)
AP8232: just pass through.

Thanks for the fast reply.

Offline PaulN

  • Rookie
  • **
  • Posts: 6
Re: YES! Active Directory authentication without PAP and cleartext passwords
« Reply #3 on: February 04, 2014, 12:10:25 PM »
Thanks Michael for your reply and these forums.  After much Googling and trial/error, with RFS 6000, WiNG 5.3.1 and AP7131, we can authenticate reliably and securely against Active Directory, using 802.1x, WPA2, PEAP and MS-CHAPv2.  We run Microsoft's Network Policy Server (NPS) on a Windows 2008 R2 Enterprise Server domain controller.  Enterprise edition is required on the domain Certificate Authority server, which for us runs Windows 2003.

Some of our RFS config (sanitized):

aaa-policy AD\ NPS\ RADIUS
 authentication server 1 host IPofNPSserver secret 0 LongSecretGeneratedByMicrosoft
 authentication server 1 proxy-mode through-controller

wlan Test1X
 ssid Test1X
 vlan 1
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 no client-client-communication
 wireless-client reauthentication 3600
 wpa-wpa2 psk 0 ThisKeyIsNotUsed
 wpa-wpa2 exclude-wpa2-tkip
 data-rates 2.4GHz gn
 no motorola-extensions symbol-load-information
 use wlan-qos-policy Our\ QoS\ Policy
 use aaa-policy AD\ NPS\ RADIUS

Here's what finally got it working for us on the Microsoft side:

On domain Certificate Authority use MMC to modify Certificate Template for Domain Controller Authentication selecting Subject to be DNS Entry instead of none (the default).  This requires Enterprise edition, at least in Windows 2003.

Then on the NPS server that's a DC do gpupdate /force. Start MMC and add the Certificates snap-in, choosing to "always manage certificates for" Computer Account (NOT user or service).   Start new snap-in labeled Certificate (Local Computer).  Find the local cert that uses the template Domain Controller Authentication and reissue it with new key (?).  We requested a new cert and deleted old.

Then in NPS under Network Policy, edit your defined policy.  Uncheck all authorization methods below the listbox which shows Protected EAP (PEAP).  Then edit Protected EAP and accept defaults (not sure if this step is necessary). Choose OK on policy edit.
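The procedure in the reply above comes down to three things on the Microsoft side: no account should still need reversible encryption (PAP needed it; PEAP with MS-CHAPv2 only needs the NT hash that AD already stores), the NPS server must hold a Server Authentication certificate whose DNS name is the FQDN the supplicants trust (the "Subject = DNS Entry" template change), and the controller must be registered as a RADIUS client with the same secret as the aaa-policy. The script below is an added example to check those three points from the NPS server; it is not from PaulN's post nor from Motorola or Microsoft documentation. It assumes PowerShell 3.0 or later with the ActiveDirectory and NPS modules (Windows Server 2012 or later; on 2008 R2 use netsh nps add client instead of New-NpsRadiusClient), and the controller address and shared secret are hypothetical placeholders.

```powershell
<#
  Pre-flight checks for PEAP/MS-CHAPv2 against NPS, run on the NPS server
  (a domain controller in the setup described in the thread).
  Added example, not the thread's own configuration.

  Assumptions (not in the original post):
    - PowerShell 3.0+ with the ActiveDirectory and NPS modules (Server 2012+).
      On 2008 R2 replace New-NpsRadiusClient with
      "netsh nps add client name=... address=... sharedsecret=...".
    - $ControllerIp and $SharedSecret are placeholders; the secret must match
      "authentication server 1 host ... secret 0 ..." in the RFS aaa-policy.
#>
Import-Module ActiveDirectory
Import-Module NPS

$NpsFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ControllerName = 'RFS6000'
$ControllerIp   = '10.0.0.5'                          # hypothetical address
$SharedSecret   = 'LongSecretGeneratedByMicrosoft'    # placeholder

# 1. Reversible encryption. PAP over LDAP needs the cleartext password; MS-CHAPv2
#    only needs the NT hash, so once PAP is retired nothing should be flagged.
#    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED is bit 0x80 (128) of userAccountControl;
#    the OID below is the LDAP bitwise-AND matching rule.
if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) {
    Write-Warning 'Default Domain Policy still stores passwords with reversible encryption'
}
$Flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)'
foreach ($u in $Flagged) {
    Write-Warning ("{0} still allows reversible encryption" -f $u.SamAccountName)
    # Clearing the flag only stops future storage; the cleartext already held on the
    # DC is replaced when the user next changes the password.
    # Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false
}

# 2. Server certificate. Supplicants validate the NPS certificate, so it needs the
#    Server Authentication EKU, a private key, and a DNS name equal to the FQDN.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$DnsNameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) -and
        ($_.GetNameInfo($DnsNameType, $false) -eq $NpsFqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($null -eq $Cert) {
    Write-Warning "No usable PEAP server certificate for $NpsFqdn in LocalMachine\My"
} else {
    "PEAP server certificate: {0} (expires {1})" -f $Cert.Thumbprint, $Cert.NotAfter
}

# 3. RADIUS client for the controller. With "proxy-mode through-controller" the RFS,
#    not the individual APs, is the NAS that NPS sees, so only it needs an entry.
$Existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $ControllerName }
if ($null -eq $Existing) {
    New-NpsRadiusClient -Name $ControllerName -Address $ControllerIp -SharedSecret $SharedSecret
}

# 4. Dump the policy so the EAP settings can be checked by eye: PEAP should be the
#    only EAP type and MS-CHAPv2 the only inner method. The export contains the
#    RADIUS shared secrets in cleartext, so remove it once read.
$Export = Join-Path $env:TEMP 'nps-config.xml'
Export-NpsConfiguration -Path $Export
Select-String -Path $Export -Pattern 'Eap' | Select-Object -ExpandProperty Line
Remove-Item $Export -Force
```

Run it as a domain admin on the NPS host after the certificate template change and gpupdate; step 2 is the one that most often fails, since a Domain Controller certificate issued with the default (empty) subject passes the EKU test but not the DNS name test, which is exactly the symptom the reply above fixed by reissuing the certificate.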