topic Re: trying to use webauth with a secure Active Directory in Switches, Hubs, and Modems

trying to use webauth with a secure Active Directory

Bruce Campbell_3 — Fri, 23 Feb 2007 09:20:44 GMT

We attempted to get webauth to work at our
site, on a 2650, using both a unix radius
server, and Active Directory radius server.

It does not work for us, it seems to
want reversibly encrypted passwords on
the server. (That would be a non starter
at our site.)

The error, on Windows, is:

>Reason = The user could not be authenticated >using Challenge Handshake Authentication >Protocol (CHAP). A reversibly encrypted >password does not exist for this user account. >To ensure that reversibly encrypted passwords >are enabled, check either the domain password >policy or the password settings on the user >account.

While on a simple unix radius server, it just
says that the radius packet does not contain
the password.

Is there any way to get this to work with
either a unix server running any radius
server, or with AD running any radius server ?

By the way, here is our switch config
fragment:

radius-server host a.b.c.d key testing
aaa port-access web-based 47
aaa port-access web-based 47 redirect-url "http://www.google.com"

It shows the web login page fine, just doesn't
allow login.

Re: trying to use webauth with a secure Active Directory

Mohieddin Kharnoub — Fri, 23 Feb 2007 13:18:09 GMT

Hi

You have configured the basic commands that the WEB auth. needs to work.

I suggest you to test authentication with some test users you create on the RADIUS, not on the active directory.

Good Luck !!!

Re: trying to use webauth with a secure Active Directory

Bruce Campbell_3 — Fri, 23 Feb 2007 13:25:11 GMT

We have RADIUS working fine with 802.1x port
authentication, and also fine with
telnet/console access. 802.1x only works
with eap-radius, in our environment
with irreversible password encryption.

What doesn't work is web auth, it seems
to require chap radius only.

Re: trying to use webauth with a secure Active Directory

Mohieddin Kharnoub — Fri, 23 Feb 2007 13:34:09 GMT

And your RADIUS server that is configured in your first post is EAP one or CHAP?

Can you run: show authentication.

Re: trying to use webauth with a secure Active Directory

Bruce Campbell_3 — Fri, 23 Feb 2007 13:42:30 GMT

eap for 802.1x (when 802.1x was tested
with chap, it didn't work, as passwords
are irreversibly encrypted in AD).

chap for webauth. (webauth only supports
chap).

show auth

Status and Counters - Authentication Information

Login Attempts : 3
Respect Privilege : Disabled

| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Local None Local None
Telnet | Local None Local None
Port-Access | EapRadius
Webui | Local None Local None
SSH | Local None Local None
Web-Auth | ChapRadius
MAC-Auth | ChapRadius

Re: trying to use webauth with a secure Active Directory

Mohieddin Kharnoub — Fri, 23 Feb 2007 14:09:57 GMT

Hi

Typically, MD5 is used as the CHAP one-way hash function; the shared secrets are required to be
stored in plaintext form.
Microsoft has a variation of CHAP (MS-CHAP), in which the password is stored encrypted in both the peer and the authenticator.

Therefore, MS-CHAP can take advantage of
irreversibly encrypted password databases commonly available, whereas the standards-based CHAP cannot.

Good Luck !!!

Re: trying to use webauth with a secure Active Directory

Bruce Campbell_3 — Mon, 26 Feb 2007 19:02:39 GMT

Procurve support has submitted a Customer
Enhancement Request on my behalf,
to support either MS-CHAP, or plain
RADIUS, for webauth.

Re: trying to use webauth with a secure Active Directory

Jeff Carrell — Wed, 28 Nov 2007 14:36:13 GMT

check out 5400 code version K.12.23+ for peap-mschapv2 support on web-auth...

this may solve your problem...

hth...jeff