HPE Community
Switches, Hubs, and Modems
1752777 Members
6173 Online
108789 Solutions
New Discussion юеВ

peap-mschapv2 on web authentication

 
procurvenewbee
Frequent Advisor

тАО10-09-2008 08:56 PM

тАО10-09-2008 08:56 PM

peap-mschapv2 on web authentication

How does peap-mschapv2 work on an endpoint via web browser for web authentication to switch?

Traditionally we will need to set up supplicant / client to use an authentication protocol to forward / hash / encapsulate credentials to the authenticator in switch. In this case, there is nothing set up, so how will client (in this case internet explorer) knows that it has to use machapv2 as inside protocol and peap as outside tunnel as this is not the case of 802.1x configured supplicant.

Yes the switch in this case will send a challenge to client, when client tries to open a browser and present a window on a webpage to supply the credentials, but still the sent credentials will need to be in mschapv2 format ( both way authentication).

Doing a reserch on google does not come up with anything (other than a couple procurve references) on use of mschapv2 or peap-mschapv2 for web page authentication. Procurve documentation is not helpful as it does not explain how is a browser client supposed to use peap-mschapv2.

Any feedback will be appreciated.

Thanks
0 Kudos
5 REPLIES 5
Matt Hobbs
Honored Contributor

тАО10-13-2008 05:27 AM

тАО10-13-2008 05:27 AM

Re: peap-mschapv2 on web authentication

I thought the manual was quite good.

http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-4-WebMacAuth.pdf

Basically, your web browser can use either unencrypted HTTP, or encrypted HTTPS between the client and the switch.

The peap-mschapv2 part is for the connection between the switch and the RADIUS server.

0 Kudos
procurvenewbee
Frequent Advisor

тАО10-13-2008 11:49 AM

тАО10-13-2008 11:49 AM

Re: peap-mschapv2 on web authentication

Thanks Matt. I did figure out this after further thinking more about this, but still could not understand the use of PEAP between NAS and the Radius server. MSChapv2 to enable against clear text transfer of credentials but what will be the use of Peap here.

0 Kudos
Matt Hobbs
Honored Contributor

тАО10-14-2008 04:48 AM

тАО10-14-2008 04:48 AM

Re: peap-mschapv2 on web authentication

The main advantage with using peap-mschapv2 for web-auth is that you don't have to enable reversible encryption on all your user accounts (which is what you previously needed to do when only CHAP was an option).
0 Kudos
procurvenewbee
Frequent Advisor

тАО10-14-2008 05:36 PM

тАО10-14-2008 05:36 PM

Re: peap-mschapv2 on web authentication

Really?

I thought CHAP or any variation of CHAP (mschap v2) will still require radius to retrieve password from say AD (which will normally store password as one way hashed MD5/ irrersible and that will fail for chap as it requires clear or reversible encryption storage) to be able to hash it with challenge received from NAS/Switch and then compared two hashes. How does mschap with peap tunneling get away with requirement of not requiring passwords to be stored on AD with reversible encryption?

Thanks
0 Kudos
Matt Hobbs
Honored Contributor

тАО10-15-2008 04:16 AM

тАО10-15-2008 04:16 AM

Re: peap-mschapv2 on web authentication

It's PEAP!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.