Switches, Hubs, and Modems
1748161 Members
3839 Online
108758 Solutions
New Discussion юеВ

Re: trying to use webauth with a secure Active Directory

 
Bruce Campbell_3
Valued Contributor

trying to use webauth with a secure Active Directory


We attempted to get webauth to work at our
site, on a 2650, using both a unix radius
server, and Active Directory radius server.

It does not work for us, it seems to
want reversibly encrypted passwords on
the server. (That would be a non starter
at our site.)

The error, on Windows, is:

>Reason = The user could not be authenticated >using Challenge Handshake Authentication >Protocol (CHAP). A reversibly encrypted >password does not exist for this user account. >To ensure that reversibly encrypted passwords >are enabled, check either the domain password >policy or the password settings on the user >account.

While on a simple unix radius server, it just
says that the radius packet does not contain
the password.

Is there any way to get this to work with
either a unix server running any radius
server, or with AD running any radius server ?

By the way, here is our switch config
fragment:

radius-server host a.b.c.d key testing
aaa port-access web-based 47
aaa port-access web-based 47 redirect-url "http://www.google.com"

It shows the web login page fine, just doesn't
allow login.


Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
7 REPLIES 7
Mohieddin Kharnoub
Honored Contributor

Re: trying to use webauth with a secure Active Directory

Hi

You have configured the basic commands that the WEB auth. needs to work.

I suggest you to test authentication with some test users you create on the RADIUS, not on the active directory.

Good Luck !!!
Science for Everyone
Bruce Campbell_3
Valued Contributor

Re: trying to use webauth with a secure Active Directory


We have RADIUS working fine with 802.1x port
authentication, and also fine with
telnet/console access. 802.1x only works
with eap-radius, in our environment
with irreversible password encryption.

What doesn't work is web auth, it seems
to require chap radius only.
Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
Mohieddin Kharnoub
Honored Contributor

Re: trying to use webauth with a secure Active Directory

And your RADIUS server that is configured in your first post is EAP one or CHAP?

Can you run: show authentication.
Science for Everyone
Bruce Campbell_3
Valued Contributor

Re: trying to use webauth with a secure Active Directory


eap for 802.1x (when 802.1x was tested
with chap, it didn't work, as passwords
are irreversibly encrypted in AD).

chap for webauth. (webauth only supports
chap).



show auth

Status and Counters - Authentication Information

Login Attempts : 3
Respect Privilege : Disabled

| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Local None Local None
Telnet | Local None Local None
Port-Access | EapRadius
Webui | Local None Local None
SSH | Local None Local None
Web-Auth | ChapRadius
MAC-Auth | ChapRadius

Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
Mohieddin Kharnoub
Honored Contributor

Re: trying to use webauth with a secure Active Directory

Hi

Typically, MD5 is used as the CHAP one-way hash function; the shared secrets are required to be
stored in plaintext form.
Microsoft has a variation of CHAP (MS-CHAP), in which the password is stored encrypted in both the peer and the authenticator.

Therefore, MS-CHAP can take advantage of
irreversibly encrypted password databases commonly available, whereas the standards-based CHAP cannot.

Good Luck !!!
Science for Everyone
Bruce Campbell_3
Valued Contributor

Re: trying to use webauth with a secure Active Directory


Procurve support has submitted a Customer
Enhancement Request on my behalf,
to support either MS-CHAP, or plain
RADIUS, for webauth.

Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
Jeff Carrell
Honored Contributor

Re: trying to use webauth with a secure Active Directory

check out 5400 code version K.12.23+ for peap-mschapv2 support on web-auth...

this may solve your problem...

hth...jeff