WAP321 captive portal with RADIUS authentication

Unanswered Question
Nov 20th, 2013

Hi there,


I have to set up a WAP321 with captive portal and RADIUS authentication against a Microsoft NPS.

Unfortunately, the NPS gives me the error that the EAP type is not correct.

Can anyone tell me what type of EAP the WAP321 uses?


Thanks

Andreas Koch

achim.kong Wed, 05/11/2016 - 10:39

I had this problem too and found out via Wireshark Capture that MD5 EAP Type is being used. This is odd as the regular WPA2-Enterprise RADIUS uses EAP-PEAP while the Captive Portal Uses EAP-MD5, a relatively insecure protocol to be using for this purpose.

Nonetheless, I am authenticating against NPS Service in Windows Server 2012 R2, and in order to get MD5-Challenge to appear as an option for Authentication Method in your Network Policy, you must add this feature back into the Windows Registry and restart the NPS Service.

After this is done, you must enable "Store Password Using Reversible Encryption" on the Active Directory user account you are going to be using for the Captive Portal, and then reset the password (even if you are going to be using the same password) to allow Active Directory to regenerate a new hash that allows for reversible encryption; otherwise you will get either "IAS_AUTH_FAILURE" or "No reversibly encrypted password is stored for the user account".

After all this is done, you should be able to log in via your Domain Credentials and get an "IAS_SUCCESS" in your log.

Here is the registry key that must be imported to enable EAP-MD5 in Windows NPS. Simply copy and paste into Notepad and save it as a .REG file.

Note: This has only been tested on Windows Server 2012 R2.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\4]
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
  61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001
"RolesSupported"=dword:0000000a

Disclaimer: Enabling EAP-MD5 is not recommended in a production environment due to security weaknesses.


===============

Best regards

Achim
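
Added example (not part of the post above, and not Cisco or Microsoft code): a sketch of the EAP MD5-Challenge check from RFC 3748 (EAP type 4, the same number as the `...\PPP\EAP\4` key), showing why the RADIUS server needs the recoverable password and cannot verify the response from a one-way hash. The sample password, challenge, user name and the SHA-256 stand-in for a stored one-way hash are constructed, and the password is assumed to be sent as plain bytes.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 type number, same as the ...\PPP\EAP\4 key


def build_md5_packet(code, identifier, value, name=b""):
    # Code, Identifier, Length (whole packet), Type, Value-Size, Value, Name
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_packet(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet):
        raise ValueError("bad EAP Length field")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"EAP type {packet[4]} is not MD5-Challenge")
    end = 6 + packet[5]  # packet[5] is Value-Size
    if end > length:
        raise ValueError("Value-Size runs past the packet")
    return code, identifier, packet[6:end], packet[end:length]


def md5_response(identifier, password, challenge):
    """CHAP-style digest: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(request, response, stored_secret):
    """Recompute the digest from whatever secret the server has stored."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, stored_secret, challenge)
    return hmac.compare_digest(value, expected)


def demo():
    """Constructed exchange: verify with the password, then with a one-way hash."""
    password, challenge = b"Example-Passw0rd", bytes(range(16))  # constructed
    request = build_md5_packet(EAP_REQUEST, 1, challenge)
    answer = md5_response(1, password, challenge)
    response = build_md5_packet(EAP_RESPONSE, 1, answer, b"captive-user")
    one_way = hashlib.sha256(password).digest()  # stand-in for a stored hash
    return (server_verify(request, response, password),
            server_verify(request, response, one_way))
```

`demo()` returns `(True, False)`: the server can only confirm the response when it holds the password itself, which is the reason for the "Store Password Using Reversible Encryption" requirement.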
