Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

WAP321 captive portal with radius authentcation

Hi there,

i have to set up a WAP321 with captive portal and radius-authentication against a microsoft nps.

Unfortunately the nps gives me the error, that the eap-type is not correct.

Can anyone tell me what type of eap the WAP321 uses?


Andreas Koch

Community Member

I had this problem too and

I had this problem too and found out via Wireshark Capture that MD5 EAP Type is being used. This is odd as the regular WPA2-Enterprise RADIUS uses EAP-PEAP while the Captive Portal Uses EAP-MD5, a relatively insecure protocol to be using for this purpose.

Nonetheless, I am authenticating against NPS Service in Windows Server 2012 R2, and in order to get MD5-Challenge to appear as an option for Authentication Method in your Network Policy, you must add this feature back into the Windows Registry and restart the NPS Service.

After this is done, you must enable "Store Password Using Reversible Encryption" on the Active Directory user account you are going to be using for the Captive Portal, and then reset the password (even if you are going to be using the same password) to allow Active Directory to regenerate a new hash that allows for reversible encryption, otherwise you will get either "IAS_AUTH_FAILURE" or "No reversibly encrypted password is stored for the user account"

After all this is done, you should be able to login via your Domain Credentials and get an "IAS_SUCCESS" in your log.

Here is the registry key that must be imported to enable EAP-MD5 in Windows NPS. Simply copy and paste into Notepad and save it as a .REG file.

Note: This has only been tested on Windows Server 2012 R2.

Windows Registry Editor Version 5.00

Disclaimer: Enabling EAP-MD5 is not recommended in a production environment due to security weaknesses.


Viele Grüße


CreatePlease to create content