NPS & EAP-MD5

  • Monday, August 11, 2008 6:11 PM  WarrenR

    Hi there,

    We are currently working on the deployment of 802.1x enterprise-wide.  Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.

    When we tested it prior, we were running Windows 2003 + IAS.  The test was flawless, however, it required us to enable Reversible Encryption and relax our password complexity requirements, which was unacceptable.  We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.

    I've just finished setting that up, and it works perfectly.  We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers).  We currently run the NPS service on our DCs (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work.  After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008.  They mention that there are third party EAPHost compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.

    My question is, has anyone else run into this problem?  If so, how did you go about fixing it?  Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass; we're currently running this on 3560 Catalyst switches.  I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.

    Thanks!

    Warren 

Answers

  • Thursday, September 04, 2008 2:23 PM  Clay Seymour MSFT
     Answer
    EAP-MD5 was removed from Windows 2008 because of its inherent lack of security.  However, the MD5 functionality still exists in the RASCHAP dll.  You can turn on MD5 with the following registry keys:

    To re-enable EAP-MD5 support in versions of Windows Vista, add the following registry entries:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4

    Value name: RolesSupported
    Value type: REG_DWORD
    Value data: 0000000a

    Value name: FriendlyName
    Value type: REG_SZ
    Value data: MD5-Challenge

    Value name: Path
    Value type: REG_EXPAND_SZ
    Value data: %SystemRoot%\System32\Raschap.dll

    Value name: InvokeUsernameDialog
    Value type: REG_DWORD
    Value data: 00000001

    Value name: InvokePasswordDialog
    Value type: REG_DWORD
    Value data: 00000001

    For more information about our removal of MD5 from Vista and NPS, see KB922574
    http://support.microsoft.com/kb/922574/en-us

    Clay Seymour - MSFT
  • Friday, September 12, 2008 1:03 PM  JWDW
     Answer
    I have managed to get my Mitel phone working on NPS.  However, I did this in a rather long-winded fashion.  I installed IAS on a test domain controller running Windows 2003, checked that the Mitel phone worked and then upgraded to Windows 2008.

    I think this may have fixed the problem for one or both of the following reasons:

    1) As IAS was installed on a DC it was able to authenticate using just the short username, i.e. 'mitelphone' rather than 'MYDOMAIN\mitelphone' (you cannot enter a backslash on a Mitel phone).
    2) Although I amended the registry to add back in MD5, there may have been other components missing that were retained in the process of upgrading 2003 to 2008.  I noted that the TechNet article only mentioned Vista, which made me wonder if this is a client side fix only?

    James

All Replies

  • Wednesday, September 03, 2008 2:24 PM  JWDW

    Hi

    This post has shed some light on why my Mitel 5220 handsets are not working with NPS.  I do not understand why they would have removed this as an option.  I guess I am going to have to somehow proxy these IP phones to another RADIUS server instead.  Any other solutions would be greatly appreciated.

    I am working on a project that will involve two organizations sharing the same physical LAN, and NPS seems like a good fit as it will let me authenticate users and computers from both organizations' Active Directories, something I could never get the Cisco ACS to do.  As you indicated, I had also discounted the 2003 IAS RADIUS because of security concerns.

    James

  • Thursday, September 11, 2008 9:32 AM  JWDW

    Thanks for the reply, I have now enabled MD5 authentication.  I am now struggling to see how to set up the Mitel IP phone; most of the NPS options seem to focus on Windows clients.  I have set up a Network Policy called 'IP Phone' within NPS using the MD5-Challenge EAP type.  I have set the attributes 64, 65 and 81 plus the vendor specific Cisco-AV-Pair to device-traffic-class=voice.  On the conditions tab I have selected Domain Users and created a Windows user for the phone to use.  However, it does not seem to work.  I think I must be doing something fundamentally wrong.  I have had these Mitel phones working with Cisco ACS, so I think I have set up NPS in the same manner.

    Any help would be greatly appreciated.

    Thanks James
  • Thursday, September 11, 2008 1:38 PM  JWDW

    Some further information

    The following document details a RADIUS solution using Mitel IP Phones and MS IAS server.  However, it doesn't go into the technical detail of how to configure IAS for Mitel phones.

    http://h40060.www4.hp.com/procurve/uk/en/pdfs/alliance/ProCurveandMitelconvergencebrief_Jul_07_EMEA_Eng_A4.pdf

    This document details the technical configuration of IAS server to support Avaya IP Phones.

    http://www.avaya.co.uk/emea/en-us/resource/assets/applicationnotes/extreme-dot1x01.pdf

    I really need a document that details how to configure IAS (Windows 2003) or NPS (Windows 2008) to support Mitel IP Phones.  I have done quite a few searches, but these are the best matches I can find.

    Thanks

  • Wednesday, October 29, 2008 2:40 PM  Mike Tupker

    THANK YOU! I've been trying to get this working for about a week. We have an NPS server to control wireless and wired 802.1x. We recently got a Mitel 3300 and a bunch of 5224 VoIP phones. How did you overcome AD account complex password policies with the AD account used to authenticate the phones? Also, what about case sensitivity for the password on the phones? Thanks again for posting your solution!


    Mike
  • Wednesday, October 29, 2008 3:30 PM  Mike Tupker

    One other question. Have you tried Mitel phones with 802.1x and GVRP? If so, did you come across any issues?
    Mike
  • Thursday, October 30, 2008 12:47 PM  Mike Tupker

    Just an update to whoever reads this entry. I figured out the answers to my questions. It is possible to create a complex password that the phone can recognize.

    On the network side, GVRP does in fact work with phones using 802.1x. You do not need statically assigned VLANs. However, if you are using LLDP-MED then the VoIP VLAN will need to be static. At least on ProCurve switches, anyway.

    We also were able to use an AD account without the domain\username format on the phone, but our RADIUS server is not on the domain controller. Although after many failed authentication attempts I looked at the RADIUS logs and found that it was failing because the password for the account needs to be stored using reversible encryption. Just a checkbox in the account properties. I really wish Mitel phones could use something a little more secure than MD5.

    One last thing of note. The phones can't do lowercase passwords, so make sure that any dictionary characters in your password are in upper case.


    Mike
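    Two things in this thread are worth auditing on an NPS server afterwards: whether the EAP\4 registry entries from Clay Seymour's answer have re-enabled MD5-Challenge, and which AD accounts have the per-account "store password using reversible encryption" checkbox that Mike's update says the phone accounts need. The following PowerShell script is an added example, not part of this thread or of any Microsoft documentation; it assumes the ActiveDirectory module is installed and only reports, changing nothing.

    ```powershell
    # Added audit example (not from the thread). Run as an administrator on the NPS server.
    # Assumes the ActiveDirectory PowerShell module is available; nothing is modified.

    # Registry key used in Clay Seymour's answer to re-enable EAP-MD5 (EAP type 4).
    $EapMd5Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4'

    function Test-EapMd5Enabled {
        # $true when the MD5-Challenge entries from the thread are present on this host.
        if (-not (Test-Path $EapMd5Key)) { return $false }
        $p = Get-ItemProperty -Path $EapMd5Key -ErrorAction SilentlyContinue
        return ($null -ne $p.Path) -and ($p.Path -like '*Raschap.dll') -and ($null -ne $p.RolesSupported)
    }

    function Get-ReversibleEncryptionAccounts {
        # userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED, decimal 128) is set by the
        # per-account "Store password using reversible encryption" checkbox Mike describes.
        # The LDAP bitwise-AND matching rule finds every user with that bit set.
        Import-Module ActiveDirectory -ErrorAction Stop
        Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
            -Properties MemberOf, PasswordLastSet |
            ForEach-Object {
                $u = $_
                # Resultant fine-grained password policy (the per-group policy the original
                # poster moved to Windows 2008 for); empty means the default domain policy applies.
                $pso = Get-ADUserResultantPasswordPolicy -Identity $u.SamAccountName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    SamAccountName  = $u.SamAccountName
                    PasswordLastSet = $u.PasswordLastSet
                    PasswordPolicy  = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                    Groups          = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
                }
            }
    }

    # Report: MD5-Challenge status on this server, then the reversible-encryption account inventory.
    if (Test-EapMd5Enabled) {
        Write-Warning "EAP-MD5 (MD5-Challenge) is enabled via $EapMd5Key on $env:COMPUTERNAME"
    } else {
        Write-Output "EAP-MD5 is not enabled on $env:COMPUTERNAME"
    }

    $accounts = @(Get-ReversibleEncryptionAccounts)
    Write-Output ("{0} account(s) store passwords with reversible encryption:" -f $accounts.Count)
    $accounts | Format-Table -AutoSize
    ```

    Accounts listed under the default domain policy rather than a dedicated fine-grained policy are the ones whose relaxed settings would otherwise leak to ordinary users.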
  • Tuesday, May 12, 2009 9:27 AM  Paul2_uk

    Hi

    I have a similar problem but with Nortel IP phones. I have read through all your replies and followed your steps, which have worked, but I still fail to get it working with NPS.

    I have installed Windows 2003 server and set up IAS, and got the phones working with MD5 and passing down the Cisco AV pair to put the phone into the VLAN specified by LLDP-MED. We also have EAP-TLS profiles working for wired & wireless clients on there.

    Once everything is working how I want it to, I have upgraded the box to Windows 2008 and everything seems to be OK. The EAP-TLS is still working fine and all the settings for the MD5 are still there, but when an IP phone tries to authenticate it fails and the phone enters the guest VLAN on the switch. I can see in the log file that the phone is trying to connect, but I don't get any entries in the event viewer to say why it has failed. The weird thing is, if I set an XP PC to authenticate using MD5 and enter the same credentials as the phone, it works fine.

    Any thoughts?

    Cheers

    Paul
  • Thursday, October 29, 2009 3:24 PM  tierdmonkey

    Hi

    Can someone please post how they got the Mitel to use 802.1x via Cisco switches to authenticate to Windows IAS, mainly the IAS configuration.

    Kind Regards
    Mike