EAP-MD5 on Server 2008 R2

  • Question

  • Good afternoon everyone.

    Would any of you be able to help me out with the following:

    I am trying to set up NPS with EAP-MD5 (reason? well, I got a crappy switch which only supports PAP and EAP-MD5..).
    I already added the registry entries on the server and MD5 is now visible on the server.
    I also added it to the Windows 7 Ultimate test computer, so I can now select MD5.

    If I now look at the server I do see some traffic coming by, but my client isn't being authorized.
    First of all, I think, it is because it can't find a valid policy (I will add the logging at the bottom of this post).

    Setup: PKI, AD, NPS on the same server (I know this is stupid and insecure, but it should work, shouldn't it...).

    Now my biggest and most annoying issue is:
    Why is my computer not being authorized if I log in with some AD credentials?
    PS: I got it working with EAP-TLS with another RADIUS client.

    I just want the authentication to be on the user account in AD (no computer verification or whatsoever, unless required).

    Hereby the logging:

    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			SERVICES\useraccount
    	Account Domain:			-
    	Fully Qualified Account Name:	-
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		-
    	Calling Station Identifier:		00-25-B3-71-03-04
    
    NAS:
    	NAS IPv4 Address:		192.168.11.3
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			-
    	NAS Port:			3
    
    RADIUS Client:
    	Client Friendly Name:		switch
    	Client IP Address:			192.168.11.3
    
    Authentication Details:
    	Connection Request Policy Name:	-
    	Network Policy Name:		-
    	Authentication Provider:		-
    	Authentication Server:		PRDITSDC01.services.domain.local
    	Authentication Type:		-
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			49
    	Reason:				The RADIUS request did not match any configured connection request policy (CRP).
    

    I also bolded the field in which I think I screwed up.
    Could it be possible that I am missing some settings on the server?

    Please help :-)


    Andre

    Wednesday, February 27, 2013 9:19 AM

Answers

  • OK, fixed it.

    The issue is with the NPS...

    The NPS had an option in the network policies.
    By default it is set to Ethernet.

    Well, I made it a bit easier, so I said that it should allow all the requests from the RADIUS client (switch).
    So I selected: Client IPv4 Address and entered the RADIUS client's address.

    Did the same in Connection Request Policies, and then one thing was left to be done.

    MD5 uses CHAP (not bad, but not preferred).
    With CHAP enabled, the user accounts in AD must have their passwords set to reversibly encrypted (either via GPO, or go to the properties of the user account and set the option: Store password using reversible encryption).

    Then you think, OK, all done, right? Well, no...
    This is the thing that kept me busy until I read http://help.perle.com/?a=4&q=23
    It states that in order for the password to be reversibly encrypted... the password must be changed now (one time only).

    Mark the following sentence!
    I will never advise anybody to use this, as the password is almost plain text (reversibly encrypted).

    Stick with EAP-TLS: much easier (if you know PKI) and much more secure.


    Andre

    • Marked as answer by dre2008 Wednesday, February 27, 2013 11:28 AM
    Wednesday, February 27, 2013 11:26 AM
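    The account-side part of the fix described in the answer above, as an added PowerShell example (not commands from the thread or from Microsoft's documentation): it sets the "Store password using reversible encryption" bit on one test account, forces the one-time password reset the answer mentions, and verifies the userAccountControl flag afterwards. It assumes the ActiveDirectory module (RSAT) is available on the NPS/DC host and that `useraccount` from the NPS log is the sAMAccountName of the test user; the cleanup commands at the end are an added precaution for when testing is finished.

```powershell
# Added example; not from the original thread. Assumes the ActiveDirectory
# module is installed and that 'useraccount' (from the NPS event) is the
# sAMAccountName of the test user.
Import-Module ActiveDirectory

$User = 'useraccount'                 # assumed sAMAccountName of the test account
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80    # userAccountControl bit behind the checkbox

function Get-ReversibleState {
    # Reports whether the reversible-encryption bit is set and when the
    # password was last set; the reversible copy only exists for passwords
    # set while the bit was already on.
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, pwdLastSet
    [pscustomobject]@{
        User            = $u.SamAccountName
        FlagSet         = [bool]($u.userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED)
        PasswordLastSet = [DateTime]::FromFileTime($u.pwdLastSet)
    }
}

# 1. Before: normally FlagSet is False.
Get-ReversibleState -Identity $User

# 2. Set the bit on this account only (same bit the GUI checkbox and the
#    GPO setting control). Keep it scoped to the test account rather than
#    enabling it domain-wide in the password policy.
Set-ADUser -Identity $User -AllowReversiblePasswordEncryption $true

# 3. The flag alone does nothing for existing passwords: AD only stores a
#    reversibly encrypted copy when the password is next set. Reset it once.
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $User"
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword

# 4. Verify: FlagSet should now be True and PasswordLastSet should be "now".
#    Then retry the EAP-MD5 logon from the Windows 7 client.
Get-ReversibleState -Identity $User

# 5. Dump the NPS configuration to check the Connection Request Policy and
#    Network Policy conditions (e.g. the Client IPv4 Address condition for
#    the switch, 192.168.11.3) without clicking through the MMC.
netsh nps show config

# Cleanup once testing is done: clear the bit and reset the password again so
# the password stored from then on is not kept in reversible form.
# Set-ADUser -Identity $User -AllowReversiblePasswordEncryption $false
# Set-ADAccountPassword -Identity $User -Reset -NewPassword (Read-Host -AsSecureString -Prompt "New password")
```

    The verification step is the one worth keeping: a `FlagSet` of True with a `PasswordLastSet` that predates the change is exactly the state the answer warns about, where EAP-MD5/CHAP still fails because no reversible copy of the password exists yet.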

All replies

  • Hi Andre,

    Thanks for your update and I am glad that you have got it working.

    Cheers!

    Jeremy Wu
    TechNet Community Support

    Thursday, February 28, 2013 8:46 AM