NPS & EAP-MD5

  • Question

  • Hi there,

    We are currently working on the deployment of 802.1x enterprise-wide.  Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.

    When we tested it prior, we were running Windows 2003 + IAS.  The test was flawless, however, it required us to enable Reversible Encryption and relax our password complexity requirements, which was unacceptable.  We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.

    I've just finished setting that up, and it works perfectly.  We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers).  We currently run the NPS service on our DCs (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work.  After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008.  They mention that there are third party EAPHost compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.

    My question is, has anyone else run into this problem?  If so, how did you go about fixing it?  Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass; we're currently running this on 3560 Catalyst switches.  I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.

    Thanks!

    Warren 
    Monday, August 11, 2008 6:11 PM

Answers

  • EAP-MD5 was removed from Windows 2008 because of its inherent lack of security.  However, the MD5 functionality still exists in the RASCHAP dll.  You can turn on MD5 with the following registry keys:

    To re-enable EAP-MD5 support in versions of Windows Vista, add the following registry entries:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4

    Value name: RolesSupported
    Value type: REG_DWORD
    Value data: 0000000a

    Value name: FriendlyName
    Value type: REG_SZ
    Value data: MD5-Challenge

    Value name: Path
    Value type: REG_EXPAND_SZ
    Value data: %SystemRoot%\System32\Raschap.dll

    Value name: InvokeUsernameDialog
    Value type: REG_DWORD
    Value data: 00000001

    Value name: InvokePasswordDialog
    Value type: REG_DWORD
    Value data: 00000001

    For more information about our removal of MD5 from Vista and NPS, see KB922574
    http://support.microsoft.com/kb/922574/en-us

    Clay Seymour - MSFT
    Thursday, September 4, 2008 2:23 PM
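    Re-registering EAP type 4 turns a deliberately removed, weak EAP method back on, so it is a change worth being able to find again on every NPS host. The following PowerShell audit is an added example, not code from the post or from Microsoft; it reads the key and values listed above and reports which are present.

    ```powershell
    # Added audit script, not code from the thread or from Microsoft.
    # Reports whether the EAP type 4 (MD5-Challenge) registration described in the
    # post above is present on this server and, if so, what each value holds.
    $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4'

    # Values and data exactly as the post lists them (RolesSupported 0xa = 10).
    $Expected = [ordered]@{
        RolesSupported       = 10
        FriendlyName         = 'MD5-Challenge'
        Path                 = '%SystemRoot%\System32\Raschap.dll'
        InvokeUsernameDialog = 1
        InvokePasswordDialog = 1
    }

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output 'EAP type 4 is not registered: legacy EAP-MD5 stays disabled on this host.'
        return
    }

    Write-Output "EAP type 4 is registered at $KeyPath (legacy EAP-MD5 re-enabled)."
    $Key = Get-Item -Path $KeyPath

    foreach ($Name in $Expected.Keys) {
        # Read the raw data: Path is REG_EXPAND_SZ and would otherwise come back
        # with %SystemRoot% already expanded, hiding a mismatch against the post.
        $Actual = $Key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        if ($null -eq $Actual) {
            Write-Output ("  {0,-22} MISSING (post specifies {1})" -f $Name, $Expected[$Name])
        }
        elseif ("$Actual" -eq "$($Expected[$Name])") {
            Write-Output ("  {0,-22} {1}" -f $Name, $Actual)
        }
        else {
            Write-Output ("  {0,-22} {1} (post specifies {2})" -f $Name, $Actual, $Expected[$Name])
        }
    }
    ```

    Run it in an elevated PowerShell session on each NPS server; a host where the key is absent has not been changed.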
  • I have managed to get my Mitel phone working on NPS.  However I did this in a rather long-winded fashion.  I installed IAS on a Test domain controller running Windows 2003, checked that the Mitel Phone worked and then upgraded to Windows 2008.

    I think this may have fixed the problem for one or both of the following reasons:

    1) As IAS was installed on a DC it was able to authenticate using just the short username i.e. 'mitelphone' rather than 'MYDOMAIN\mitelphone' (you cannot enter a backslash on a Mitel phone)
    2) Although I amended the registry to add back in MD5 there may have been other components missing that were retained in the process of upgrading 2003 to 2008.  I noted that the TechNet article only mentioned Vista, which made me wonder if this is a client side fix only?

    James
    Friday, September 12, 2008 1:03 PM

All replies

  • Hi

    This post has shed some light on why my Mitel 5220 handsets are not working with NPS.  I do not understand why they would have removed this as an option.  I guess I am going to have to somehow proxy these IP Phones to another RADIUS server instead.  Any other solutions would be greatly appreciated.

    I am working on a project that will involve two organizations sharing the same physical LAN and NPS seems like a good fit as it will let me authenticate users and computers from both organizations' Active Directories, something I could never get the Cisco ACS to do.  As you indicated I had also discounted the 2003 IAS RADIUS because of security concerns.

    James

    Wednesday, September 3, 2008 2:24 PM
  • Thanks for the reply, I have now enabled MD5 authentication.  I am now struggling to see how to set up the Mitel IP Phone; most of the NPS options seem to focus on Windows clients.  I have set up a Network Policy called 'IP Phone' within NPS using the MD5 challenge EAP Type.  I have set the attributes 64, 65 and 81 plus the vendor specific Cisco-AV-Pair to device-traffic-class=voice.  On the conditions tab I have selected Domain users and created a Windows user for the phone to use.  However it does not seem to work.  I think I must be doing something fundamentally wrong.  I have had these Mitel phones working with Cisco ACS so I think I have set up NPS in the same manner.

    Any help would be greatly appreciated.

    Thanks James
    Thursday, September 11, 2008 9:32 AM
  • Some further information

    The following document details a RADIUS solution using Mitel IP Phones and MS IAS server.  However, it doesn't go into the technical detail of how to configure IAS for Mitel Phones.

    http://h40060.www4.hp.com/procurve/uk/en/pdfs/alliance/ProCurveandMitelconvergencebrief_Jul_07_EMEA_Eng_A4.pdf

    This document details the technical configuration of IAS server to support Avaya IP Phones.

    http://www.avaya.co.uk/emea/en-us/resource/assets/applicationnotes/extreme-dot1x01.pdf

    I really need a document that details how to configure IAS (Windows 2003) or NPS (Windows 2008) to support Mitel IP Phones.  I have done quite a few searches, but these are the best matches I can find.

    Thanks

    Thursday, September 11, 2008 1:38 PM
  • THANK YOU! I've been trying to get this working for about a week. We have an NPS server to control wireless and wired 802.1x. We recently got a Mitel 3300 and a bunch of 5224 VoIP phones. How did you overcome AD account complex password policies with the AD account used to authenticate the phones? Also what about case sensitivity for the password on the phones? Thanks again for posting your solution!


    Mike
    Wednesday, October 29, 2008 2:40 PM
  • One other question. Have you tried Mitel phones with 802.1x and GVRP? If so did you come across any issues?
    Mike
    Wednesday, October 29, 2008 3:30 PM
  • Just an update to whoever reads this entry. I figured out the answers to my questions. It is possible to create a complex password that the phone can recognize.

    On the network side GVRP does in fact work with phones using 802.1x. You do not need statically assigned VLANs. However if you are using LLDP-MED then the VoIP VLAN will need to be static. At least on ProCurve switches anyway.

    We also were able to use an AD account without the domain/username format on the phone, but our RADIUS server is not on the domain controller. Although after many failed authentication attempts I looked at the RADIUS logs and found that it was failing because the password for the account needs to be stored using reversible encryption. Just a checkbox in the account properties. I really wish Mitel phones could use something a little more secure than MD5.

    One last thing of note. The phones can't do lowercase passwords so make sure that any dictionary characters in your password are in upper case.


    Mike
    Thursday, October 30, 2008 12:47 PM
  • Hi

    I have a similar problem but with Nortel IP phones. I have read through all your replies and followed your steps which have worked but I still fail to get it working with NPS.

    I have installed Windows 2003 server and set up IAS and got the phones working with MD5 and passing down the Cisco AV pair to put the phone into the VLAN specified by LLDP-MED. We also have EAP-TLS profiles working for Wired & Wireless Clients on there.

    Once everything is working how I want it to I have upgraded the box to Windows 2008 and everything seems to be OK. The EAP-TLS is still working fine and all the settings for the MD5 are still there but when an IP phone tries to authenticate it fails and the phone enters the guest VLAN on the switch. I can see in the log file that the phone is trying to connect but I don't get any entries in the event viewer to say why it has failed. The weird thing is if I set an XP PC to authenticate using MD5 and enter the same credentials as the phone it works fine.

    Any thoughts

    Cheers

    Paul
    Tuesday, May 12, 2009 9:27 AM
  • Hi

    Can someone please post how they got the Mitel to use 802.1x via Cisco switches to authenticate to Windows IAS. Mainly the IAS configuration.

    Kind Regards
    Mike
    Thursday, October 29, 2009 3:24 PM
  • I am replying to this as I just went through this issue with Mitel Phones and Windows Server 2008 R2. There was one thing missing from this that would not allow me to get my phones to connect.

    I am running Windows Server 2008 R2 and a Mitel 5000 Phone system with HP Switches.

    After installing this system the client wanted Radius Authentication setup. I didn't think much of it at the time until I began the process and found that the Mitel phones only support MD5 authentication, not Microsoft PEAP, and that Server 2008 R2 does not support MD5 anymore. With the help of this Post I was able to get MD5 re-enabled but I was still unable to get my phones to authenticate. I was not getting anything in my logs to tell me why they were failing; they just would not connect. After searching the internet I was still lost as to why this was happening until I began some more troubleshooting. I found that the registry hack for MD5 is not the only thing that needs to be done. You also have to have some account settings updated.

    First, you will need to go to the account in AD that you are using to authenticate and go to the Properties. You will want to check the "Store password using reversible encryption" box. You then MUST change the password (You can use the same password, you just have to go through this process).

    Second, you have to go into Group Policy under Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Password Policy and enable "Store passwords using reversible encryption". You then MUST perform a "gpupdate /force". After making these 2 changes your phones should connect up to the server without a problem.

    Friday, January 21, 2011 7:56 PM
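    The account and policy changes described in the post above (and in Mike's October 2008 update) leave passwords stored in a recoverable form, so an administrator should know exactly which accounts that covers. The following PowerShell audit is an added example, not code from either poster: it lists every account with reversible storage enabled, then shows whether the domain-wide policy or any fine-grained password policy (the per-group policy Warren's first post refers to) enables it. It assumes the ActiveDirectory module and domain read access.

    ```powershell
    # Added audit script, not code from the thread. Finds accounts whose password
    # is stored with reversible encryption and reports which policies enable it.
    Import-Module ActiveDirectory

    # userAccountControl bit 0x80 (128, ENCRYPTED_TEXT_PWD_ALLOWED) is set when the
    # "Store password using reversible encryption" box is ticked on an account.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $Reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                             -Properties userAccountControl, PasswordLastSet, MemberOf

    Write-Output "Accounts with reversible password storage: $(@($Reversible).Count)"
    foreach ($User in $Reversible) {
        # Group memberships show whether such an account can reach more than a phone VLAN.
        $Groups = ($User.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordLastSet = $User.PasswordLastSet   # must be after the flag was set
            MemberOf        = $Groups
        }
    }

    # The domain-wide switch from the post's second step applies to every account
    # in the domain, not only the phone accounts.
    $DomainPolicy = Get-ADDefaultDomainPasswordPolicy
    Write-Output "Default domain policy ReversibleEncryptionEnabled: $($DomainPolicy.ReversibleEncryptionEnabled)"

    # Fine-grained password policies can scope the setting to one group instead;
    # AppliesTo lists the users or groups each policy is assigned to.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, ReversibleEncryptionEnabled, AppliesTo
    ```

    An account that shows the flag but whose PasswordLastSet predates the change still has no reversible hash stored, which is why the post insists on resetting the password afterwards.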
  • Hi PCGUY1184,

    I am trying to get Mitel phones working with 802.1X, I have enabled MD5 and made the other changes you propose but it's still not working. The event log is showing event ID 6274

    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   Mitel8021X
     Account Domain:   #Domain Removed#
     Fully Qualified Account Name: #Domain Removed#\Mitel8021X

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  -
     Calling Station Identifier:  08-00-0F-5D-87-1A

    NAS:
     NAS IPv4 Address:  192.168.202.1
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Ethernet
     NAS Port:   11

    RADIUS Client:
     Client Friendly Name:  Nortel5520
     Client IP Address:   192.168.202.1

    Authentication Details:
     Connection Request Policy Name: Secure Wired Connections
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  #NPS Server FQDN# 
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.

    Did you come across this problem? I saw a hotfix available for 2008R2 for EAP-MD5 where the name field is empty however the hotfix won't install as I believe I already have a newer version of raschap.dll

    Regards,


    Craig

    • Edited by cscott99 Wednesday, September 12, 2012 10:41 AM
    Wednesday, September 12, 2012 10:40 AM
  • Hello I have the same problem with the deployment of NPS solution on our network.

    We use 802.1X for the computers in our Active Directory Domain but for redundancy we wished to enable MAC authentication. The Radius clients are "juniper ex4200" which use EAP by MD5 to authenticate the computers with their MAC addresses. I added in the registry all entries and after the creation of all mac addresses in our AD and the reversible encryption enabled everything works.

    The problem that we have : after 3 days or more the NPS server is no longer able to verify the correspondence between the authenticating message (with MAC address in MD5) and our LDAP directory information. We are therefore forced to restart the server 1 or 2 times a week.

    Do you have the same problem? Do you see any other solution?

    Thank you


    D.W.D

    Friday, September 14, 2012 12:43 PM
  • I am also receiving "An internal error occurred. Check the system event log for additional information." Anyone find a resolution for this?
    Friday, April 11, 2014 10:35 PM
  • Hi All,

    Understand this is an old post. But how can we enable MD5-Challenge on NPS for Windows 2016? I have tried all versions of Windows 2016, 2012, 2008 and this registry trick doesn't work.

    Even copying raschap.dll from Server 2003 to Server 2016 didn't work as well.

    Really need this to be working ASAP as customer network devices only support MD5 on MAC-Bypass.

    Thank you and hope someone can help.

    Cheers!

    Friday, June 19, 2020 7:09 PM