Questions tagged [eap]

47 questions
5 votes, 2 answers

pfSense - IKEv2 with EAP-RADIUS: Any fallback option if the RADIUS server is down?

I'm deploying an IKEv2 VPN authenticating against a RADIUS service within a pfSense 2.3-RELEASE box. But I'm afraid of the complications of this approach when the RADIUS server is down. Since the RADIUS is behind the pfSense box, in an event of a…
Vinícius Ferrão
5 votes, 2 answers

What should I use instead of MS-CHAP v2?

There's a new tool and service that makes it very easy to break MS-CHAP v2, which is used to secure VPNs. A good summary of the attack against MS-CHAP can be found at Ars Technica. Here's the way I currently have my VPN service running on Windows…
Knox
5 votes, 3 answers

Troubleshooting Windows EAP/RADIUS connectivity issues

So, I guess the short version of the question is: I'm unable to get clients to connect to an enterprise-WPA wireless network after setting up a "new" NPS server and a new CA. After I manually request a new cert on my client from the NPS/CA server…
HopelessN00b
3 votes, 0 answers

JBoss EAP 6.2 high availability without HTTP server

I'm looking for some solution to make a JBoss cluster (2 nodes) in H.A. (1 live, 1 backup), but I don't want to use a third element (machine, service or whatever). Most configurations I found use N nodes and 1 HTTP server as dispatcher, but what…
Stefano R.
3 votes, 1 answer

Why does Windows CA Server issue multiple certificates for the same user?

I am currently implementing an EAP/TLS WIFI implementation to replace our EAP/MSCHAP2 wifi implementation. I am using Windows Server 2008 and I've installed a certificate authority. User certificates are pushed using group policy. A wireless network…
3 votes, 1 answer

Is using EAP-MD5 in strongSwan a security risk?

Quoting Wikipedia: "It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise." However, Wikipedia discusses…
reish
3 votes, 1 answer

Auth-Type :- Reject in RADIUS users file matches inner tunnel request but sends Access-Accept

I have WPA2 802.11x EAP authentication setup using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 talking to OpenLDAP, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to…
mgorven
3 votes, 2 answers

EAP / MSCHAPv2 authentication fails (only) on Windows with custom authenticator

I have a project that involves custom client authentication for the StrongSwan IKEv2 server implementation on Linux. I am running: StrongSwan 5.4.0 with eap-radius plugin. Currently, we use FreeRadius to speak EAP-MSCHAPv2 with various client…
Domokun
2 votes, 0 answers

Wired 802.1x on Windows 10 1803 isn't utilizing cache

So I’ve been trying to resolve 802.1x Wired authentication issues for quite some time now with limited success. The environment is based on Server 2012, Enterasys NAC using EAP-TLS1.2, with a relatively simple PKI infrastructure. We are running…
2 votes, 0 answers

Run DHCP only after wpa_supplicant has connected (wired 802.1x)

I have a network here that uses 802.1x on the wired network to authenticate for greater privilege, BUT without (or "before") auth will place the machine in a default/quarantine network. For good luck, that default network answers DHCP, and once you…
Jim
2 votes, 1 answer

How to store hashes in ipsec.secrets when using Strongswan with eap-mschapv2?

I am using eap-mschapv2 as an authentication method. It requires to store plain text passwords in ipsec.secrets. I.e. I have a password like this: user : EAP "mypassword" I want to use something like this: user : EAP…
Oleksandr
2 votes, 1 answer

Freeradius VLAN assignment with EAP-TLS and WiFi 802.1x

I'm using FreeRadius with a Ubiquiti WiFi AP with 802.1x auth using EAP-TLS (mutual client/server cert based auth). This is working well for static VLANs (i.e. specified on the AP). I'd like to offload the VLAN assignment to Radius so that…
user397220
2 votes, 1 answer

EAP-TLS for Wireless with Active Directory

My question is more from a conceptual point of view, rather than implementation (even though I'm asking about proprietary protocols and products). Assuming I have users and credentials set up in my Active Directory. Users can log in to their…
AndreCruz
1 vote, 1 answer

WPA2 Enterprise: no risks for preconfigured clients when it comes to Rogue APs?

We are using, as default, PEAP and MS-CHAPv2 as inner authentication. I was concerned with security risks when it comes to rogue APs but a colleague told me that there are no risks for preconfigured clients. He told me there are risks only for…
Jade Kush
1 vote, 0 answers

FreeRADIUS default vs. inner-tunnel sites and EAP-TLS workflow

I am trying to set up EAP-TLS with FreeRADIUS and an IPA backend. I understand that a typical workflow is to authorize the user against LDAP first and then to authenticate the user using a certificate. Is this workflow typical or correct? I also…
user3814483