MSCHAPv2 + Internal Radius + External LDAP without TLS / SSL certificates possible?

Tiago_Juliano_F
New Contributor
MSCHAPv2 + Internal Radius + External LDAP without TLS / SSL certificates possible? Can I implement an environment with RFS6000 without using any type of certificate? I made all How TO settings but except the trustpoint part. Is there a way to bypass trustpoint and still have MSCHAP on wlan working?
5 REPLIES

Tiago_Juliano_F
New Contributor
So I would really like to do the authentication in the simplest possible way to get around some issues that affect the WLAN of the school where I work. Subsequently, I intend to look for Extreme partners to make a deployment in the best practices.

I followed the official documentation to make the settings, the controller is a member of AD, the Radius service is running, but I cannot authenticate any clients.

So I thought it was because I did not set up any certificate for the internal Radius server.

Tiago,

I'd recommend checking e.g. the CWSP study guide and deciding on the best authentication method for your school.

Personally, I'd rely on PEAP-MSCHAPv2 with certificate validation as I believe you use ActiveDirectory and the school definitely has a public website covered with a wildcard certificate. You could merge it then.

However, if you are not familiar with PKI or (wireless) network design, I appreciate your decision of contacting Extreme Partners.

See this article: How can I search for a partner in my area?

Regards,
Ondrej

Timo1
New Contributor II
Hi Tiago,

PEAP always needs a certificate! But you can use the self-signed internal certificate. But I would NOT recommend disabling "validate server certificate". It's better to distribute the self-signed certificate to your clients as a trusted certificate.

If you do not check the server certificate, a third party can very easily force the user to connect to their SSID and collect the user name and password hash. With hashcat you can crack the password and have a working LDAP user. Worst case!

Make sure to use a certificate that you trust, whichever way you do it. Distribute a self-signed certificate and trust it, or use a public or internal PKI.

Christopher_Fra
Extreme Employee
Hello Tiago,
802.1X has different flavors/methods for authentication. Certificates are not required with some 802.1X deployments, and most deployments not using certificates implement PEAP/MSCHAPv2. You must ensure that, when configuring the wireless client profile via the wireless client supplicant, 'validate server certificate' is disabled, otherwise client authentication will fail.

Regards,
Chris
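As an added illustration that is not part of this thread (it is not from any of the posters or from Extreme's documentation), here is what the two client-side choices discussed above look like in a wpa_supplicant configuration on a Linux client: the first network block is the "validate server certificate disabled" setting Chris describes, the second is Timo1's recommendation of trusting the self-signed RADIUS certificate. The SSID, identity, certificate path and RADIUS server name are assumed placeholders.

```conf
# Added example, not from the original thread. SSID, identity, paths and
# server name are assumed values; replace them with your own.

# Block 1: PEAP-MSCHAPv2 with NO server certificate validation.
# This is the Linux equivalent of unticking "validate server certificate".
# The supplicant will complete the TLS tunnel with ANY server certificate,
# so a rogue AP broadcasting the same SSID can terminate PEAP itself and
# collect the MSCHAPv2 challenge/response for offline cracking.
network={
    ssid="School-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student01"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_match: the server is never checked
}

# Block 2: PEAP-MSCHAPv2 WITH server certificate validation.
# ca_cert points at the trust anchor: either the internal CA that issued
# the RADIUS certificate, or the self-signed RADIUS certificate itself
# (assumed path). domain_match pins the server name in the certificate so
# a certificate from the same CA for a different host is rejected.
network={
    ssid="School-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student01"
    password="correct horse battery staple"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/school-radius-ca.pem"
    domain_match="radius.school.example"
}
```

Only one of the two blocks should be deployed; they are shown side by side to make the difference visible. If the controller presents a self-signed certificate, export that certificate and use it as `ca_cert` rather than omitting validation; the password is still sent through the TLS tunnel either way, but only the second block guarantees the tunnel ends at your RADIUS server.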