
MSCHAPv2 + Internal Radius + External LDAP without TLS / SSL certificates possible?


Can I implement an environment with an RFS6000 without using any type of certificate? I made all the How-To settings except the trustpoint part. Is there a way to bypass the trustpoint and still have MSCHAP on the WLAN working?

5 replies

Hi Tiago,

It is pretty much possible - see this article:

How to set internal RADIUS server on WiNG with LDAP based authentication?

However, you will not have a trusted certificate and some client devices requiring Server certificate validation may throw a security alarm.

Regards,
Ondrej
Hello Tiago,
802.1X has different flavors/methods for authentication. Certificates are not required with some 802.1X deployments, and most deployments not using certificates implement PEAP/MSCHAPv2. When configuring the wireless profile via the wireless client supplicant, ensure that 'validate server certificate' is disabled, otherwise client authentication will fail.

Regards,
Chris
Hi Tiago,

PEAP always needs a certificate! But you can use the self-signed internal certificate. I would NOT recommend disabling "validate server certificate". It's better to distribute the self-signed certificate to your clients as a valid certificate.

If you do not check the server certificate, a third party can very easily force the user to connect to its SSID and collect the user name and password hash. With hashcat you can encrypt the password and have a working LDAP user. Worst case!

Make sure to use a certificate that you trust, whichever way you do it. Distribute a self-signed certificate and trust it, or use a public or internal PKI.

So I would really like to do the authentication in the simplest possible way to get around some issues that affect the WLAN of the school where I work. Subsequently, I intend to look for Extreme partners to make a deployment following best practices.

I followed the official documentation to make the settings; the controller is a member of AD and the RADIUS service is running, but I cannot authenticate any clients.

So I thought it was because I did not set up any certificate for the internal RADIUS server.
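As an added illustration of the point made in the two replies above (this is not configuration from the thread or from Extreme's documentation), here are two wpa_supplicant network blocks for PEAP-MSCHAPv2. The first leaves server certificate validation off, which is what a supplicant does when no CA is configured; the second trusts only the distributed CA (the controller's self-signed certificate or an internal/public PKI root) and requires the expected server name. The SSID, CA file path, server name and credentials are placeholders.

```conf
# Added example, not part of the original thread.
# SSID, CA path, server name and credentials are placeholders.

# Weak: no ca_cert, so the supplicant accepts any server certificate and
# will run the inner MSCHAPv2 exchange against whichever RADIUS server
# answers for this SSID. wpa_supplicant logs a warning in this case.
network={
    ssid="School-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
}

# Hardened: the server certificate must chain to the CA you distributed
# and its subject/dNSName must match the expected RADIUS server name.
network={
    ssid="School-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="jdoe"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/school-radius-ca.pem"
    domain_match="radius.school.example"
}
```

The `ca_cert` plus `domain_match` pair is what defeats the rogue-SSID scenario described above: a server presenting a certificate that does not chain to that CA, or that carries a different name, fails the outer TLS phase before any MSCHAPv2 material is sent. On Windows the equivalent is keeping "Verify the server's identity by validating the certificate" enabled and listing the trusted root CA and server name in the profile.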
Tiago Juliano Ferreira wrote:

So I would really like to do the authentication in the simplest possible way to get around some issues that affect the WLAN of the school where I work. Subsequently, I intend to look for Extreme partners to make a deployment following best practices.

I followed the official documentation to make the settings; the controller is a member of AD and the RADIUS service is running, but I cannot authenticate any clients.

So I thought it was because I did not set up any certificate for the internal RADIUS server.

Tiago,

I'd recommend checking i.e. the CWSP study guide and deciding on the best authentication method for your school.

Personally, I'd rely on PEAP-MSCHAPv2 with certificate validation, as I believe you use Active Directory and the school definitely has a public website covered with a wildcard certificate. You could merge it then.

However, if you are not familiar with PKI or (wireless) network design, I appreciate your decision to contact Extreme Partners.

See this article: How can I search for a partner in my area?

Regards,
Ondrej
