This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RADIUS management authentication on XMC / XIQ / Control 21.11.11.37 with ms-chap

RADIUS management authentication on XMC / XIQ / Control 21.11.11.37 with ms-chap

Go to solution
DominicS
New Contributor

‎03-05-2022 10:36 AM

Hi guys

I am absolutely new to Extreme XMC / XIQ and this community. I have a working RADIUS management policy on XMC / XIQ / Control for different network access devices (NAD): Cisco WLCs, Extreme VSPs / VOSS / EXOS...

Now I "try" to implement a LDAP based management access to SLX-OS and get it to work with "protocol pap", which uses cleartext password. But I would like to use "peap / mschap" or at least chap to authenticate against the LDAP (active directory). But I always get the following error:

Rejected management login to switch 1.2.3.4, User: xyz, due to: chap: &control:Cleartext-Password is required for authentication

I already changed the LDAP/S configuration from "LDAP Bind" to "NTLM authentication".

Could you please help my out with a good hint, what I am missing or doing wrong. If you need more information, I absolutely can provide it to you.

Thanks in advance and best regards
Dominic
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Ryan_Yacobucci
Extreme Employee

‎03-08-2022 09:20 AM

Hello,

I think this will work if the credential is stored on NAC in the local password repository. With MsChapv2 that we use for 802.1x authentication the challenge hash must be sync'd between AD and the NAC, that was the client uses the same challenge hash for the username/password that the AD does. 

With Chap I don't think there is a mechanism to sync these hashes from AD to NAC, which is why we need the clear-text password at the NAC to use it with the challenge hash supplied by AD.

Which protocols have you tried at this point?

If you have NTLM authentication set can you also confirm you have successfully joined the AD and that winbindd is running with correct trust secret?

test_wbinfo -s /opt/nac/radius/raddb/smb.* -t

Thanks
-Ryan

View solution in original post

1 REPLY 1

Go to solution
Ryan_Yacobucci
Extreme Employee

‎03-08-2022 09:20 AM

Hello,

I think this will work if the credential is stored on NAC in the local password repository. With MsChapv2 that we use for 802.1x authentication the challenge hash must be sync'd between AD and the NAC, that was the client uses the same challenge hash for the username/password that the AD does. 

With Chap I don't think there is a mechanism to sync these hashes from AD to NAC, which is why we need the clear-text password at the NAC to use it with the challenge hash supplied by AD.

Which protocols have you tried at this point?

If you have NTLM authentication set can you also confirm you have successfully joined the AD and that winbindd is running with correct trust secret?

test_wbinfo -s /opt/nac/radius/raddb/smb.* -t

Thanks
-Ryan

GTM-P2G8KFN