RADIUS management authentication on XMC / XIQ / Control 21.11.11.37 with ms-chap

DominicS
New Contributor
Hi guys

I am absolutely new to Extreme XMC / XIQ and this community. I have a working RADIUS management policy on XMC / XIQ / Control for different network access devices (NAD): Cisco WLCs, Extreme VSPs / VOSS / EXOS...

Now I "try" to implement an LDAP-based management access to SLX-OS and got it to work with "protocol pap", which uses a cleartext password. But I would like to use "peap / mschap" or at least chap to authenticate against the LDAP (Active Directory). But I always get the following error:

Rejected management login to switch 1.2.3.4, User: xyz, due to: chap: &control:Cleartext-Password is required for authentication

I already changed the LDAP/S configuration from "LDAP Bind" to "NTLM authentication".

Could you please help me out with a good hint on what I am missing or doing wrong? If you need more information, I absolutely can provide it to you.

Thanks in advance and best regards
Dominic
1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

Hello,

I think this will work if the credential is stored on NAC in the local password repository. With MsChapv2 that we use for 802.1x authentication the challenge hash must be sync'd between AD and the NAC, that way the client uses the same challenge hash for the username/password that the AD does.

With Chap I don't think there is a mechanism to sync these hashes from AD to NAC, which is why we need the clear-text password at the NAC to use it with the challenge hash supplied by AD.

Which protocols have you tried at this point?

If you have NTLM authentication set, can you also confirm you have successfully joined the AD and that winbindd is running with the correct trust secret?

test_wbinfo -s /opt/nac/radius/raddb/smb.* -t

Thanks
-Ryan

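Ryan's point about why CHAP needs the cleartext password at the NAC while MS-CHAPv2 can work from a hash synced with AD, as an added Python illustration (not Extreme's, FreeRADIUS's or the poster's code): the "hash-keyed" scheme and derive_hash are simplified stand-ins for MS-CHAPv2's NT-Response and the NT hash, chosen so the example needs no DES or MD4, and the credential and challenge are constructed sample data.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994): Response = MD5(Identifier || Secret || Challenge). The peer
# mixes the *cleartext* secret into the hash, so the verifier must hold it too.
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()

# Simplified stand-in for MS-CHAPv2's NT-Response (which keys DES with the NT
# hash): the answer depends only on H(password), never on the cleartext.
def hash_keyed_response(password_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()

def derive_hash(cleartext: str) -> bytes:
    # Stands in for the NT hash (MD4 of UTF-16LE) that a domain-joined winbindd can work with.
    return hashlib.sha256(cleartext.encode("utf-8")).digest()

CHAP_ERROR = "chap: &control:Cleartext-Password is required for authentication"

def server_verify(scheme: str, store: dict, ident: int, challenge: bytes, response: bytes):
    """RADIUS-side check using only what the backend could hand over.
    store holds {"cleartext": str} (NAC local password repository) and/or
    {"hash": bytes} (what an AD-joined winbindd can supply). Returns True/False,
    or the rlm_chap-style error when the backend cannot give CHAP what it needs."""
    if scheme == "chap":
        if "cleartext" not in store:
            return CHAP_ERROR            # the exact symptom from the question
        expected = chap_response(ident, store["cleartext"], challenge)
    elif scheme == "hash-keyed":
        pw_hash = store.get("hash") or derive_hash(store["cleartext"])
        expected = hash_keyed_response(pw_hash, challenge)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    pw = "constructed-example-secret"      # constructed sample credential
    ident, challenge = 7, os.urandom(16)   # NAS picks identifier and challenge
    chap_resp = chap_response(ident, pw, challenge)   # what the admin's client sends
    hk_resp = hash_keyed_response(derive_hash(pw), challenge)
    return {
        "chap_local_repo": server_verify("chap", {"cleartext": pw}, ident, challenge, chap_resp),
        "chap_ad_hash_only": server_verify("chap", {"hash": derive_hash(pw)}, ident, challenge, chap_resp),
        "chap_wrong_password": server_verify("chap", {"cleartext": "not-it"}, ident, challenge, chap_resp),
        "hash_keyed_ad_hash_only": server_verify("hash-keyed", {"hash": derive_hash(pw)}, ident, challenge, hk_resp),
    }
```

Only the local-repository case can answer a CHAP challenge; an AD backend that exposes just a hash (or, with plain LDAP bind, nothing at all) can only serve the hash-keyed scheme, which is the asymmetry behind the error in the question.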