PEAP and MSCHAPv2

  • Updated 3 years ago
Hi all, we're just getting into standardizing on Ruckus as our wireless infrastructure and have run into a question regarding the use of PEAP and MSCHAPv2. Currently we have a corporate WLAN configured to use 802.1x EAP authentication with WPA2 encryption and specifying a RADIUS authentication server. For that AAA server configuration in the ZD we've got the RADIUS server defined with CHAP auth method. We typically used PEAP/MSCHAPv2 (as we have configured in NPS on the RADIUS server's network policy), but you cannot connect to that WLAN unless the NPS network policy is configured to allow CHAP. Suffice to say that it would appear that CHAP is being used vice MSCHAPv2. Can anyone clarify if MSCHAPv2 is usable and how we might go about it? It almost seems as though the ZD deployment is using CHAP to forward the connection on to the RADIUS server, which then perhaps uses PEAP and MSCHAPv2 between the client and server? Sounds a bit off base, but as I mentioned, we are just getting used to Ruckus and dig it so far.

thanks!
Bobby Wittenberg, posted 3 years ago
Miko

Are you looking at the test option in the ZoneDirector to test the AAA server? If so, that is a known issue with the ZoneDirector: it only tests simple authentication methods. You will need to test with a full computer to test PEAP+MSCHAPv2 functionality. I can confirm Ruckus works with PEAP+MSCHAPv2 for every device we have used: iOS, Android, Windows, Mac, etc.
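The "test with a full computer" step above, as an added example that is not part of the thread: from a Linux box, eapol_test (part of wpa_supplicant) performs a real PEAP/MSCHAPv2 exchange straight against the NPS server, which is what the ZoneDirector test button cannot do. The RADIUS address, shared secret, username, password and CA path are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not Ruckus or thread code): exercise PEAP with inner
# MSCHAPv2 against a RADIUS/NPS server using eapol_test.
# All server, secret, user and certificate values below are placeholders.

# Emit a wpa_supplicant-style network block for PEAPv0 / EAP-MSCHAPv2.
# $1 = identity (e.g. DOMAIN\user), $2 = password,
# $3 = CA certificate that signed the NPS server certificate.
# ca_cert is what makes the supplicant verify the server before sending
# credentials inside the TLS tunnel; leaving it out means the client will
# trust any RADIUS server that presents a certificate.
peap_config() {
    cat <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$1"
    password="$2"
    anonymous_identity="anonymous"
    ca_cert="$3"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Run the exchange. Returns 0 on Access-Accept (eapol_test prints
# SUCCESS), 1 on Access-Reject/timeout, 2 if eapol_test is not installed.
# $1 = RADIUS server IP, $2 = shared secret, $3 = path to config file.
run_peap_test() {
    command -v eapol_test >/dev/null 2>&1 || {
        echo "eapol_test not installed (package wpa_supplicant / hostap)" >&2
        return 2
    }
    eapol_test -c "$3" -a "$1" -s "$2" -p 1812 -t 10 >/dev/null 2>&1
}

# Typical use (placeholders):
#   peap_config 'CORP\alice' 'Passw0rd-placeholder' /etc/ssl/certs/corp-ca.pem > peap.conf
#   run_peap_test 192.0.2.10 'radius-secret-placeholder' peap.conf && echo "PEAP/MSCHAPv2 OK"
```

If this succeeds while the NPS network policy has CHAP disabled, the WLAN path is carrying PEAP/MSCHAPv2 and only the ZD test button was using CHAP.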
Bobby Wittenberg

Hey, thanks for that confirmation Miko. Can you provide any recommendations on either your NPS network policy settings, the ZD or otherwise that might help us figure out why we are stuck using CHAP? We had to enable reversible encryption.
Miko

Here are the authentication policies that I use for the NPS server.


Here are the client group policy settings.


I should also mention that I saw there were options to specify authentication methods in the "Connection Request Policy" of the NPS server, but that is all disabled and all authentication happens in the "Network Policies".

As for the reversible encryption, it does not apply if you use MSCHAPv2, as you can see here. Also, when I was getting into this I was confused originally and thought that if we don't use a strongly encrypted authentication protocol your password will just be flying through the air in clear text. As it turns out, PEAP acts like HTTPS for wireless authentication, so everything dealing with authentication is encrypted in an SSL tunnel. This means you can pass your password through in clear text and the PEAP tunnel will protect it. After that happens, your WiFi encryption (WPA/WPA2) kicks in and protects everything else.
Bobby Wittenberg

Awesome, makes sense. Thanks for the input Miko, we will give that a try and see how it works out. I'll check back in with results.

thanks!
Bobby Wittenberg

I should also confirm, PEAP / MSCHAPv2 aren't actually configured anywhere on the ZD, right? We don't seem to have them available as a configurable option in our ZD interface.

Thanks!
Miko

That is correct. You only configure the RADIUS server; at that point the client talks directly to the RADIUS server. The ZoneDirector just acts as a relay.