{"id":2171,"date":"2015-11-10T23:19:31","date_gmt":"2015-11-10T21:19:31","guid":{"rendered":"http:\/\/www.windows-infrastructure.de\/?p=2171"},"modified":"2021-03-06T18:08:59","modified_gmt":"2021-03-06T16:08:59","slug":"enable-eap-md5-in-windows-nps","status":"publish","type":"post","link":"http:\/\/www.windows-infrastructure.de\/enable-eap-md5-in-windows-nps\/","title":{"rendered":"enable EAP-MD5 in Windows NPS"},"content":{"rendered":"
To enable wired MAC bypass on Cisco switches, two commands are\u00a0available.<\/p>\n
Although PAP authentication has been configured on the switch as well as the authentication method in the Microsoft NPS server, authentication does not work.\u00a0The NPS logs show\u00a0rejects because of a protocol type that is not configured: EAP with type MD5. Sniffing with\u00a0Network Monitor confirmed\u00a0that Cisco\u00a0requests EAP communication.<\/p>\n<\/span>\n Some research brought me to the following statement:<\/p>\n In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.<\/em> http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst2960x\/software\/15-0_2_EX\/security\/configuration_guide\/b_sec_152ex_2960-x_cg\/b_sec_152ex_2960-x_cg_chapter_010000.html<\/a><\/span><\/p>\n <\/span><\/span><\/p>\n In the current NPS implementation, EAP-MD5 cannot be chosen for authentication.<\/p>\n <\/p>\n <\/span><\/span><\/p>\n MD5 Challenge is deprecated and has no\u00a0longer been supported\u00a0since Windows Server\u00a02008\/Vista. It can be re-enabled by modifying the registry on the NPS server, but without any support!<\/p>\n <\/p>\n <\/p>\n Registry import<\/p>\n When the values are set, restart the NPS service.<\/p>\n <\/p>\n<\/span>\n NPS log<\/p>\n Log Name:\u00a0\u00a0\u00a0\u00a0\u00a0 Security<\/span> Authentication Details:<\/span> \u00a0<\/span><\/p>\n <\/span><\/span><\/p>\n Windows Server 2012R2<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" To enable wired MAC bypass on Cisco switches, two commands are\u00a0available. dot1x mac-auth-bypass\u00a0— the Access-Request message is a Password Authentication Protocol (PAP) authentication request dot1x mac-auth-bypass eap — the Cisco switch performs MAB as EAP-MD5 authentication Although PAP authentication… Read more
\n<\/span><\/p>\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RasMan\\PPP\\EAP\\4]\r\n\"RolesSupported\"=dword:0000000a\r\n\"FriendlyName\"=\"MD5-Challenge\"\r\n\"Path\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\\\r\n 00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\\\r\n 61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00\r\n\"InvokeUsernameDialog\"=dword:00000001\r\n\"InvokePasswordDialog\"=dword:00000001\r\n\r\n<\/pre>\n<\/span>\n
\nSource:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Microsoft-Windows-Security-Auditing<\/span>
\nEvent ID:\u00a0\u00a0\u00a0\u00a0\u00a0 6278<\/span>
\nTask Category: Network Policy Server<\/span>
\nLevel:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information<\/span>
\nKeywords:\u00a0\u00a0\u00a0\u00a0\u00a0 Audit Success<\/span>
\nUser:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 N\/A<\/span>
\nNetwork Policy Server granted full access to a user because the host met the defined health policy.<\/span><\/p>\n
\nAuthentication Type:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EAP<\/span>
\nEAP Type:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MD5-Challenge\u00a0\u00a0\u00a0 <\/span><\/p>\n