MS-CHAP on Ubiquiti EdgeRouter
-
Asking this on behalf of someone, figured there would be more visibility and experience here. Especially if @JaredBusch is watching.
"Firmware is at 1.9.0.
I have set up this router as a RADIUS client and everything works great, it authenticates users through Windows AD. I want to also manage this router using my Active Directory credentials. I don't have a problem setting this up and I am able to do it; however, when using a network policy to allow only certain members access to the router management I have to set the authentication to PAP or it won't work! This seems like a security issue that I would like to avoid.
Has anyone dealt with this and come up with a way to enable chap, mschap, or mschap-v2?"
-
@scottalanmiller said in MS-CHAP on Ubiquiti EdgeRouter:
Asking this on behalf of someone, figured there would be more visibility and experience here. Especially if @JaredBusch is watching.
Sorry, can't help here. From what I understand, he's using Microsoft's RADIUS server, which is built into NPS. I had some issues lately and switched from NAP to FreeRADIUS, so my approach would be to let FreeRADIUS auth against AD and EdgeRouter against FreeRADIUS.
-
So he's created the RAP in IAS, added the AD user group, edited the profile to select MS-CHAP and the users fail to authenticate? Weird. I've never tried it on an EdgeRouter. Has he successfully authenticated users this way with other device types?
-
Sounds like an issue with the setup of the RADIUS - have a poke through the NPS and make sure the policies are all set up correctly.
Also check the error log to see if you can verify or refute my suspected issue.
-
I have not had anyone desire this level of connection in their ERL, so I have no direct experience.
-
@scottalanmiller is correct. I have Edgerouter 2.0.9 and it STILL requires PAP in the Windows policy. Under Config Tree, there is no way to make the router use MSCHAP or MSCHAPv2 instead of PAP (cleartext). I went to notify Ubiquiti hoping they can potentially have this included in another firmware release soon, but Ubiquiti Support was apprised of this 5 years ago! https://community.ui.com/questions/Encrypted-Radius-Supported/7857b119-91d8-4365-8c2a-8c21de0937a4
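Added example (Python, not from this thread or from Ubiquiti): a small parser that reports which authentication method a RADIUS Access-Request carries, so you can audit which NAS clients still send PAP's User-Password attribute instead of MS-CHAPv2. The two packets are constructed inline; attribute numbers are the standard RFC 2865 / RFC 2548 values.

```python
# Added example: classify the auth method in a RADIUS Access-Request so an admin
# can see which devices (e.g. an EdgeRouter limited to PAP) still send User-Password.
import struct

RADIUS_HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
MICROSOFT = 311                            # enterprise number carrying MS-CHAP attrs
MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = 1, 25


def parse_attributes(packet: bytes):
    """Yield (type, vendor_id, vendor_type) for each attribute in a RADIUS packet."""
    _code, _ident, length, _auth = RADIUS_HEADER.unpack_from(packet)
    if length != len(packet) or length < RADIUS_HEADER.size:
        raise ValueError("length field does not match packet size")
    pos = RADIUS_HEADER.size
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            yield atype, vendor_id, value[4]   # first vendor sub-attribute type
        else:
            yield atype, None, None
        pos += alen


def auth_method(packet: bytes) -> str:
    """Return PAP / CHAP / MS-CHAP / MS-CHAPv2 (joined if several) or 'unknown'."""
    methods = set()
    for atype, vendor, vtype in parse_attributes(packet):
        if atype == USER_PASSWORD:
            methods.add("PAP")
        elif atype == CHAP_PASSWORD:
            methods.add("CHAP")
        elif atype == VENDOR_SPECIFIC and vendor == MICROSOFT:
            methods.add("MS-CHAPv2" if vtype == MS_CHAP2_RESPONSE else
                        "MS-CHAP" if vtype == MS_CHAP_RESPONSE else "unknown")
    return "/".join(sorted(methods)) or "unknown"


def build_request(attrs) -> bytes:
    """Assemble a constructed Access-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    authenticator = b"\x00" * 16            # constructed placeholder, not random
    return RADIUS_HEADER.pack(ACCESS_REQUEST, 7, RADIUS_HEADER.size + len(body), authenticator) + body


# Constructed samples: a PAP request (User-Password carries the RFC 2865 hidden blob,
# here a 16-byte placeholder) and an MS-CHAPv2 request from a device that supports it.
PAP_REQUEST = build_request([(USER_NAME, b"admin"), (USER_PASSWORD, b"\x11" * 16)])
MSCHAP2_REQUEST = build_request([(USER_NAME, b"admin"), (VENDOR_SPECIFIC,
    struct.pack("!I", MICROSOFT) + bytes([MS_CHAP2_RESPONSE, 52]) + b"\x22" * 50)])
```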
-
@bransona said in MS-CHAP on Ubiquiti EdgeRouter:
@scottalanmiller is correct. I have Edgerouter 2.0.9 and it STILL requires PAP in the Windows policy. Under Config Tree, there is no way to make the router use MSCHAP or MSCHAPv2 instead of PAP (cleartext). I went to notify Ubiquiti hoping they can potentially have this included in another firmware release soon, but Ubiquiti Support was apprised of this 5 years ago! https://community.ui.com/questions/Encrypted-Radius-Supported/7857b119-91d8-4365-8c2a-8c21de0937a4
Yup, it has been a big issue for a while now on the EdgeSwitches too.