ad-assurance - Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Jeff Whitworth <>
- To:
- Subject: Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords
- Date: Thu, 18 Apr 2013 11:25:51 -0400
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
Agreed. We've run into this issue with our eduRoam implementation as well. At some point we came across evidence explaining some secret sauce used if you are using Microsoft NPS for your radius server. We currently use an ipsec tunnel between freeRADIUS and two dedicated domain controllers instead. I'll be more than happy to dig up more info if needed.
Jeff
It strikes me that while not solely an AD issue, Radius/MS-CHAPv2 should go on the list for Dean to take to Microsoft as badly in need of attention.
From: [mailto:] On Behalf Of Coleman, Erik C
Sent: Thursday, April 18, 2013 7:09 AM
To:
Subject: [AD-Assurance] RE: Parking lot item: eduRoam passwords
For us this expands more-generally into “all things RADIUS-authenticated”, which besides our eduroam access, includes all of our 802.1X wireless and VPN services. It so happens they tie in to AD for authentication directly via RADIUS/MS-CHAPv2, and in fact are the only things holding us up from disabling NTLMv1 completely. Should this perhaps be generalized as an issue for any services that use AD via RADIUS/MS-CHAPv2?
--
Erik Coleman
University of Illinois at Urbana-Champaign
From: [] On Behalf Of Eric Goodman
Sent: Wednesday, April 17, 2013 8:05 PM
To:
Subject: [AD-Assurance] Parking lot item: eduRoam passwords
When this subgroup was initially being discussed, I asked a question about eduRoam services vis-à-vis Silver certified AD services.
It’s my understanding that the MS-CHAP password is one of the lower-strength password hashes (NTLMv1/Unsalted MD4 IIRC). If so, then any eduRoam-authenticated account would inherently be non-Silver certifiable.
This isn’t entirely an AD issue (hence “Parking Lot Item”), as it would hold true for any account whose password is hashed for use in eduRoam. But it’s another one of those examples of “things that you may break by configuring to meet Silver”. I guess if we (or the parent AD Cookbook project) make a recommendation that could break the eduRoam model, I think it would be nice to at least notify and perhaps meet with the eduRoam folks to discuss first.
And as usual, please feel free to correct me if my assumptions about the underlying encryption are incorrect.
--- Eric
- [AD-Assurance] Parking lot item: eduRoam passwords, Eric Goodman, 04/17/2013
- [AD-Assurance] RE: Parking lot item: eduRoam passwords, Coleman, Erik C, 04/18/2013
- [AD-Assurance] RE: Parking lot item: eduRoam passwords, Brian Arkills, 04/18/2013
- Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Jeff Whitworth, 04/18/2013
- RE: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Brian Arkills, 04/18/2013
- Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Jeff Whitworth, 04/18/2013
- RE: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Eric Goodman, 04/18/2013
- Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Jeff Whitworth, 04/18/2013
- RE: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Brian Arkills, 04/18/2013
- Re: [AD-Assurance] RE: Parking lot item: eduRoam passwords, Jeff Whitworth, 04/18/2013
- [AD-Assurance] RE: Parking lot item: eduRoam passwords, Brian Arkills, 04/18/2013
- [AD-Assurance] RE: Parking lot item: eduRoam passwords, Coleman, Erik C, 04/18/2013
Archive powered by MHonArc 2.6.16.