ad-assurance - RE: [AD-Assurance] RE: Parking lot item: eduRoam passwords
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Brian Arkills <>
- To: "" <>
- Subject: RE: [AD-Assurance] RE: Parking lot item: eduRoam passwords
- Date: Thu, 18 Apr 2013 15:37:53 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
By "secret sauce" do you mean that there might be a more secure option? If so, we'd definitely be interested in more details.

From: [mailto:] On Behalf Of Jeff Whitworth

Agreed. We've run into this issue with our eduRoam implementation as well. At some point we came across evidence explaining some secret sauce used if you are using Microsoft NPS for your radius server. We currently use an ipsec tunnel between freeRADIUS and two dedicated domain controllers instead. I'll be more than happy to dig up more info if needed.

Jeff

On Apr 18, 2013 11:05 AM, "Brian Arkills" <> wrote:

It strikes me that while not solely an AD issue, Radius/MS-CHAPv2 should go on the list for Dean to take to Microsoft as badly in need of attention.

From: [mailto:] On Behalf Of Coleman, Erik C

For us this expands more-generally into "all things RADIUS-authenticated", which besides our eduroam access, includes all of our 802.1X wireless and VPN services. It so happens they tie in to AD for authentication directly via RADIUS/MS-CHAPv2, and in fact are the only things holding us up from disabling NTLMv1 completely. Should this perhaps be generalized as an issue for any services that use AD via RADIUS/MS-CHAPv2?

--
Erik Coleman
University of Illinois at Urbana-Champaign

From: [] On Behalf Of Eric Goodman

When this subgroup was initially being discussed, I asked a question about eduRoam services vis-à-vis Silver certified AD services.

It's my understanding that the MS-CHAP password is one of the lower-strength password hashes (NTLMv1/Unsalted MD4 IIRC). If so, then any eduRoam-authenticated account would inherently be non-Silver certifiable. This isn't entirely an AD issue (hence "Parking Lot Item"), as it would hold true for any account whose password is hashed for use in eduRoam. But it's another one of those examples of "things that you may break by configuring to meet Silver". I guess if we (or the parent AD Cookbook project) make a recommendation that could break the eduRoam model, I think it would be nice to at least notify and perhaps meet with the eduRoam folks to discuss first.

And as usual, please feel free to correct me if my assumptions about the underlying encryption are incorrect.

---
Eric