Saturday 25 June 2016

Enabling MD5-Challenge in WINDOWS


EAP-MD5 was removed from Windows because of its inherent lack of security. However, the MD5 functionality still exists in Raschap.dll, and you can turn it back on with the following steps.

To re-enable EAP-MD5 support in Windows, add the following registry entries under this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4


Steps to Enable MD5-Challenge on WINDOWS
---------------------------------------------------------
  •   Go to Run, type regedit, and navigate to the location below:
  •   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP
  •   Create a new key named 4.
  •   Under it, create the 5 values listed below.
       Value name: RolesSupported
       Value type: REG_DWORD
       Value data: 0000000a

       Value name: FriendlyName
       Value type: REG_SZ
       Value data: MD5-Challenge

       Value name: Path
       Value type: REG_EXPAND_SZ
       Value data: %SystemRoot%\System32\Raschap.dll

       Value name: InvokeUsernameDialog
       Value type: REG_DWORD
       Value data: 00000001

       Value name: InvokePasswordDialog
       Value type: REG_DWORD
       Value data: 00000001
  •   After creating the above entries, go to Run and type services.
  •   In Services, look for Wired AutoConfig and Wireless AutoConfig.
  •   Start the service, or restart it if it is already running.
  •   Now go to any LAN adapter, select Properties, and you will see an Authentication tab.
  •   Enable dot1x on that port and select MD5-Challenge.
  •   Once you enable dot1x on the switch/router port, go back to Windows: a pop-up will appear asking for a user/password. Provide the user/password to authenticate the port.
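The same registry entries and service restart, scripted, as an added example that is not part of the original post. It assumes an elevated PowerShell session; dot3svc and WlanSvc are the short service names of Wired AutoConfig and Wireless AutoConfig. The audit function at the end is the piece a defender wants: it reports whether the weak MD5-Challenge method has been re-registered on a host where it should stay removed.

```powershell
# Added example, not the blog author's code. Run in an elevated PowerShell session.
$EapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'
$Md5Key = Join-Path $EapKey '4'   # EAP type 4 is MD5-Challenge

function Enable-EapMd5Challenge {
    if (-not (Test-Path $Md5Key)) { New-Item -Path $Md5Key -Force | Out-Null }

    # The five values from the post, with their registry value types.
    $values = @(
        @{ Name = 'RolesSupported';       Type = 'DWord';        Value = 0x0000000a },
        @{ Name = 'FriendlyName';         Type = 'String';       Value = 'MD5-Challenge' },
        @{ Name = 'Path';                 Type = 'ExpandString'; Value = '%SystemRoot%\System32\Raschap.dll' },
        @{ Name = 'InvokeUsernameDialog'; Type = 'DWord';        Value = 1 },
        @{ Name = 'InvokePasswordDialog'; Type = 'DWord';        Value = 1 }
    )
    foreach ($v in $values) {
        # -Force overwrites an existing value, so the script is safe to re-run.
        New-ItemProperty -Path $Md5Key -Name $v.Name -PropertyType $v.Type `
                         -Value $v.Value -Force | Out-Null
    }

    # Wired AutoConfig (dot3svc) and Wireless AutoConfig (WlanSvc) read the EAP
    # method list when they start, so restart them as the post describes.
    # Restart-Service also starts a service that is currently stopped.
    foreach ($svc in 'dot3svc', 'WlanSvc') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Restart-Service -Name $svc -Force
        }
    }
}

function Test-EapMd5Challenge {
    # Audit helper: returns $true when MD5-Challenge is registered on this host.
    # Get-ItemProperty expands REG_EXPAND_SZ values, so Path is already resolved.
    if (-not (Test-Path $Md5Key)) { return $false }
    $p = Get-ItemProperty -Path $Md5Key
    return ($p.FriendlyName -eq 'MD5-Challenge') -and
           ([string]$p.Path -like '*\Raschap.dll')
}

# Usage: Enable-EapMd5Challenge on the lab machine, then Test-EapMd5Challenge
# in an inventory or compliance script to flag hosts where it is present.
```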


Note: If using a VM, open the VM with console access; methods such as RDP did not work for me.
           I have verified that this works with Windows 7 and Windows Server 2008.



Typical use case: If we want to test WebAuth combined with dot1x and MAC-Auth, then dot1x has to be performed from Windows so that, after successful authentication or no authentication, WebAuth can be performed by opening a web browser.

Note: This is pretty handy if your RADIUS server does not support PEAP and EAP-MD5-Challenge has to be used. Simple dot1x/MAC-Auth can be performed via Spirent, but for combining WebAuth with MAC-Auth and dot1x this proves very useful.


2 comments:

  1. Thanks a lot Manish. It helped me a lot.

  2. It shows MD5-Challenge; however, it does not prompt for a username and password.
