EAP-MD5 was removed from Windows (from Windows Vista onward) because of its
inherent lack of security: it offers no mutual authentication, anyone who captures the
challenge/response pair can run an offline dictionary attack on the password, and it derives
no keying material, so it cannot be used for WPA/WPA2 wireless. However, the MD5 functionality still exists in
Raschap.dll, and you can turn it back on for lab testing with the following steps.
To re-enable EAP-MD5 support in these versions of Windows, add the following registry key and its values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4
Steps to Enable MD5-Challenge on WINDOWS
---------------------------------------------------------
- Go to Run, type regedit, and navigate to the location below.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP
- Create a new key named 4 (4 is the EAP method type number for MD5-Challenge).
- Inside it, create the 5 values listed below.
Value name: RolesSupported
Value type: REG_DWORD
Value data: 0000000a
Value name: FriendlyName
Value type: REG_SZ
Value data: MD5-Challenge
Value name: Path
Value type: REG_EXPAND_SZ
Value data: %SystemRoot%\System32\Raschap.dll
Value name: InvokeUsernameDialog
Value type: REG_DWORD
Value data: 00000001
Value name: InvokePasswordDialog
Value type: REG_DWORD
Value data: 00000001
- After creating the entries above, go to Run and type services.msc.
- In Services, look for Wired AutoConfig (dot3svc) and WLAN AutoConfig (WlanSvc).
- Start the service, or restart it if it is already running, so it picks up the new EAP method.
- Now open the properties of any LAN adapter; you will see an Authentication tab.
- Enable IEEE 802.1X authentication on that adapter and select MD5-Challenge as the network authentication method.
- Once 802.1X is enabled on the switch/router port, go back to Windows and check that a pop-up appears asking for a username/password; provide them to authenticate the port.
Note: If using a VM, open the VM with console access; methods such as RDP did not work for me.
I have verified this works with
Windows 7 and Windows Server 2008.
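The same procedure as a script, added here as an example and not part of the original post. It creates the EAP type 4 key and its five values exactly as listed above, reads them back unexpanded to confirm nothing was mistyped, checks that Raschap.dll is actually present, and restarts the two 802.1X services. The service names dot3svc (Wired AutoConfig) and WlanSvc (WLAN AutoConfig) are the real Windows service names; run it from an elevated PowerShell prompt.

```powershell
# Re-enable EAP-MD5 (EAP type 4) on Windows 7 / Server 2008 for lab testing.
# Added example, not from the original post. Requires an elevated prompt.
$eapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4'

# The five values from the post. 0xa = 10 for RolesSupported.
$expected = @{
    RolesSupported       = @{ Type = 'DWord';        Data = 0x0000000a }
    FriendlyName         = @{ Type = 'String';       Data = 'MD5-Challenge' }
    Path                 = @{ Type = 'ExpandString'; Data = '%SystemRoot%\System32\Raschap.dll' }
    InvokeUsernameDialog = @{ Type = 'DWord';        Data = 0x00000001 }
    InvokePasswordDialog = @{ Type = 'DWord';        Data = 0x00000001 }
}

# Sanity check first: the DLL that implements MD5-Challenge must still exist.
$dll = Join-Path $env:SystemRoot 'System32\Raschap.dll'
if (-not (Test-Path $dll)) {
    throw "Raschap.dll not found at $dll; EAP-MD5 cannot be enabled on this host."
}

# Create the key (idempotent) and write each value. -Force overwrites an existing value.
if (-not (Test-Path $eapKey)) {
    New-Item -Path $eapKey -Force | Out-Null
}
foreach ($name in $expected.Keys) {
    $v = $expected[$name]
    New-ItemProperty -Path $eapKey -Name $name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
}

# Verify by reading the raw values back. Get-ItemProperty would expand REG_EXPAND_SZ,
# so use the .NET RegistryKey API with DoNotExpandEnvironmentNames for a literal compare.
$regKey  = Get-Item -Path $eapKey
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$problems = @()
foreach ($name in $expected.Keys) {
    $actual = $regKey.GetValue($name, $null, $noExpand)
    if ($actual -ne $expected[$name].Data) {
        $problems += "$name is '$actual', expected '$($expected[$name].Data)'"
    }
}
if ($problems.Count -gt 0) {
    throw ("Registry verification failed:`n" + ($problems -join "`n"))
}
Write-Host "EAP type 4 (MD5-Challenge) registered under $eapKey"

# Restart the 802.1X supplicant services so they re-read the EAP method list.
# WlanSvc is absent on Server 2008 unless the Wireless LAN Service feature is installed.
foreach ($svcName in 'dot3svc', 'WlanSvc') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "$svcName not installed, skipping"
        continue
    }
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name $svcName -Force
    } else {
        Start-Service -Name $svcName
    }
    Write-Host "$svcName is $((Get-Service -Name $svcName).Status)"
}
```

After the script finishes, MD5-Challenge should appear in the Authentication tab of the wired adapter. To back the change out, delete the whole key with `Remove-Item -Path $eapKey -Recurse`; leaving it in place on anything other than a test box keeps an offline-crackable authentication method available to every 802.1X network the machine joins.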
Typical use case: if we want to test WebAuth combined with
802.1X and MAC-Auth, then 802.1X
has to be performed from Windows so that, after
successful authentication or
no authentication,
WebAuth can be performed by opening a web
browser.
Note: This is pretty handy if your RADIUS server does not support PEAP
and EAP-MD5-Challenge
has to be used. Simple 802.1X/MAC-Auth
can be performed via Spirent,
but for combining WebAuth with
MAC-Auth and 802.1X this proves very useful.
Thanks a lot Manish. It helped me a lot.
It shows MD5-Challenge, however it does not prompt for a username and password.