Comware

I configured the switch port to do MAC Authentication. The RADIUS request packet contains a CHAP-Password.
1) What is the value stored this attribute?
2) Is it a digest and/or encrypted?

Looking at RFC 2865 for RADIUS, the RADIUS server is expected to do MD5 digest of the CHAP ID + [clear text] password + Request Authenticator and compare that digest to the CHAP-Password.

So, is the above what is in the contents of the CHAP-Password sent by the switch?

Is the encryption key that is configured as part of RADIUS configuration on the switch used anywhere?

For MAC Authentication is the password the MAC address of the client?

Hi

In RADIUS-CHAP user names and one-way hashes of random challenges and passwords are passed as authentication credentials.

With MAC Authentication, each RADIUS server will be different for configuration, however, you are required to create a user in the RADIUS server using the format of the MAC address (aa-bb-cc-dd-ee-ff) (six hexadecimal pairs with dashes) as the username and the user must have a password that is the same MAC address (use lowercase characters).

The encryption key is used between the Switch and the RADIUS, and it could be global for all the RADIUS servers you have and it can be unique for a dedicated server.

So encryption is not related to the MAC-Authentication, its a part of your RADIUS configuration to communicate with the Switch.

Good Luck !!!

Hi,

We are setting up MAC Authentication with an AD IAS radius server using a HP 2650 switch.

Is it possible to tell the switch what password to use?
So that the username is the MAC address and the password is something we have configured.

The reason for this is to get around the AD password complexity issue.

Yes, we have the same issue - need to have a secure password - where the mac address doesnt meet the password complexity.

Windows 2003 R2 out of the box now includes this, and our security policy requires it.

Any ideas around this - while still using IAS with AD?

Cheers
David