enable EAP-MD5 in Windows NPS

To enable wired MAC Authentication Bypass (MAB) on Cisco switches, two commands are available:

  • dot1x mac-auth-bypass — the switch sends the RADIUS Access-Request as a Password Authentication Protocol (PAP) authentication request
  • dot1x mac-auth-bypass eap — the switch performs MAB as an EAP-MD5 authentication

Although PAP had been configured on the switch and as the authentication method in the Microsoft NPS network policy, authentication did not work. The NPS log showed rejects because the requested protocol type, EAP with type MD5, was not configured in the policy. A capture with Network Monitor confirmed that the Cisco switch was requesting EAP communication instead of PAP.

Some research led me to the following statement in the Cisco Catalyst 2960-X security configuration guide:

In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

In the current NPS implementation, EAP-MD5 cannot be selected as an authentication method:

(screenshot: Microsoft NPS, authentication methods / EAP types list)

MD5-Challenge has been deprecated and is no longer supported since Windows Server 2008 and Windows Vista. It can be re-enabled by modifying the registry on the NPS server, but this configuration is unsupported by Microsoft. Keep in mind that EAP-MD5 authenticates only the client, not the server, and a captured challenge/response can be attacked offline; since the MAB credential is just the device's MAC address anyway, add the re-enabled method only to the MAB network policy (matched, for example, on the switches' RADIUS client entries and NAS-Port-Type Ethernet), not to policies that authenticate users.

(screenshot: NPS server registry, EAP-MD5 provider key)


(screenshot: registry import)

Once the values are set, restart the NPS service (service name IAS). After the restart, MD5-Challenge appears in the list of EAP types again:
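The same procedure as a script, added here as an example and not code from the original post: it registers the MD5-Challenge EAP provider (EAP type 4), restarts NPS and verifies the result. The registry values are the ones Microsoft documents in KB 922574 for re-enabling EAP-MD5; they are not visible on this page's screenshots, and the configuration remains unsupported by Microsoft. The function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Re-registers the MD5-Challenge
# EAP provider (EAP type 4) on a Windows Server NPS host and restarts NPS.
# Registry values follow Microsoft KB 922574; this configuration is unsupported.

$EapMd5Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4'

function Enable-EapMd5 {
    if (-not (Test-Path -Path $EapMd5Key)) {
        New-Item -Path $EapMd5Key -Force | Out-Null
    }

    # Values per KB 922574. Path is REG_EXPAND_SZ and points at the CHAP/MD5
    # provider DLL that still ships with Windows.
    $values = @(
        @{ Name = 'RolesSupported';       Type = 'DWord';        Value = 0x0000000A }
        @{ Name = 'FriendlyName';         Type = 'String';       Value = 'MD5-Challenge' }
        @{ Name = 'Path';                 Type = 'ExpandString'; Value = '%SystemRoot%\System32\Raschap.dll' }
        @{ Name = 'InvokeUsernameDialog'; Type = 'DWord';        Value = 1 }
        @{ Name = 'InvokePasswordDialog'; Type = 'DWord';        Value = 1 }
    )
    foreach ($v in $values) {
        New-ItemProperty -Path $EapMd5Key -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
    }

    # NPS reads the EAP provider list at start-up, so restart it (service name: IAS).
    Restart-Service -Name IAS -Force
}

function Test-EapMd5Enabled {
    # $true when the provider key is complete and its DLL is present on disk.
    if (-not (Test-Path -Path $EapMd5Key)) { return $false }
    $p   = Get-ItemProperty -Path $EapMd5Key
    $dll = [Environment]::ExpandEnvironmentVariables([string]$p.Path)
    return ($p.FriendlyName -eq 'MD5-Challenge') -and
           ($p.RolesSupported -eq 0x0A) -and
           (Test-Path -Path $dll)
}

Enable-EapMd5
if (Test-EapMd5Enabled) {
    Write-Output 'MD5-Challenge provider registered and NPS restarted; add it to the MAB network policy only.'
} else {
    throw 'EAP-MD5 provider registration is incomplete; check the registry key and Raschap.dll.'
}
```

After the restart, open the network policy used for MAB and add MD5-Challenge under Constraints / Authentication Methods / EAP Types; the script only makes the provider available, it does not touch any policy.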

(screenshot: Microsoft NPS, authentication methods / EAP types list now showing MD5-Challenge)

NPS log (Security event log on the NPS server after the change):

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      6278
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Network Policy Server granted full access to a user because the host met the defined health policy.

Authentication Details:
Authentication Type:     EAP
EAP Type:                MD5-Challenge
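To check afterwards which clients and accounts are actually authenticating with MD5-Challenge (now that it can be added to any network policy), here is an added PowerShell example, not part of the original post, that summarises the NPS audit events from the Security log. The event IDs (6272 access granted, 6273 access denied, 6278 access granted with health policy met, as in the event above) and the field labels it parses are the standard NPS audit format; the 24-hour window and the function names are assumptions.

```powershell
# Added example, not code from the original post. Summarises NPS audit events
# from the Security log so you can see which RADIUS clients and accounts are
# using MD5-Challenge. Run on the NPS server as an administrator (or a member
# of Event Log Readers).
# Event IDs: 6272 access granted, 6273 access denied, 6278 access granted with
# health policy met (the event shown above).

function Get-NpsAuthSummary {
    param(
        [int]$Hours = 24   # assumed window; adjust as needed
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull a labelled field out of the rendered message text; the labels are the
    # ones visible in the event above ("Authentication Type:", "EAP Type:").
    function Get-Field([string]$Message, [string]$Label) {
        $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
        if ($Message -match $pattern) { return $Matches[1] }
        return ''
    }

    $rows = foreach ($e in $events) {
        $result = if ($e.Id -eq 6273) { 'denied' } else { 'granted' }
        [pscustomobject]@{
            Result         = $result
            AuthType       = Get-Field $e.Message 'Authentication Type'
            EapType        = Get-Field $e.Message 'EAP Type'
            Account        = Get-Field $e.Message 'Account Name'
            CallingStation = Get-Field $e.Message 'Calling Station Identifier'
            Client         = Get-Field $e.Message 'Client Friendly Name'
        }
    }

    # One line per (result, auth type, EAP type, RADIUS client) with a count and
    # the accounts seen, so an MD5-Challenge logon from a non-MAB client stands out.
    $rows | Group-Object Result, AuthType, EapType, Client | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            Result   = $_.Group[0].Result
            AuthType = $_.Group[0].AuthType
            EapType  = $_.Group[0].EapType
            Client   = $_.Group[0].Client
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending
}

Get-NpsAuthSummary -Hours 24 | Format-Table -AutoSize
```

For MAB the Account Name and Calling Station Identifier are both the device's MAC address, so any MD5-Challenge row whose accounts do not look like MAC addresses, or whose client is not one of the switches, deserves a look at the network policy it matched.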


Windows Server 2012R2


Holger Wache