How to enable EAP-MD5 on Windows 7

Because MD5 challenge authentication has been disabled because of security problems by default (don’t use this on any untrusted network anyway - I’ve just written this note to show how to enable them in case one has crappy managed switches) the following changes are necessary to re-enable EAP-MD5:

• First create an entry in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4]

"RolesSupported"=dword:0000000a"FriendlyName"="MD5-Challenge""Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,\  61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00"InvokeUsernameDialog"=dword:00000001"InvokePasswordDialog"=dword:00000001

• Then enable the service automatic configuration (wired) to startup automatically
• Enable 802.1x for the ethernet connection and select MD5 challenge as method
• Put an cleartext password into your radius configuration. For FreeRADIUS this may look like the following:

testuser    NAS-Port-Type == Ethernet, Cleartext-Password := "u804u489"

• Now the device will authenticate against the switch using EAP-MD5

One should use other methods if they are available (EAP-TLS would be the best method available; else EAP-PEAP with MSCHAPv2 would be sufficient).

This article is tagged:

• MS Windows
• Administration