When deploying an IMC UAM RADIUS server, the installation will usually be integrated with the customer's Active Directory through the LDAP protocol.
IMC UAM will use LDAP to synchronize user objects, so the IMC UAM Administrator can apply specific network access services to these user objects.
When using 802.1X with PEAP-MSCHAPv2 authentication, an additional service on the IMC server handles the authentication. That service ‘joins’ the domain, but that is something for a different post.
Once the users have been synchronized with UAM, they can log in on the SelfService Portal (http://imc:8080/selfservice), where they can perform actions like guest management or BYOD device registration.
The problem : Passwords in clear text on the wire …
The user password cannot be synchronized by UAM, since AD does not allow reading user passwords (not even the hashes) over LDAP. So when an LDAP user logs in on the SelfService portal, UAM checks the username and password on the fly against AD.
This password check is done by an LDAP simple bind to AD with the credentials the user typed. A simple bind carries the password as a plain octet string inside the BindRequest; there is no hashing or challenge involved, so on an unencrypted tcp/389 connection anyone who can capture the traffic between the IMC server and the domain controller can read it.
This is a trace of a login by user “m1” with password “password1”.
The solution : Secure LDAP
UAM supports the configuration of secure LDAP (LDAPS, tcp port 636). Support for LDAPS must first be available on the AD server.
This is actually very easy: as soon as a domain controller has a valid certificate for server authentication in its local computer store (Server Authentication EKU, subject or SAN matching the DC's FQDN), it starts listening for LDAPS on port 636 automatically, using that certificate. So after installing an Enterprise CA, domain controllers will normally receive such a certificate through autoenrollment (the Domain Controller or Kerberos Authentication template), or the admin can request a domain controller certificate manually. A reboot of the DC may be needed before a newly installed certificate is picked up. A quick check from any client is to open a TLS connection to port 636 of the DC and confirm that a certificate for the DC's FQDN, issued by your CA, is presented.
On the UAM side, the AD certificate must be verified, so the root certificate (the CA that signed the certificate the domain controller uses for secure LDAP) must be linked to the LDAP Server object. This requires the root certificate to be exported as a .der file. Use the domain controller's FQDN (the name in its certificate) rather than an IP address when configuring the LDAP server, so that the certificate can be matched against the name you connect to.
Once the root certificate has been linked to the LDAP server, the SSL option can be enabled and tested.
With this new configuration, the user's credentials travel between UAM and the domain controller inside an SSL/TLS session instead of in clear text.
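The following is an added example, not part of the original post and not code from IMC UAM. It shows both halves of the story above: what the simple bind from the trace looks like on the wire (a sniffer only has to decode a few BER fields to get the password back), and how the same bind is sent over LDAPS with the exported .der root certificate as the only trust anchor and the DC's hostname checked. The captured bytes are constructed from the post's example login ("m1" / "password1"); the host dc1.corp.example.com and the file root.der are hypothetical, and the bind name form (plain login, UPN or DN) depends on how the LDAP server is configured in UAM.

```python
"""Added example (not part of the original post or of IMC UAM): what a simple
LDAP bind looks like on the wire, and the same bind over LDAPS with the exported
root certificate pinned. Names, hosts and file paths are hypothetical."""
import socket
import ssl
from pathlib import Path

# --- minimal BER helpers; LDAP (RFC 4511) uses definite-length BER ---

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    Over plain tcp/389 this is exactly what a sniffer sees: the password is a literal
    OCTET STRING, no hashing or challenge involved."""
    bind = (_tlv(0x02, bytes([3]))                       # version INTEGER 3
            + _tlv(0x04, name.encode())                  # name LDAPDN
            + _tlv(0x80, password.encode()))             # AuthenticationChoice simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def sniff_simple_bind(packet: bytes):
    """Recover name and password from a captured BindRequest, as a network tap would.
    Returns None for anything that is not a simple bind (e.g. a SASL/GSSAPI bind)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, mid, pos = _read_tlv(msg, 0)                       # messageID
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                                       # not a BindRequest
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    if auth_tag != 0x80:                                  # SASL [3] carries no clear-text password
        return None
    return {"message_id": int.from_bytes(mid, "big"), "version": version[0],
            "name": name.decode(), "password": cred.decode()}


def parse_bind_result(packet: bytes) -> int:
    """resultCode of a BindResponse [APPLICATION 1]: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    code_tag, code, _ = _read_tlv(resp, 0)
    if code_tag != 0x0A:                                  # resultCode is ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def ldaps_bind(host: str, name: str, password: str, root_der: Path, port: int = 636) -> int:
    """The same simple bind over LDAPS. Only the exported root CA is trusted, and the DC's
    certificate must carry `host` in its subject/SAN, so pass the DC FQDN, not an IP."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)            # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cadata=root_der.read_bytes())  # cadata accepts the .der bytes as-is
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_simple_bind(1, name, password))
            return parse_bind_result(tls.recv(4096))


if __name__ == "__main__":
    # Constructed capture of the post's example login (user "m1", password "password1").
    wire = build_simple_bind(1, "m1", "password1")
    print(wire.hex())
    print(sniff_simple_bind(wire))   # the password comes straight back out of the bytes
    # Live check against a DC once LDAPS is enabled (hypothetical host and file):
    # print(ldaps_bind("dc1.corp.example.com", "m1", "password1", Path("root.der")))
```

Running `ldaps_bind` from the IMC server is a useful independent test of the UAM "SSL" setting: a handshake failure points at a certificate or name problem on the DC side (wrong root, FQDN not in the certificate, LDAPS not yet listening), while a resultCode of 49 means the TLS part is fine and only the credentials were wrong.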
So while this is not a default option, I would strongly recommend activating it, for obvious reasons.