Stop Using PEAP/MS-CHAPv2
I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers. STOP! MS-CHAPv2 uses broken MD4 encryption and should no longer be used to pass sensitive credentials over any network. Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11. You can get around this with a registry hack but it's still a BAD idea. If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate based authentication methods instead such as EAP-TLS. Even better, use TEAP with user and machine authentication using certificates. Some use-cases (like BYOD or guest access) could also transition to SAML-based authentication to your IDP of choice. SAML Assertion sometimes can remove the need for a RADIUS server all together.
Having a secure, robust PKI is essential for certificate based network authentication. Probably a blog post for another day; offline root, three tier, non-exportable private keys, etc. Many organizations use Microsoft Active Directory Certificate Services built into Windows Server. PKI as a service (PKIaaS) offerings are also present in the market.
Comments
Post a Comment