Stop Using PEAP/MS-CHAPv2

I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers. STOP! MS-CHAPv2 relies on the broken MD4 hash algorithm and should no longer be used to pass sensitive credentials over any network. Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11. You can get around this with a registry hack, but it's still a BAD idea. If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate-based authentication methods such as EAP-TLS. Even better, use TEAP with both user and machine authentication using certificates. Some use cases (like BYOD or guest access) could also transition to SAML-based authentication to your IdP of choice. A SAML assertion can sometimes remove the need for a RADIUS server altogether.
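Before migrating, you need an inventory of who is still authenticating with MS-CHAPv2. The script below is an added example (not code from this post or from Cisco ISE) that scans RADIUS authentication log lines for MS-CHAPv2 inner methods and counts sessions per identity; the key=value log format and the sample lines are constructed for illustration, not any product's exact syslog layout.

```python
import re
from collections import Counter

# Constructed sample log lines (assumption: simplified key=value format,
# not the exact syslog layout of Cisco ISE or any other RADIUS server).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z AUTH_PASSED User=alice Calling-Station-ID=AA-BB-CC-00-00-01 EapTunnel=PEAP EapAuthentication=EAP-MSCHAPv2 NAS=sw-floor1
2024-05-01T08:00:05Z AUTH_PASSED User=host/laptop42 Calling-Station-ID=AA-BB-CC-00-00-02 EapTunnel=TEAP EapAuthentication=EAP-TLS NAS=sw-floor1
2024-05-01T08:00:09Z AUTH_PASSED User=bob Calling-Station-ID=AA-BB-CC-00-00-03 EapAuthentication=EAP-TLS NAS=ap-lobby
2024-05-01T08:00:12Z AUTH_FAILED User=carol Calling-Station-ID=AA-BB-CC-00-00-04 EapTunnel=PEAP EapAuthentication=EAP-MSCHAPv2 NAS=ap-lobby
2024-05-01T08:00:20Z AUTH_PASSED User=alice Calling-Station-ID=AA-BB-CC-00-00-01 EapTunnel=PEAP EapAuthentication=EAP-MSCHAPv2 NAS=ap-lobby
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")
# Inner-method names treated as the weak password-based method.
WEAK_INNER = {"EAP-MSCHAPV2", "MSCHAPV2"}


def parse_line(line):
    """Split one log line into (timestamp, status, attribute dict)."""
    ts, status, rest = line.split(" ", 2)
    return ts, status, dict(KV_RE.findall(rest))


def find_mschapv2_sessions(log_text):
    """Return one record per session whose inner method is MS-CHAPv2.

    Failed attempts are included on purpose: a failed MS-CHAPv2 exchange
    still exposes a challenge/response pair on the wire."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, status, attrs = parse_line(line)
        if attrs.get("EapAuthentication", "").upper() in WEAK_INNER:
            hits.append({"time": ts, "status": status,
                         "user": attrs.get("User", "?"),
                         "mac": attrs.get("Calling-Station-ID", "?"),
                         "tunnel": attrs.get("EapTunnel", "none"),
                         "nas": attrs.get("NAS", "?")})
    return hits


def sessions_per_user(hits):
    """Count MS-CHAPv2 sessions per identity to prioritize migration work."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = find_mschapv2_sessions(SAMPLE_LOGS)
    for user, n in sessions_per_user(found).most_common():
        print(f"{user}: {n} MS-CHAPv2 session(s) still observed")
```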

Having a secure, robust PKI is essential for certificate-based network authentication. That is probably a blog post for another day: offline root CA, three-tier hierarchy, non-exportable private keys, and so on. Many organizations use Microsoft Active Directory Certificate Services built into Windows Server. PKI as a service (PKIaaS) offerings are also present in the market.
