Stop Using PEAP/MS-CHAPv2
I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers. STOP! MS-CHAPv2 uses broken MD5 encryption and should no longer be used to pass sensitive credentials over any network. Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11. You can get around this with a registry hack, but it's still a BAD idea. If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate-based authentication methods such as EAP-TLS instead. Even better, use TEAP with user and machine authentication using certificates. Some use cases (like BYOD or guest access) could also transition to SAML-based authentication to your IdP of choice. A SAML assertion can sometimes remove the need for a RADIUS server altogether. Having a secure, robust PKI is essential for certificate-based