Showing posts from September, 2024

Stop Using PEAP/MS-CHAPv2

I see a lot of customers continue to use PEAP/MS-CHAPv2 for 802.1X network authentication to Cisco ISE and other network access control platforms and RADIUS servers. STOP! MS-CHAPv2 uses broken MD5 encryption and should no longer be used to pass sensitive credentials over any network. Microsoft has taken steps to disable PEAP/MS-CHAPv2 for Active Directory credentials in updated versions of Windows 10 and Windows 11. You can get around this with a registry hack, but it's still a BAD idea. If you are still using MS-CHAPv2 for 802.1X authentication, it's time to migrate to certificate-based authentication methods such as EAP-TLS. Even better, use TEAP with both user and machine authentication using certificates. Some use cases (like BYOD or guest access) could also transition to SAML-based authentication to your IdP of choice; a SAML assertion can sometimes remove the need for a RADIUS server altogether. Having a secure, robust PKI is essential for certificate-based
