Thank you again, Herman, for that insightful response and for sharing your perspective!
Original Message:
Sent: Jul 09, 2024 04:24 AM
From: Herman Robers
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
MSCHAPv2 is broken, and should not be used for that reason. That's the short statement.
Longer consideration: when combined with PEAP/TEAP, it's used within a TLS tunnel, which, IF you configure it correctly, could have an acceptable level of security. The big problem here is to make sure that the server certificate is properly validated and that end-users can't configure this themselves (unticking/bypassing the certificate validation), which for PEAP is close to impossible: if you have a mobile device, you as end-user 'just connect', ignore the certificate, and share your Windows password (ok, the NT-Hash of it) with the world. Configuration of TEAP is not automatic, and if I'm correct the certificate validation cannot be disabled, in which case you may consider this an acceptable risk.
Then, in order to perform MSCHAPv2, both the client and the RADIUS server (which in the case of ClearPass is proxied to the AD/Kerberos server) need to have access to the user password in the form of an NT-Hash to do the NTLM authentication. Which in its turn means that this opens a hole to retrieve the NT-Hashes for a user (because they have to be stored in a way that the hash is accessible), and NT-Hashes use weak/broken encryption and are deprecated. This also is why Microsoft (and Google, and other large providers) are moving away from password authentication towards more modern and secure authentication methods, and as part of that journey locking down the usage of NTLM (server side) and introducing things like Credential Guard (client side) to make it d**n hard to deploy MSCHAPv2/NTLM.
Of course, there are a lot of theoretical scenarios in here, which may or may not be applicable in your specific situation; and in the end it's about understanding the risks (where I most likely missed many) and mitigating or accepting those. I personally would avoid MSCHAPv2/NTLM/NT-Hash/passwords for network authentication, but I get your practical limitation with the TPM and key slots as well, and there is no one-size-fits-all solution.
My crusade against MSCHAPv2/PEAP is for the 95+% of the cases where the risks are not evaluated and people just do things because they have seen it once and it works nice. If you can avoid the use of passwords and move to certificates or other modern/secure methods, it's unlikely to hurt you. But as in many cases, if you know what you are doing, it can be better to deviate from general rules than blindly following them.
Hope this provides some guidance and understanding. Please take into consideration that this is my personal view (in a professional context) based on a security background. Security may not be the most important factor in all possible situations.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
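The two risks Herman describes in the post above (MSCHAPv2 as the inner method, and a TLS tunnel whose server certificate the client does not actually validate) can be checked for mechanically in a supplicant configuration. The following is an added example, not code from the thread or from Aruba/ClearPass: a small linter for wpa_supplicant-style `network={...}` blocks that flags a tunnelled method without `ca_cert` and `domain_suffix_match`/`domain_match`, and reports MSCHAPv2 as high risk without server validation and as informational inside a validated tunnel. The sample configuration, file paths and the `radius.example.com` name are constructed placeholders.

```python
"""Added example: audit wpa_supplicant-style network blocks for the PEAP/TEAP
+ MSCHAPv2 risks discussed in the thread. Sample config is constructed."""
import re

# Constructed sample: a weak PEAP block (no server validation) followed by a
# TEAP block with machine certificate, pinned CA and expected server name.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TEAP
    identity="alice"
    client_cert="/etc/cert/machine.pem"
    private_key="/etc/cert/machine.key"
    ca_cert="/etc/cert/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

# Outer methods that carry an inner (phase 2) method inside a TLS tunnel.
TUNNELED = {"PEAP", "TTLS", "TEAP", "FAST"}


def parse_networks(text):
    """Return one dict per network={...} block (keys unquoted, values stripped of quotes)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, val = line.partition("=")
            entry[key.strip()] = val.strip().strip('"')
        blocks.append(entry)
    return blocks


def inner_method(entry):
    """Extract the phase-2 auth method name, e.g. 'MSCHAPV2', or None."""
    m = re.search(r"auth=([A-Za-z0-9-]+)", entry.get("phase2", ""))
    return m.group(1).upper() if m else None


def audit(entry):
    """Return a list of (severity, message) findings for one network block."""
    findings = []
    eap = entry.get("eap", "").upper()
    # Server validation needs both a trusted CA and an expected server name;
    # a CA alone still accepts any certificate that CA ever issued.
    validated = "ca_cert" in entry and (
        "domain_suffix_match" in entry or "domain_match" in entry)
    if eap in TUNNELED or eap == "TLS":
        if "ca_cert" not in entry:
            findings.append(("high", "no ca_cert: any RADIUS server certificate is accepted"))
        elif not validated:
            findings.append(("high", "no domain_suffix_match/domain_match: "
                                     "any certificate from the trusted CA is accepted"))
    if eap in TUNNELED and inner_method(entry) == "MSCHAPV2":
        if validated:
            findings.append(("info", "MSCHAPv2 inside a validated tunnel: "
                                     "NT-hash must still be reachable server-side; prefer certificates"))
        else:
            findings.append(("high", "MSCHAPv2 without server validation: "
                                     "the NT-hash response can be captured by any server the client accepts"))
    return findings


def audit_config(text):
    """Audit every block; returns [((ssid, eap), findings), ...] in file order."""
    return [((e.get("ssid"), e.get("eap", "").upper()), audit(e))
            for e in parse_networks(text)]


if __name__ == "__main__":
    for (ssid, eap), findings in audit_config(SAMPLE_CONF):
        print(f"{ssid} ({eap}):")
        for sev, msg in findings or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against the sample, the PEAP block gets two high findings and the TEAP block only the informational one, which matches the thread's conclusion: the inner password method is tolerable only when the outer tunnel's server certificate is pinned to a CA and an expected name that the user cannot bypass. The same check can be applied to exported profiles from an MDM before they are pushed to devices.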
Original Message:
Sent: Jul 08, 2024 11:55 AM
From: cochranes
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
Hello Herman,
As a follow-up to the above comment about MSCHAPv2 being insecure as a stand-alone auth method, is it not more secure implemented as part of the tunneled EAP process? I am planning on implementing EAP-TEAP using EAP-TLS for machine and MSCHAPv2 for user; is that considered unsecure still? Reason being, the only good place to store user certs is on the TPM, which has a limit of 10 cert slots depending on the particular device. After the device cert that limits to 9 user logins, which in some cases is acceptable, but not all.
Thanks in advance!
Original Message:
Sent: Jul 04, 2024 07:43 AM
From: Herman Robers
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
Please note that the use of PEAP (more specifically username/password via MSCHAPv2) is known to be insecure and should be avoided. Certificate authentication is the golden standard.
TEAP allows combining computer and user authentication, so it's the answer to your question as already mentioned.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 04, 2024 02:56 AM
From: nipunmeewella
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
Hi @jonas.hammarback,
Thank you for the reply.
Basically yes! The customer is asking for something like an MFA scenario: authenticating the user via U/N & password while authenticating the machine via the device certificate.
Can't we implement a solution like first authenticate via certificates then ask U/N & password ?
Original Message:
Sent: Jul 04, 2024 02:51 AM
From: jonas.hammarback
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
Hi
Short answer is no, if you are talking about performing both methods at the same time during 802.1X.
Can you describe more about the intention behind the request to do this and also what types of clients the users will utilize?
Is the intention to implement a type of multifactor authentication?
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 04, 2024 02:41 AM
From: nipunmeewella
Subject: Simultaneous use of EAP-PEAP and EAP-TLS
Hi All,
I need to know whether the same client can be authenticated by both methods, EAP-PEAP and EAP-TLS, simultaneously. In brief, users need to log in to the same SSID using username and password, and certificate authentication also needs to be done via EAP-TLS.
Thank you