Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Simultaneous use of EAP-PEAP and EAP-TLS

This thread has been viewed 41 times
  • 1.  Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 04, 2024 02:41 AM

    Hi All,

    I need to know whether the same client can be authenticated from both the methods EAP-PEAP and EAP-TLS simultaneously. As a brief, user need to log in to the same SSID using Username and Password as well as certificate authentication also need to be done via EAP-TLS.

    Thank you



  • 2.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 04, 2024 02:51 AM

    Hi

    Short answer is No. If you are talking about performing both methods at the same time during 802.1x.

    Can you describe more about the intention behind the request to do this and also what types of clients the users will utilize?

    Is the intention to implement a type of multifactor authentication?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 04, 2024 02:56 AM

    Hi @jonas.hammarback,

    Thank you for the reply. 

    Basically yes!, customer is asking something like MFA scenario authenticating the user via U/N & password meanwhile authenticate the machine via the device certificate.

    Can't we implement a solution like first authenticate via certificates then ask U/N & password ?




  • 4.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 04, 2024 03:02 AM

    If you have Windows clients you can implement EAP-TEAP. This will authenticate both the computer and the user at the same time and you can select EAP-TLS for the computer and EAP-PEAP for the user account.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 04, 2024 07:43 AM

    Please note that the use of PEAP (more specific username/password via MSCHAPv2) is known insecure and should be avoided. Certificate authentication is the golden standard.

    TEAP allows combining computer and user authentication, so it's the answer to your question as already mentioned. 



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 08, 2024 11:56 AM

    Hello Herman,

    As a follow up to the above comment about MSCHAPv2 being insecure as a stand alone auth method, is it not more secure implemented as part of the tunneled EAP process? I am planning on implementing EAP-TEAP using ETP-TLS for machine and MSCHAPv2 for user; is that considered unsecure still? Reason being, the only good place to store user certs is on the TPM, which has a limit of 10 cert slots depending on the particular device. After the device cert that limits to 9 user logins, which in some cases that is acceptable, but not all.

    Thanks in advance!




  • 7.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 09, 2024 04:24 AM

    MSCHAPv2 is broken, and should not be used for that reason. That's the short statement.

    Longer consideration: when, combined with PEAP/TEAP, it's used within a TLS tunnel, which IF you configure it correctly could have an acceptable level of security. The big problem here is to make sure that the server certificate is properly validated, that end-users can't configure this theirselves (unticking/bypassing the certificate validation), which for PEAP is close to impossible as if you have a mobile device, you as end-user 'just connect', ignore the certificate, and share your windows password (ok, the NT-Hash of it) with the world. Configuration of TEAP is not automatic, and if I'm correct the certificate validation cannot be disabled, in which case, you may consider this an acceptable risk.

    Then, in order to perform MSCHAPv2, both the client and the RADIUS server (which in the case of ClearPass is proxied to the AD/Kerberos server) needs to have access to the user password in the form of an NT-Hash to do the NTLM authentication. Which in it's turn means that this opens a hole to retrieve the NT-Hashes for a user (because they have to be stored in a way that the hash is accessible), and NT-Hashes use weak/broken encryption and are deprecated. This also is why Microsoft (and Google, and other large providers) is moving away from password authentication towards more modern and secure authentication methods, and as part of that journey locking down the usage of NTLM (server side) and introducing things like Credential Guard (client side) to make it d**n hard to deploy MSCHAPv2/NTLM.

    Of course, there is a lot of theoretical scenarios in here, which may or may not be applicable in your specific situation; and in the end it's about understanding the risks (where I most likely missed many) and mitigating or accepting those. I personally would avoid MSCHAPv2/NTLM/NT-Hash/passwords for network authentication, but get your practical limitation with the TPM and key-slots as well, and there is no one-size-fits-all solution.

    My crusade against MSCHAPv2/PEAP is for the 95+% of the cases where the risks are not evaluated and people just do things because they have seen it once and it works nice. If you can avoid the use of passwords and move to certificates or other modern/secure methods, it's unlikely to hurt you. But as in many cases, if you know what you are doing, it can be better to deviate from general rules than blindly following them.

    Hope this provides some guidance and understanding. Please take into consideration this is my personal view (in a professional context) based a security background. Security may not be the most important factor in all possible situations.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Simultaneous use of EAP-PEAP and EAP-TLS

    Posted Jul 09, 2024 11:54 AM

    Thank you again, Herman, for that insightful response and for sharing your perspective!


    We are certainly pursuing alternatives to MSCHAPv2/NTLM/NT-Hash/passwords where feasible/sensible.