Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows Hello authentication on Windows NPS server

  • 1.  Windows Hello authentication on Windows NPS server

    Posted 3 hours ago

    Hello,

    I currently have a 2530 switch configured to have port-based authentication. The switch is successfully connected to a Windows NPS server that can handle the authentication request. We want to introduce Windows Hello to authenticate on laptops. I read an article online that when using Windows Hello, it is no longer possible to authenticate using PEAP-MSCHAPv2. We currently use username/password to authenticate and login on the laptop/network.

    Is it required to have personal certificates installed on the machines in order to implement Windows Hello and use it to authenticate on the machine and network? Or can username/password (PEAP-MSCHAPv2) still be used for network authentication while Windows Hello is used to login on the machine?

    Kind regards,

    Jeffrey



  • 2.  RE: Windows Hello authentication on Windows NPS server

    EMPLOYEE
    Posted 3 hours ago

    You probably found articles referring to 'credential guard' in Windows. Windows is making it harder to use insecure authentication like PEAP-MSCHAPv2. And as far as I see, the whole idea around Hello is to get rid of passwords wherever possible.

    I would recommend moving to certificate-based authentication, where EAP-TLS is a good candidate with computer-only authentication, or TEAP with both computer and user authentication. A benefit of TEAP is that you can have a successful computer authentication but a failing user authentication in case a user signs in for the first time and doesn't have a valid certificate yet on that computer; and it ties the computer and user authentication into the same authentication transaction.

    In theory, you could use TEAP with computer certificate and MSCHAPv2 for the user authentication, but common guidance is to move away from MSCHAPv2 as it's known insecure and cryptographically broken.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
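A client-side readiness check for the migration described in the reply above, added here as an example and not taken from the thread or from HPE Aruba. It assumes Windows PowerShell 5.1 on a domain-joined laptop, run elevated, with the Wired AutoConfig (dot3svc) service running so that `netsh lan` can list the 802.1X profiles.

```powershell
# Added example: verify the preconditions behind moving from PEAP-MSCHAPv2 to EAP-TLS / TEAP.
# Assumes Windows PowerShell 5.1, elevated, on a domain-joined client (not code from the thread).

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active,
    # which is what prevents reuse of the interactive logon password for PEAP-MSCHAPv2 SSO.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Get-ClientAuthCertificate {
    param([Parameter(Mandatory)][string]$StorePath)   # e.g. Cert:\LocalMachine\My
    # EAP-TLS / TEAP need an unexpired certificate with a usable private key and the
    # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). EnhancedKeyUsageList is the
    # property the Cert: provider adds to each X509Certificate2 in Windows PowerShell.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
}

function Get-WiredEapType {
    # Reads the "EAP type" line of each wired 802.1X profile. Needs dot3svc running;
    # otherwise netsh prints an error (discarded here) and no types are returned.
    netsh lan show profiles 2>$null | ForEach-Object {
        if ($_ -match '^\s*EAP type\s*:\s*(.+)$') { $Matches[1].Trim() }
    } | Sort-Object -Unique
}

$report = [pscustomobject]@{
    CredentialGuardRunning = Test-CredentialGuardRunning
    ComputerCertificate    = (Get-ClientAuthCertificate 'Cert:\LocalMachine\My' | Select-Object -First 1).Subject
    UserCertificate        = (Get-ClientAuthCertificate 'Cert:\CurrentUser\My'  | Select-Object -First 1).Subject
    WiredEapTypes          = (Get-WiredEapType) -join ', '
}
$report | Format-List

# Flag the two situations the reply above warns about.
if ($report.CredentialGuardRunning -and $report.WiredEapTypes -match 'PEAP') {
    Write-Warning 'Credential Guard is on and a wired profile still uses PEAP; if its inner method is MSCHAPv2, password SSO to the network will be blocked.'
}
if (-not $report.ComputerCertificate) {
    Write-Warning 'No computer certificate with the Client Authentication EKU was found: EAP-TLS / TEAP machine authentication will fail.'
}
if ($report.ComputerCertificate -and -not $report.UserCertificate) {
    Write-Warning 'Computer certificate present but no user certificate: with TEAP this is the expected first-logon state until the user is enrolled.'
}
```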