Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Onboard with Windows: TLS or PEAP-MSCHAPv2?

  • 1.  Onboard with Windows: TLS or PEAP-MSCHAPv2?

    Posted May 01, 2017 11:52 AM

    Hi:
    I'm curious why the ClearPass user guide suggests using PEAP-MSCHAPv2 for Windows devices instead of TLS?

    I was under the impression that EAP-TLS was more secure (but I realize that's based more on "folklore" than fact).

    Also, if we provision the device with PEAP-MSCHAPv2, are we still using an Onboard certificate on the device?

    Thanks.



  • 2.  RE: Onboard with Windows: TLS or PEAP-MSCHAPv2?

    EMPLOYEE
    Posted May 01, 2017 12:12 PM
    Please provide a link.

    Onboard should be used with EAP-TLS.


  • 3.  RE: Onboard with Windows: TLS or PEAP-MSCHAPv2?

    Posted May 01, 2017 12:25 PM

    From this link, EAP-TLS is suggested for iOS, and PEAP-MSCHAPv2 for others.

    http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Default.htm#Onboard/Config802_1X_AuthNWSettings.htm%3FTocPath%3DOnboard%7COnboard%2520Configuration%7CNetwork%2520Settings%7C_____2

    The following best practices are recommended when choosing the 802.1X authentication methods to provision:

     * Configure PEAP with MS-CHAPv2 for Onboard devices – Android, Windows, and legacy OS X (10.5/10.6).
     * Configure EAP-TLS for iOS devices and OS X (10.7 or later).


  • 4.  RE: Onboard with Windows: TLS or PEAP-MSCHAPv2?
    Best Answer

    EMPLOYEE
    Posted May 01, 2017 12:37 PM
    I’ll get that updated, that’s not correct. Thanks for pointing that out.


  • 5.  RE: Onboard with Windows: TLS or PEAP-MSCHAPv2?

    Posted May 01, 2017 12:57 PM

    Great, glad I could help.

    You might want to edit that entire chapter as this message appears in a few other places. This link, for example, shows a workflow of switching to MSCHAP-v2:

    http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Default.htm#Onboard/TheClearPassOnboardProcess.htm%3FTocPath%3DOnboard%7CAbout%2520ClearPass%2520Onboard%7C_____8

    I would certainly prefer to use EAP-TLS, but now I'm curious: if you were to provision a device with PEAP-MSCHAPv2, would it still consume an Onboard license?