eap and peap

Can I Use PEAP-MSCHAPv2 and EAP-TLS Authentication on My Network?

Patrick Grubbs Education

Can I Use PEAP-MSCHAPv2 and EAP-TLS Authentication on My Network?

The short answer is: Yes.

Organizations that are interested in moving from the unsecure PEAP-MSCHAPv2 protocol to the superior EAP-TLS protocol might be worried about huge infrastructure overhaul or the network downtime it might entail. We’ve helped many organizations over the past decade to support both protocols on their network, as they gradually transition from PEAP-MSCHAPv2 to EAP-TLS.

But first – what are the reasons an organization might want to transition from PEAP to EAP-TLS?

Why move from PEAP-MSCHAPv2 to EAP-TLS?

There’s one big, glaring problem with PEAP-MSCHAPv2 – it’s been cracked.

The primary obstacle in switching to EAP-TLS is the misconception that it’s too difficult to implement… even though everyone agrees that digital certificates are much more secure. While it may have been true that EAP-TLS wasn’t worth the effort 10 years ago, it’s now clearly the best option since the alternatives are compromised and EAP-TLS has never been easier to configure for your organization due to the advancements in PKI technology.

Not only are certificates necessary to prevent threats like over-the-air credential theft, but we’ve found that many organizations are motivated to make the switch because EAP-TLS offers a significantly better end-user experience. Because credentials require a password-change policy to remain effective, users are required to reset their passwords on all their devices every 60-90 days.

This, coupled with password complexity requirements, creates a dreaded and annoying experience for all involved. EAP-TLS certificate-based authentication only requires a one time enrollment, after which users don’t have to touch their Wi-Fi configuration for the life of the device.

Can you transition from PEAP-MSCHAPv2 to EAP-TLS slowly?

Yes, it’s possible to make the move in phases and run both network types at the same time.

There are a few reasons you might want to take the slow approach:

  • Your managed devices are EAP-TLS capable, but the BYODs aren’t. Or vice versa. If you’re unable to move your entire network of devices over to EAP-TLS, but still want to use it for the compatible systems, you can use both authentication protocols simultaneously. Then, as you phase out the incompatible software/machines, you replace them with EAP-TLS ready versions.
  • The whole network is already on PEAP-MSCHAPv2, but you don’t want to suddenly cut the cord. This is a common scenario in organizations that naturally have a lot of inflow and outflow of users, such as a university. Instead of forcing everyone to reconfigure devices for EAP-TLS, you can allow the current users to continue using the same network until they graduate or otherwise leave. All the newcomers are onboarded to EAP-TLS directly; eventually the whole organization is on EAP-TLS and you can retire support for PEAP.
  • Risk Management (or skeptical Sys Admins). We get it. Certificates seem too good to be true. Also, when network security/connectivity is involved, “better safe than sorry” is a mantra to live by. In most deployment scenarios, hidden test SSIDs are usually used to test the varying devices found on campus to ensure rollout goes smoothly. While we regularly test every OS, and the new ones on release, it’s pretty common for customers to go the extra mile to make sure everything is ok before deployment.

How to run PEAP-MSCHAPv2 and EAP-TLS simultaneously

Here’s an example of a successful implementation of PEAP + EAP with a 4-year phase-out of PEAP MSCHAPv2.

Case Study: The College of William & Mary

The College of William & Mary decided to deploy eduroam on their campus so that their students could benefit from painless Wi-Fi access as they traveled across the country and the world for their study-away programs.

Eduroam is a vast network with a lot of access points, so it’s inherently vulnerable. To preempt security risks, it was established with EAP-TLS and digital certificate authentication to create the strongest security foundation possible.

However, William & Mary had been running their WPA2-Enterprise infrastructure on PEAP-MSCHAPv2 for decades. Trying to switch over thousands of managed devices and tens of thousands of bring-your-own-devices (BYODs) for students, staff, and faculty was a gargantuan task.

Working closely with their IT team, we integrated all of the necessary infrastructure into their existing network to save money and time. When the new students arrived at the end of the summer, they were all automatically onboarded to the new EAP-TLS network using our Best-in-Class MultiOS onboarding software.

The preexisting students and staff continued using their PEAP credentials until they expired, at which point they enrolled their devices for certificates via SecureW2.. The gradual transition and seamless integration ensured that IT was never overburdened with support tickets.

To read the full College of William & Mary Case Study, click here.

Setting Up PEAP-MSCHAPv2 and EAP-TLS Authentication

eap and peapWith William & Mary, SecureW2 was able to set up their RADIUS server to service both PEAP-MSCHAPv2 and EAP-TLS protocols, while simultaneously ensuring that devices were properly configured for either protocol with the MultiOS Device Onboarding platform.

The most common way we see organizations supporting both protocols is by keeping one Secure SSID and configuring the RADIUS server to support both protocols. A properly configured RADIUS server will respond to a PEAP-MSCHAPv2 or EAP-TLS request in the appropriate manner, allowing devices using different protocols to seamlessly connect to one SSID.

If you’d like assistance setting this up on your campus, reach out to us here.

Using PEAP and EAP-TLS together

Ultimately, your goal should be to fully convert to EAP-TLS and implement digital certificate-based authentication for your WPA2-Enterprise network. It’s unarguably the most robust form of authentication and the best way to secure your network. Your end users will really appreciate it too as password-reset policies can be really annoying!

No matter where you are in the process – ready to jump in to EAP, seeking a gradual transition, or just looking for information – SecureW2 has the tools and expertise to guide you. Check out our pricing now!