If you have upgraded some of your PCs to Windows 11 and enabled credential guard (which is recommended), you might have realized that your network SSO broke. This is because Credential Guard is blocking MS-CHAPV2 due to its vulnerabilities caused by NTL passwords hashing that happens when the device authenticates to the server. In more human terms, your PC is caching the user password in a hash and reusing that hash, if an attacker gets their hands on that hash, they can impersonate the user, not only in the network but also in your domain.
To solve this, your first instinct might be to disable credential guard, but that leaves you vulnerable (and believe me, Microsoft LOVES their legacy protocols, they would not be blocking one of them if it wasn’t truly a problem). So instead Microsoft recommends moving to EAP-TLS. EAP-TLS uses client certificates to authenticate the device to the network. While this might sound complicated, with new cloud tools this becomes a breeze.
The first issue that we must overcome when moving from MS-CHAPV2 or any password-based network authentication method to EAP-TLS is how to distribute SSL certificates to machines. Thankfully most Mobile Device Management (MDM) platforms (such as Intune, JAMF PRO, ManageEngine, etc.) have figured out an easy way to distribute SSL certificates using SCEP. This allows you to automatically issue the certificates to all the devices you manage. If you also have devices you do not manage you can use a modern certificate authority like EZCA that allows you to create self-service user certificates using the users Entra ID Tip: use this feature to create a quick certificate when testing your RADIUS implementation it will save you the time to wait for the MDM to Issue the certificate.
Most network devices do not accept EAP-TLS or certificate authentication out of the box, for that you have to use a RADIUS service, Luckly it is very simple to setup, you set the RADIUS Service IP address and a shared secret between the network device and the RADIUS service, and the rest of the magic happens behind the scenes. Below you can see how easy it is to setup with Unifi, but if you are using another network provider, make sure to check our youtube channel we probably have a video on how to setup that one.
This guide gave you the starting points on how to move from MS-CHAPV2 to a more modern and secure protocol (EAP-TLS), We understand that managing PKI and certificates might seem overwhelming, but we are here to help. From our PKI Basics YouTube playlist, to even talking to one of our identity experts we are here to guide you through this transition.
