PEAP-MSCHAPv2 and Credential Guard - What Could Possibly Go Wrong?

In: ISE Network

So, here's a story for you. Picture this: one day, someone in another department decides it's a great idea to switch on 'Credential Guard' on our devices. Now, we were still using PEAP for our network (I know, we really should've been on EAP-TLS by then), and guess what? Suddenly, no one could connect to the WiFi. I was freaking out! But hey, I managed to get EAP-TLS up and running in just a few days, fixing the issue once and for all.

In this post, let's dive into why this happened and explore the potential pitfalls you might encounter if your network is still relying on PEAP.

EAP-PEAP

PEAP-MSCHAPv2 is a frequently used authentication method in 802.1X-protected wireless and wired networks. It's part of PEAP (Protected Extensible Authentication Protocol), which encapsulates a second authentication exchange inside a TLS tunnel. MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is the inner method that performs the actual authentication. This combination is popular in environments built on Microsoft infrastructure, which is almost every corporate network.

However, while PEAP-MSCHAPv2 is widely adopted, it's not without its weaknesses. The primary issue is that it relies on password-based authentication, which leaves it exposed to attacks such as dictionary attacks and credential theft.

Credential Guard

Credential Guard is a feature in Windows 10 and later that uses virtualization-based security to isolate secrets (such as user credentials) so that only privileged system software can access them. This adds an extra layer of security, protecting against the techniques attackers use to harvest credentials.

What Could Possibly Go Wrong?

Enabling Windows Credential Guard in an environment that uses PEAP-MSCHAPv2 can lead to some significant issues. Credential Guard is a robust security feature in Windows 10, designed to protect against various types of attacks, particularly those targeting user credentials. It uses virtualization-based security to isolate and protect NTLM password hashes, Kerberos Ticket Granting Tickets, and other sensitive data.

However, when Credential Guard is enabled, it prevents the Windows 802.1X supplicant from transmitting the user's credentials to RADIUS servers such as Cisco ISE. This happens because Credential Guard blocks certain protocols, including NTLMv1 and MS-CHAP, from using the isolated credentials for Single Sign-On (SSO); these protocols are subject to attacks similar to those against NTLMv1.

Note: With the release of Windows 11 22H2, Credential Guard is enabled by default. So if you upgrade to Windows 11 22H2 and your network is configured to use PEAP, you might find that users can no longer connect to those PEAP-protected networks.

As a result, users on a network using PEAP-MSCHAPv2 may run into authentication problems. They might be prompted for their credentials repeatedly, or find that logon attempts using saved Windows credentials fail. This poses a significant challenge for networks that rely on PEAP-MSCHAPv2 for authentication.

To address this issue, Microsoft recommends transitioning from MSCHAPv2-based connections to certificate-based authentication methods, such as EAP-TLS. These methods offer stronger security and are not affected by the restrictions Credential Guard imposes. Implementing certificate-based authentication requires distributing user/machine certificates, which can be done through Group Policy.
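Before switching Credential Guard on, it helps to know which devices already run it and which saved Wi-Fi profiles still use PEAP with EAP-MSCHAPv2 inside. The script below is an added example (not from the original post or from Microsoft/Cisco); it reads the Win32_DeviceGuard class and exports the machine's WLAN profiles with netsh, then flags profiles whose EAP chain is PEAP (type 25) with EAP-MSCHAPv2 (type 26). The export folder under $env:TEMP is an assumption; run it in an elevated PowerShell session.

```powershell
# Added example: inventory one Windows device for the PEAP-MSCHAPv2 / Credential Guard
# conflict. Assumption: $env:TEMP\wlan-profiles is a usable scratch folder.
$ExportDir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Is Credential Guard running? In Win32_DeviceGuard, service id 1 = Credential Guard.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
$cgRunning = @($dg.SecurityServicesRunning) -contains 1
Write-Host ("Credential Guard running: {0}" -f $cgRunning)

# 2. Export every saved WLAN profile as XML (keys are not needed; only the EAP config is read).
netsh wlan export profile folder="$ExportDir" | Out-Null

# 3. Classify each profile by its EAP method chain (outer method first, inner method second).
$results = foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    [xml]$xml = Get-Content -Path $file.FullName
    # <Type> elements under each <Eap> node hold the IANA EAP method numbers;
    # local-name() sidesteps the several XML namespaces the profile format uses.
    $types = @($xml.SelectNodes("//*[local-name()='Eap']/*[local-name()='Type']") |
               ForEach-Object { [int]$_.InnerText })
    [pscustomobject]@{
        Profile  = $xml.WLANProfile.name
        EapChain = ($types -join ' -> ')          # e.g. "25 -> 26" for PEAP-MSCHAPv2
        AtRisk   = (($types -contains 25) -and ($types -contains 26))
        EapTls   = ($types -contains 13)          # 13 = EAP-TLS, unaffected by Credential Guard
    }
}

$results | Sort-Object AtRisk -Descending | Format-Table -AutoSize
if ($cgRunning -and ($results | Where-Object AtRisk)) {
    Write-Warning 'Credential Guard is running and PEAP-MSCHAPv2 profiles exist: saved-credential logons to those networks will fail.'
}
```

Wired 802.1X profiles are exported the same way with `netsh lan export profile`, and the same XPath applies to their EAP configuration.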

Closing Up

If your network is still using PEAP, it's time to think about moving to EAP-TLS. Why? Simply put, EAP-TLS is like upgrading from a lock and key to a high-tech security system. It's more secure, and with the way Credential Guard clashes with PEAP, you really don't want to be left in the lurch, unable to connect to your own WiFi.

If you want to learn how to implement EAP-TLS or EAP-TEAP, feel free to check out my other blog posts below.

- Cisco ISE Wired 802.1X with EAP-TLS Example: a practical example of how to configure wired 802.1X with Cisco Identity Services Engine (ISE) and EAP-TLS.
- Cisco ISE Wireless 802.1X with Meraki (EAP-TLS): a practical example of how to configure wireless 802.1X with Cisco ISE and Meraki using EAP-TLS.
- Cisco ISE Wired 802.1X with EAP-TEAP (EAP-Chaining): a practical example of how to configure wired 802.1X with Cisco Identity Services Engine (ISE) and EAP-TEAP.

