PEAP-MSCHAPv2 and Credential Guard - What Could Possibly Go Wrong?
So, here's a story for you. Picture this: one day, someone in another department decides it's a great idea to switch on Credential Guard on our devices. Now, we were still using PEAP for our network (I know, we really should've been on EAP-TLS by then), and guess what? Suddenly, no one could connect to the WiFi. I was freaking out! But hey, I managed to get EAP-TLS up and running in just a few days, fixing the issue once and for all.
In this post, let's dive into why this happened and explore the potential pitfalls you might encounter if your network is still relying on PEAP.
EAP-PEAP
PEAP-MSCHAPv2 is a frequently used authentication method in 802.1X protected wireless and wired networks. It's part of PEAP (Protected Extensible Authentication Protocol), which encapsulates a second, inner authentication exchange within a TLS tunnel. MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is the inner method that performs the actual authentication. This combination is popular in environments built on Microsoft infrastructure, which describes almost every corporate network.
However, while PEAP-MSCHAPv2 is widely adopted, it's not without its weaknesses. The primary issue is that it relies on password-based authentication, which can be vulnerable to various attacks, such as dictionary attacks or credential theft.
Credential Guard
Credential Guard is a feature in Windows 10 and later that uses virtualization-based security to isolate secrets (such as user credentials) so that only privileged system software can access them. This adds an extra layer of protection against the techniques attackers use to harvest credentials.
What Could Possibly Go Wrong?
Enabling Windows Credential Guard in an environment that uses PEAP-MSCHAPv2 can lead to significant issues. Credential Guard is a robust security feature in Windows 10, designed to protect against attacks that target user credentials. It leverages virtualization-based security to isolate and protect NTLM password hashes, Kerberos Ticket Granting Tickets, and other sensitive data.
However, when Credential Guard is enabled, it prevents the Windows authentication supplicant from transmitting the user's credentials to RADIUS servers such as Cisco ISE. This happens because Credential Guard blocks certain protocols, including NTLMv1 and MS-CHAP, that are used for Single Sign-On (SSO) and are subject to attacks similar to those against NTLMv1.
As a result, users on a network using PEAP-MSCHAPv2 may face difficulties with authentication. They might be required to enter their credentials multiple times or find that their login attempts using saved Windows credentials fail. This poses a significant challenge for networks that rely on PEAP-MSCHAPv2 for authentication.
To address this issue, Microsoft recommends transitioning from MSCHAPv2-based connections to certificate-based authentication methods, such as EAP-TLS. These methods offer stronger security and are not affected by the limitations imposed by Credential Guard. Implementing certificate-based authentication requires distributing user/machine certificates, which can be done through Group Policy.
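As an added example, not taken from the original post or from Microsoft's documentation, the PowerShell script below audits a client for exactly this clash before the Credential Guard policy lands: it reads whether Credential Guard is configured or running and lists which saved WLAN profiles still use PEAP-MSCHAPv2. It assumes an elevated session on Windows 10 or later with `netsh wlan` available, and relies on the IANA EAP method numbers (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS, 55 = TEAP).

```powershell
# Audit script (added example, not the post's own code): find PEAP-MSCHAPv2 profiles
# on a client and report them against the Credential Guard state.
# Assumes: elevated PowerShell on Windows 10+, netsh wlan present.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports what is configured and what is actually running.
    # In both arrays the value 1 means Credential Guard (2 would be HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Configured = ($dg.SecurityServicesConfigured -contains 1)
        Running    = ($dg.SecurityServicesRunning    -contains 1)
    }
}

function Get-WlanEapMethods {
    # Export every saved WLAN profile to XML and read the EAP method types from its EAPConfig block.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    netsh wlan export profile folder="$dir" | Out-Null
    foreach ($file in Get-ChildItem -Path $dir -Filter '*.xml') {
        [xml]$xml = Get-Content -Path $file.FullName
        # <Type> elements sit in several namespaces, so match on local-name() to collect them all.
        $types = @($xml.SelectNodes("//*[local-name()='EAPConfig']//*[local-name()='Type']") |
                  ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ -match '^\d+$' } |
                  ForEach-Object { [int]$_ } | Sort-Object -Unique)
        $method = if ($types -contains 13) { 'EAP-TLS' }
                  elseif ($types -contains 55) { 'TEAP' }
                  elseif (($types -contains 25) -and ($types -contains 26)) { 'PEAP-MSCHAPv2' }
                  elseif ($types.Count -eq 0) { 'none (PSK/open)' }
                  else { 'other' }
        [pscustomobject]@{ Profile = $xml.WLANProfile.name; Method = $method; EapTypes = $types }
    }
    Remove-Item -Path $dir -Recurse -Force   # exported profiles may hold keys; do not leave them behind
}

$cg       = Get-CredentialGuardState
$profiles = @(Get-WlanEapMethods)
$profiles | Format-Table Profile, Method, @{ n = 'EapTypes'; e = { $_.EapTypes -join ',' } }

$atRisk = @($profiles | Where-Object Method -eq 'PEAP-MSCHAPv2')
if ($atRisk.Count -gt 0) {
    $state = if ($cg.Running)         { 'is running: these profiles will fail SSO' }
             elseif ($cg.Configured)  { 'is configured and will start after reboot' }
             else                     { 'is not enabled yet: migrate these profiles to EAP-TLS first' }
    Write-Warning ("Credential Guard {0} -> {1}" -f $state, ($atRisk.Profile -join ', '))
}
```

Run it across a pilot group before the policy rollout; any profile reported as PEAP-MSCHAPv2 on a machine where Credential Guard is configured is the outage described above waiting to happen.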
Closing Up
If your network is still using PEAP, it's time to think about moving to EAP-TLS. Why? Simply put, EAP-TLS is like upgrading from a lock and key to a high-tech security system. It's more secure, and with the way Credential Guard clashes with PEAP, you really don't want to be left in the lurch, unable to connect to your own WiFi.
If you want to learn how to implement EAP-TLS or EAP-TEAP, feel free to check out my other blog posts below.