I'm trying to figure out how to connect my Windows 11 machine to a wired network using MSCHAPV2. The organization prefers this method over changing everything to EAP-TLS, unless there are compelling reasons to switch. I've heard that there are security issues with MSCHAPV2 if clients aren't set up correctly to avoid man-in-the-middle attacks. If my Windows 11 clients enforce server certificate validation, does that make MSCHAPV2 a secure choice?
2 Answers
I've had my fair share of challenges with wired 802.1x, but MSCHAP can hash credentials sent over the wire. Even if a rogue server is introduced, negotiating the secret key with the RADIUS server is not trivial. Unless your network is super sensitive, you should be okay with this setup.
We purchased a Cisco ISE server for this very situation! We set up a certificate server where every domain machine gets a cert. If the ISE doesn't recognize the cert, then it's straight to the Guest Network for anyone without one. If you're certified, you're in! Want some coffee while you work on that connection?
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures