Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Is EAP-TLS Safer than PEAP-MSCHAPv2 in 2024?

Key Points
  • You can use PEAP-MSCHAPv2 and EAP-TLS in your network simultaneously, but PEAP-MSCHAPv2 has been declared obsolete, so using it is unsafe.
  • A WPA2-Enterprise network with EAP-TLS lets you provision certificates to all users and devices for a certificate-based network. Digital certificates are phishing-resistant and can't be stolen or duplicated, thus providing watertight network security.
  • With SecureW2’s managed PKI, you can leverage EAP-TLS to securely commission digital certificates to managed devices for exclusive certificate-based authentication. Our MulitOS also provides guests' devices with certificates through simple onboarding software, giving you complete control over your network.

The short answer is: Yes.

Organizations that are interested in moving from the unsecure PEAP-MSCHAPv2 protocol to the superior EAP-TLS protocol might be worried about huge infrastructure overhaul or the network downtime it might entail. We’ve helped many organizations over the past decade to support both protocols on their network, as they gradually transition from PEAP-MSCHAPv2 to EAP-TLS.

But first – what are the reasons an organization might want to transition from PEAP to EAP-TLS?

Why move from PEAP-MSCHAPv2 to EAP-TLS?

There’s one big, glaring problem with PEAP-MSCHAPv2 – it’s been cracked.

The primary obstacle in switching to EAP-TLS is the misconception that it’s too difficult to implement… even though everyone agrees that digital certificates are much more secure. While it may have been true that EAP-TLS wasn’t worth the effort 10 years ago, it’s now clearly the best option since the alternatives are compromised and EAP-TLS has never been easier to configure for your organization due to the advancements in PKI technology.

Not only are certificates necessary to prevent threats like over-the-air credential theft, but we’ve found that many organizations are motivated to make the switch because EAP-TLS offers a significantly better end-user experience. Because credentials require a password-change policy to remain effective, users are required to reset their passwords on all their devices every 60-90 days.

This, coupled with password complexity requirements, creates a dreaded and annoying experience for all involved. EAP-TLS certificate-based authentication only requires a one time enrollment, after which users don’t have to touch their Wi-Fi configuration for the life of the device.

Can you transition from PEAP-MSCHAPv2 to EAP-TLS slowly?

radius server

Yes, it’s possible to make the move in phases and run both network types at the same time.

There are a few reasons you might want to take the slow approach:

  • Your managed devices are EAP-TLS capable, but the BYODs aren’t. Or vice versa. If you’re unable to move your entire network of devices over to EAP-TLS, but still want to use it for the compatible systems, you can use both authentication protocols simultaneously. Then, as you phase out the incompatible software/machines, you replace them with EAP-TLS ready versions.
  • The whole network is already on PEAP-MSCHAPv2, but you don’t want to suddenly cut the cord. This is a common scenario in organizations that naturally have a lot of inflow and outflow of users, such as a university. Instead of forcing everyone to reconfigure devices for EAP-TLS, you can allow the current users to continue using the same network until they graduate or otherwise leave. All the newcomers are onboarded to EAP-TLS directly; eventually the whole organization is on EAP-TLS and you can retire support for PEAP.
  • Cyber Risk Management (or skeptical Sys Admins). We get it. Certificates seem too good to be true. Also, when network security/connectivity is involved, “better safe than sorry” is a mantra to live by. In most deployment scenarios, hidden test SSIDs are usually used to test the varying devices found on campus to ensure rollout goes smoothly. While we regularly test every OS, and the new ones on release, it’s pretty common for customers to go the extra mile to make sure everything is ok before deployment.

How to run PEAP-MSCHAPv2 and EAP-TLS simultaneously

Here’s an example of a successful implementation of PEAP + EAP with a 4-year phase-out of PEAP MSCHAPv2.

Case Study

This University decided to deploy eduroam on their campus so that their students could benefit from painless Wi-Fi access as they traveled across the country and the world for their study-away programs.

Eduroam is a vast network with a lot of access points, so it’s inherently vulnerable. To preempt security risks, it was established with EAP-TLS and digital certificate authentication to create the strongest security foundation possible.

However, the school had been running their WPA2-Enterprise infrastructure on PEAP-MSCHAPv2 for decades. Trying to switch over thousands of managed devices and tens of thousands of bring-your-own-devices (BYODs) for students, staff, and faculty was a gargantuan task.

Working closely with their IT team, we integrated all of the necessary infrastructure into their existing network to save money and time. When the new students arrived at the end of the summer, they were all automatically onboarded to the new EAP-TLS network using our Best-in-Class MultiOS onboarding software.

The preexisting students and staff continued using their PEAP credentials until they expired, at which point they enrolled their devices for certificates via SecureW2… The gradual transition and seamless integration ensured that IT was never overburdened with support tickets.

To read the full Case Study, click here.

Setting Up PEAP-MSCHAPv2 and EAP-TLS Authentication

eap and peap With this university, SecureW2 was able to set up their RADIUS server to service both PEAP-MSCHAPv2 and EAP-TLS protocols, while simultaneously ensuring that devices were properly configured for either protocol with the MultiOS Device Onboarding platform.

The most common way we see organizations supporting both protocols is by keeping one Secure SSID and configuring the RADIUS server to support both protocols. A properly configured RADIUS server will respond to a PEAP-MSCHAPv2 or EAP-TLS request in the appropriate manner, allowing devices using different protocols to seamlessly connect to one SSID.

If you’d like assistance setting this up on your campus, reach out to us here.

Using PEAP and EAP-TLS together

Ultimately, your goal should be to fully convert to EAP-TLS and implement digital certificate-based authentication for your WPA2-Enterprise network. It’s unarguably the most robust form of authentication and the best way to secure your network. Your end-users will really appreciate it too as password-reset policies can be really annoying!

No matter where you are in the process – ready to jump in to EAP, seeking a gradual transition, or just looking for information – SecureW2 has the tools and expertise to guide you. Check out our pricing now!

 

Learn about this author

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.

Is EAP-TLS Safer than PEAP-MSCHAPv2 in 2024?