Concurrent EAP-TLS and PEAP-TLS Vulnerability

Posted on 2013-09-25
Medium Priority
Last Modified: 2013-09-27
I found this note at the bottom of this Microsoft PEAP article http://technet.microsoft.com/en-us/library/cc754179.aspx:

"When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability."

Does anybody know any specifics about the vulnerability they're referring to?  I want to transition most of my clients from EAP-TLS to PEAP-TLS.  I was planning to select both in the radius NPS profile, at least until all the clients are reconfigured for PEAP-TLS, and I was probably going to leave EAP-TLS on for one network camera that won't do PEAP.  After reading about a possible vulnerability, I'm thinking this is a bad idea, but I'm hoping to learn more and possibly find a workaround that won't expose us to whatever vulnerability they're talking about.

Question by:Eric_PSU
LVL 47

Expert Comment

by:Craig Beck
ID: 39524630
If you're doing this in the NPS profile you're using one OR the other, not both at the same time.  You should be fine as you're migrating away from EAP-TLS, which is also secure.
LVL 66

Expert Comment

ID: 39524717
As in the article, PEAP provides a TLS channel and does not specify the authentication, which is more specific to the EAP type that includes a password (MSCHAPv2) or is cert based (TLS). In short, when you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other. Most secure is PEAP-EAP-TLS, as in the quick summary below.

a) PEAP-EAP-MSCHAPv2: authentication is done using a password and authentication traffic is encrypted using TLS
b) PEAP-EAP-TLS: authentication is done using certificates and authentication traffic is encrypted using TLS

Having to have MSCHAPv2 is a weaker stance, and if it is not implemented correctly and MSCHAPv2's vulnerability is exposed (see the advisory below), it is just not secure. See the links.

But don't get it wrong that PEAP-MSCHAPv2 is broken. It is not. PEAP still stands as it is cert based and stronger with the PKI chain of trust...

Microsoft Security Advisory (2743314)

Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Author Comment

ID: 39526551
Thanks for the input.  I realize that a client wouldn't be using both authentication types at the same time, but Microsoft is talking about deploying them both at the same time, which I intended to do.  I'm pretty sure Microsoft is talking about PEAP-EAP-TLS when they say PEAP-TLS.  I don't get why using PEAP-EAP-TLS on some clients and EAP-TLS on others would create a vulnerability.  Or maybe I'm misinterpreting?
LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 39527118
In short, it won't.  All I think they're saying is if you're going to use PEAP-TLS, EAP-TLS is less secure so might be a vulnerability.

I wouldn't have any issues with using them both at the same time during migration.
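For the migration window the question describes (both methods enabled in the NPS profile until every supplicant has moved), an operator wants to know which clients are still authenticating with bare EAP-TLS so the method can be switched off as soon as they are gone. The script below is an added example, not from this thread or from Microsoft: it parses RADIUS Access-Request packets, pulls the EAP-Message attribute (79) and Calling-Station-Id (31), and records the outer EAP method per client MAC. The packets are constructed inline for the demo; on a real network you would feed it a capture of the NAS-to-NPS traffic. Only the outer method is visible, because PEAP's inner method runs inside the TLS tunnel.

```python
import struct
from collections import defaultdict
RADIUS_ACCESS_REQUEST = 1
ATTR_CALLING_STATION_ID = 31          # client MAC as sent by the AP or switch
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}  # outer only; PEAP's inner method is inside TLS

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute area of one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20                           # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def outer_eap_type(packet):
    """(Calling-Station-Id, EAP type) for an Access-Request carrying an EAP-Response, else None."""
    if packet[0] != RADIUS_ACCESS_REQUEST: return None
    station, eap = None, b""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_CALLING_STATION_ID:
            station = value.decode("ascii", "replace")
        elif atype == ATTR_EAP_MESSAGE:
            eap += value               # one EAP packet may span several EAP-Message attributes
    if len(eap) < 5 or eap[0] != EAP_RESPONSE: return None
    return station, eap[4]

def inventory(packets):
    """Map each client MAC to the set of outer EAP methods it has actually used."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = outer_eap_type(pkt)
        if hit and hit[1] not in (1, 3):   # Identity and Nak say nothing about the method
            seen[hit[0]].add(EAP_TYPE_NAMES.get(hit[1], f"type {hit[1]}"))
    return dict(seen)

def build_request(station, eap_type, payload=b"\x80"):
    """Constructed Access-Request (test data, not a capture) with one EAP-Response inside."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(payload), eap_type) + payload
    attrs = bytes([ATTR_CALLING_STATION_ID, 2 + len(station)]) + station.encode()
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs
SAMPLE = [build_request("00-11-22-33-44-55", 1, b"camera"), build_request("00-11-22-33-44-55", 13),
          build_request("AA-BB-CC-DD-EE-01", 25)]   # constructed: Identity, bare EAP-TLS, PEAP
```

Running `inventory(SAMPLE)` reports the camera MAC under EAP-TLS and the laptop under PEAP; once no MAC appears under EAP-TLS for a full cycle of client logons, the method can be removed from the NPS profile.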
LVL 66

Expert Comment

ID: 39527588
PEAP has the cert check while non-PEAP does not. Simple as it is, you can still use it, but why go for less secure unless the password is for ease compared to cert PKI... but then you already have the machine cert installed; now it is just the client cert.
