Concurrent EAP-TLS and PEAP-TLS Vulnerability

I found this note at the bottom of this Microsoft PEAP article

"When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability."

Does anybody know any specifics about the vulnerability they're referring to? I want to transition most of my clients from EAP-TLS to PEAP-TLS. I was planning to select both in the RADIUS NPS profile, at least until all the clients are reconfigured for PEAP-TLS, and I was probably going to leave EAP-TLS on for one network camera that won't do PEAP. After reading about a possible vulnerability, I'm thinking this is a bad idea, but I'm hoping to learn more and possibly find a workaround that won't expose us to whatever vulnerability they're talking about.


Craig Beck commented:
If you're doing this in the NPS profile you're using one OR the other, not both at the same time. You should be fine as you're migrating away from EAP-TLS, which is also secure.
btan (Exec Consultant) commented:
As in the article, PEAP provides a TLS channel and does not specify the authentication, which is more specific to the EAP type, which includes password-based (MSCHAPv2) or cert-based (TLS) methods. In short, when you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other. Most secure is PEAP-EAP-TLS, as in the quick summary below.

a) PEAP-EAP-MSCHAPv2: authentication is done using a password and authentication traffic is encrypted using TLS
b) PEAP-EAP-TLS: authentication is done using certificates and authentication traffic is encrypted using TLS

Having to use MSCHAPv2 is a weaker stance, and if it is not implemented correctly and the MSCHAPv2 vulnerability is exposed (see the advisory below), it is just not secure. See the links.

But don't get it wrong that PEAP-MSCHAPv2 is broken. It is not. PEAP still stands as it is cert based and stronger with the PKI chain of trust...

Microsoft Security Advisory (2743314)

Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Eric_PSU (Author) commented:
Thanks for the input. I realize that a client wouldn't be using both authentication types at the same time, but Microsoft is talking about deploying them both at the same time, which I intended to do. I'm pretty sure Microsoft is talking about PEAP-EAP-TLS when they say PEAP-TLS. I don't get why using PEAP-EAP-TLS on some clients and EAP-TLS on others would create a vulnerability. Or maybe I'm misinterpreting?
Craig Beck commented:
In short, it won't. All I think they're saying is if you're going to use PEAP-TLS, EAP-TLS is less secure so it might be a vulnerability.

I wouldn't have any issues with using them both at the same time during migration.
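During a migration like the one described in the question, the practical question for the NPS administrator is "which supplicants are still negotiating bare EAP-TLS, so I know when I can turn it off in the profile?" The following added example (not code from the thread or from Microsoft) answers that from the RADIUS traffic itself: it parses RFC 2865 Access-Request packets, reassembles the EAP-Message attributes (type 79, fragmented per RFC 3579), reads the EAP method type from the EAP header (RFC 3748: 13 = EAP-TLS, 25 = PEAP), and builds an inventory of method per User-Name. The sample packets and identities are constructed inline; the zeroed Request Authenticator is a placeholder, not a real capture.

```python
import struct
from collections import defaultdict

# EAP method type codes from the IANA EAP registry (RFC 3748 / RFC 5216 / PEAP draft).
EAP_TYPE_NAMES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

RADIUS_CODE_ACCESS_REQUEST = 1
RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_HEADER_LEN = 20          # code, id, length, 16-byte Authenticator
RADIUS_ATTR_MAX_VALUE = 253     # attribute length field is one byte, minus 2 for type+len


def parse_radius_attributes(packet):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...]), checking lengths."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < RADIUS_HEADER_LEN:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def eap_method_type(eap_packet):
    """Return the method type byte of an EAP Request/Response (RFC 3748 section 4.1), else None."""
    if len(eap_packet) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap_packet[:4])
    if code not in (1, 2) or length != len(eap_packet):   # 1 = Request, 2 = Response
        return None
    return eap_packet[4]


def inventory_methods(packets):
    """Map each User-Name seen in Access-Requests to the set of EAP method names it negotiated."""
    seen = defaultdict(set)
    for pkt in packets:
        code, _, attrs = parse_radius_attributes(pkt)
        if code != RADIUS_CODE_ACCESS_REQUEST:
            continue
        user, eap = None, b""
        for atype, value in attrs:
            if atype == RADIUS_ATTR_USER_NAME:
                user = value.decode("utf-8", "replace")
            elif atype == RADIUS_ATTR_EAP_MESSAGE:
                eap += value            # concatenate fragments in order (RFC 3579 section 3.1)
        mtype = eap_method_type(eap)
        if user is not None and mtype not in (None, 1):   # skip Identity exchanges
            seen[user].add(EAP_TYPE_NAMES.get(mtype, f"type-{mtype}"))
    return dict(seen)


def still_on_bare_eap_tls(inventory):
    """Identities that negotiated EAP-TLS outside PEAP; these block removing EAP-TLS from the profile."""
    return sorted(user for user, methods in inventory.items() if "EAP-TLS" in methods)


# --- constructed sample traffic (hypothetical identities, zeroed Authenticator) ---
def build_eap_response(ident, method_type, data=b""):
    return struct.pack("!BBHB", 2, ident, 5 + len(data), method_type) + data


def build_access_request(ident, user, eap_payload):
    attrs = bytes([RADIUS_ATTR_USER_NAME, 2 + len(user)]) + user
    for i in range(0, len(eap_payload), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_payload[i:i + RADIUS_ATTR_MAX_VALUE]
        attrs += bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return struct.pack("!BBH", RADIUS_CODE_ACCESS_REQUEST, ident, RADIUS_HEADER_LEN + len(attrs)) + bytes(16) + attrs


SAMPLE_PACKETS = [
    build_access_request(1, b"host/laptop01.corp.example", build_eap_response(1, 25, b"\x20")),
    build_access_request(2, b"camera01", build_eap_response(1, 13, b"\x80\x00\x00\x00")),
    build_access_request(3, b"host/laptop02.corp.example", build_eap_response(1, 13)),
    build_access_request(4, b"host/laptop02.corp.example", build_eap_response(1, 25)),
]

if __name__ == "__main__":
    inv = inventory_methods(SAMPLE_PACKETS)
    for user, methods in sorted(inv.items()):
        print(f"{user}: {', '.join(sorted(methods))}")
    print("still negotiating bare EAP-TLS:", still_on_bare_eap_tls(SAMPLE_PACKETS and inv))
```

Feed it Access-Requests captured on the NPS host (or the NAS side of the RADIUS exchange) and the camera that can't do PEAP shows up in the bare EAP-TLS list, as does any laptop that has not yet been reconfigured; once only the camera remains, EAP-TLS can be moved to a dedicated NPS policy scoped to that device and removed from the general wireless profile. The inventory reports only the outer method, so PEAP-EAP-TLS and PEAP-EAP-MSCHAPv2 both appear as PEAP; the inner method is inside the TLS tunnel and is not visible to a passive observer.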

btan (Exec Consultant) commented:
PEAP has the cert check while non-PEAP does not. Simple as it is, you can still use it, but why go for less secure, unless password is for ease compared to cert PKI... but then you already have the machine cert installed; now it is just the client cert.