Thursday, February 8, 2018

PEAP-TLS-MSCHAP-V2 and computer authentication

I've deployed a WPA2-Enterprise SSID that uses PEAP-TLS with MSCHAP-V2 inner. The clients are AD domain joined PCs that have GPO to connect to this SSID with server certificate verification turned on. Clients are only trusting the internal CA that the NPS server certificate was issued by. The GPO specifies only "computer authentication" and the NPS server checks for membership in a Computer group that domain PCs are a member of.

Is this setup vulnerable in some way? If so, how? EAP-TLS is supposedly the gold standard but we aren't yet at the point where machine certificates are issued.

Thanks
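An added example (not part of the original post) that audits an exported Windows WLAN profile for the settings described above: machine-only authentication, server certificate validation with no user prompt, trust pinned to the internal CA, plus two hardening checks the post does not mention (server name restriction and cryptobinding). It assumes the profile was exported with `netsh wlan export profile name="<SSID>" folder="C:\temp"`, that element names follow the Windows WLAN/EapHost profile XML schema, and that the path and CA thumbprint are placeholders.

```powershell
# Added audit script, not from the original post. Element names follow the
# Windows WLAN/EapHost profile schema; path and thumbprint are placeholders.
function Test-PeapProfile {
    param(
        [Parameter(Mandatory)] [string] $Path,                    # exported profile XML
        [Parameter(Mandatory)] [string] $ExpectedRootThumbprint   # SHA-1 thumbprint of the internal CA that issued the NPS cert
    )
    [xml]$xml = Get-Content -Path $Path -Raw
    # local-name() lets us ignore the several XML namespaces a profile uses
    function Get-Values([string] $Name) {
        @($xml.SelectNodes("//*[local-name()='$Name']") | ForEach-Object { $_.InnerText.Trim() })
    }
    $findings = New-Object System.Collections.Generic.List[string]

    # Outer method should be PEAP (EAP type 25) with EAP-MSCHAPv2 (type 26) inside the tunnel
    $types = Get-Values 'Type'
    if ($types -notcontains '25') { $findings.Add('Outer EAP method is not PEAP (type 25)') }
    if ($types -notcontains '26') { $findings.Add('Inner method is not EAP-MSCHAPv2 (type 26)') }

    # Machine-only authentication, as the GPO in the question specifies
    $authMode = (Get-Values 'authMode') -join ','
    if ($authMode -ne 'machine') { $findings.Add("authMode is '$authMode', expected 'machine'") }

    # Server certificate validation must be on and must never fall back to asking the user
    if ((Get-Values 'PerformServerValidation') -notcontains 'true') { $findings.Add('PerformServerValidation is not true') }
    if ((Get-Values 'DisableUserPromptForServerValidation') -notcontains 'true') { $findings.Add('User can be prompted to accept an unknown server certificate') }
    if ((Get-Values 'AllowPromptingWhenServerCANotFound') -contains 'true') { $findings.Add('User can be prompted when the server CA is not trusted') }

    # Only the internal CA that issued the NPS certificate may be trusted
    $expected = $ExpectedRootThumbprint -replace '[\s:]', ''
    $trusted  = @(Get-Values 'TrustedRootCA' | ForEach-Object { $_ -replace '[\s:]', '' } | Where-Object { $_ })
    if ($trusted.Count -eq 0) { $findings.Add('TrustedRootCA is empty: any CA in the machine root store is accepted') }
    elseif ($trusted -notcontains $expected) { $findings.Add("TrustedRootCA list ($($trusted -join ',')) does not include the expected internal CA") }
    elseif ($trusted.Count -gt 1) { $findings.Add('More than one root CA is trusted; pin only the internal CA') }

    # Restricting ServerNames narrows which certificates from that CA the client accepts
    if (-not ((Get-Values 'ServerNames') -join '')) { $findings.Add('ServerNames is empty: any server certificate from the trusted CA is accepted') }

    # Cryptobinding ties the inner MSCHAPv2 exchange to the outer TLS tunnel
    if ((Get-Values 'RequireCryptoBinding') -notcontains 'true') { $findings.Add('RequireCryptoBinding is not true') }

    return $findings   # empty list means every check passed
}

Test-PeapProfile -Path 'C:\temp\Wi-Fi-CORP.xml' -ExpectedRootThumbprint '<INTERNAL-CA-THUMBPRINT>'
```

An empty result means the exported profile matches the configuration the post describes; each returned line names a setting that would let a client accept a server other than the NPS box.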
