Hello, I've read this [1] article. It is very interesting but I would appreciate some explaination about the final recommendations paragraph. Specifically, this paragraph contains: "If MS-CHAPv2 is required for operational or inter-operability reasons, we recommend running it over a secure management network. The Microsoft MFA server does not support MFA with MS-CHAPv2. Or, running TTLS + MS-CHAPv2. Though it has no benefits (and many drawbacks!) over TTLS + PAP." 1. What does "we recommend running [MS-CHAPv2] over a secure management network" implies, here ? 2. What does "Or, running TTLS + MS-CHAPv2" excatly means, here ? [1] https://networkradius.com/articles/2022/02/20/how-authentication-protocols-w... [2] https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap Best regards
On Apr 5, 2022, at 1:22 PM, Olivier <oza.4h07@gmail.com> wrote:
I've read this [1] article. It is very interesting but I would appreciate some explaination about the final recommendations paragraph.
Specifically, this paragraph contains: "If MS-CHAPv2 is required for operational or inter-operability reasons, we recommend running it over a secure management network. The Microsoft MFA server does not support MFA with MS-CHAPv2. Or, running TTLS + MS-CHAPv2. Though it has no benefits (and many drawbacks!) over TTLS + PAP."
1. What does "we recommend running [MS-CHAPv2] over a secure management network" implies, here ?
Don't put RADIUS packets over the Internet. If the RADIUS packets are internal to your network, that's fine. If you have to send RADIUS packets over the Internet, then use IPSec or TLS in order to protect / hide their contents.
2. What does "Or, running TTLS + MS-CHAPv2" excatly means, here ?
Use TTLS, with MS-CHAPv2 inside of the TLS tunnel. See mods-available/eap for EAP / TTLS configuration. Alan DeKok.
participants (2)
-
Alan DeKok -
Olivier