8

I am in the process of enforcing a stricter VPN access policy after learning about the attack on PPTP with MSCHAP v2. Basically, I will be disabling the traditional PPP authentication methods and using an EAP method instead.

Windows provides quite a range of EAPs, among them EAP-MSCHAP v2. Am I correct to understand that this is just the old MSCHAP v2 done in the EAP format without any additional protection? In other words, it must be used within PEAP (or similar) to defeat the attack, right?

billc.cn

2 Answers

6

If you are using PEAPv0 with EAP-MSCHAPv2 authentication, then you should be secure, as the MSCHAPv2 messages are sent through a TLS-protected tunnel. If you do not use a protected tunnel, then you are indeed vulnerable.

Lucas Kauffman
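
The distinction in the answer above can be checked on captured EAP traffic by looking at the outer EAP method type. The following is an added example, not part of the original answer: the function names and sample packets are constructed for illustration, and the type numbers (25 for PEAP, 26 for EAP-MSCHAPv2) come from the IANA EAP registry.

```python
import struct

# Method type numbers from the IANA EAP registry.
TLS_PROTECTED = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
EAP_MSCHAPV2 = 26
REQUEST, RESPONSE = 1, 2

def build_eap(code, ident, eap_type, data=b""):
    """Build a raw EAP Request/Response (used for the constructed samples)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def classify_eap(packet):
    """Return 'protected', 'exposed', 'neutral' or 'malformed' for one EAP packet."""
    if len(packet) < 4:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        return "malformed"
    if code not in (REQUEST, RESPONSE):
        return "neutral"          # Success/Failure carry no Type field
    if length < 5:
        return "malformed"
    eap_type = packet[4]
    if eap_type == EAP_MSCHAPV2:
        return "exposed"          # challenge/response visible on the wire
    if eap_type in TLS_PROTECTED:
        return "protected"        # inner method, if any, is inside TLS
    return "neutral"              # Identity, Nak, other methods

def exposed_packets(packets):
    """Indexes of packets that carry MSCHAPv2 as the outer EAP method."""
    return [i for i, p in enumerate(packets) if classify_eap(p) == "exposed"]

# Constructed sample traffic (not captured from a real network).
MSCHAP_CHALLENGE = bytes([1, 3]) + struct.pack("!HB", 24, 16) + bytes(16) + b"srv"
SAMPLE = [
    build_eap(RESPONSE, 1, 1, b"user"),           # Identity
    build_eap(REQUEST, 2, 25, b"\x20"),           # PEAP, start flag set
    build_eap(REQUEST, 3, 26, MSCHAP_CHALLENGE),  # bare EAP-MSCHAPv2
    bytes([3, 4, 0, 4]),                          # EAP-Success
    b"\x01\x05\x00",                              # truncated header
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE):
        print(i, classify_eap(pkt))
```

When PEAP is in use, only type 25 appears in the outer packets; the inner EAP-MSCHAPv2 exchange is inside the TLS records and is not visible to this check.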
0

In these cases, since you are using an SSL VPN instead of the traditional IPSEC type tunneling, there is the possibility that you have the encryption turned off. You would have to verify the setting, but to me the only truly secure way of doing this is through the strongest TLS 1.2. If you are tunneling and doing B2B, I would avoid this solution and do a more traditional tunnel with the IPSEC.

Anders
  • The VPN protocol in question is PPTP not SSL. SSL and IPSec VPN encrypt the authentication process so the vulnerability of MS-CHAPv2 cannot be exploited. PPTP is the only commonly used protocol with this problem. – billc.cn Nov 05 '16 at 22:55