MSCHAPv2 Migration: Decisions & Risks

Decision Log

Date | Decision | Rationale | Decided by
---- | -------- | --------- | ----------
2026-03-16 | Wave-based migration (not big bang) | 6,088 endpoints across 5 device types. Migrating one device class per wave allows rollback of that class without affecting the others. | Evan
2026-03-16 | EAP-TEAP for Windows domain devices | EAP-TEAP (RFC 7170) chains machine and user authentication inside a single TLS tunnel, which plain EAP-TLS cannot express; preferred over EAP-TLS for domain-joined Windows. Check before Wave 2+: needs a TEAP-capable supplicant (Windows 10 2004 or later) and an ISE release with TEAP support (2.7 or later). | Evan
2026-03-16 | Dual-auth period during transition | Keep PEAP-MSCHAPv2 as a fallback while certificate-based auth deploys. ISE rule order handles the cutover per device: the certificate rule sits above the MSCHAPv2 rule, and the MSCHAPv2 rule applies only to endpoints not yet cut over. Caveat: MSCHAPv2 stays exposed for every endpoint the fallback still covers until the fallback is removed. | Evan
2026-03-16 | Chromebooks as Wave 1 | Largest single device class (1,754), managed by a single team (Paul Tran). Success here proves the model for later waves. | Evan

Risk Assessment

Risk | Likelihood | Impact | Mitigation | Contingency
---- | ---------- | ------ | ---------- | -----------
Certificate enrollment failures across 6,088 devices | Medium | High | Pilot with 50-100 devices per wave. Validate SCEP/NDES (advertised capabilities, template, challenge handling) before scale deployment. | Fall back to MSCHAPv2 for failed devices. Manual certificate provisioning for critical endpoints.
WYSE thin clients incompatible with EAP-TLS | Medium | Medium | Investigate ThinOS vs Windows Embedded 802.1X capabilities early. Test certificate storage on thin client hardware. | iPSK or MAB fallback for thin clients that cannot hold a certificate. Caveat: MAB authenticates only a spoofable MAC address, so confine such endpoints with a restrictive dACL/VLAN and track them as a time-bounded exception.
User disruption during auth method switchover | High | Medium | Per-device cutover (not big bang). Dual-auth period keeps both methods active. Communication plan per wave. | Immediate rollback to MSCHAPv2 for the affected devices only, via ISE policy priority (return those devices to the fallback scope rather than re-opening MSCHAPv2 globally).
CA infrastructure cannot handle 6,088 certificates | Low | Critical | Assess AD CS capacity before Wave 1. Plan certificate lifecycle at scale: validity period, renewal window, CRL/OCSP publication and reachability from ISE, revocation on device loss. Certificates issued together in a wave renew together, so the renewal load repeats the enrollment load. | Deploy a dedicated subordinate CA for endpoint certificates. Stagger enrollment.
Chromebook SCEP enrollment requires Google Admin Console changes | Medium | Medium | Schedule meeting with Paul Tran to assess Google Workspace MDM integration. Test SCEP proxy. | Manual certificate push via Google Admin Console if SCEP is unavailable.
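The "validate SCEP/NDES before scale deployment" mitigation needs a concrete check. The script below is an added illustration, not a tool from this plan or from Microsoft or Cisco: it parses a SCEP GetCACaps response the way a client picks its digest and cipher (RFC 8894 section 3.5.2) and flags a server that would push enrollment down to MD5/DES or SHA-1. The two sample responses and the NDES hostname are constructed.

```python
"""Pre-flight check of what a SCEP/NDES server advertises (added example,
not part of the migration plan). Parses a GetCACaps body the way a SCEP
client would choose hash and cipher, and reports findings that should block
scale deployment. Sample bodies below are constructed, not captured."""
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

HASHES = ["SHA-512", "SHA-256", "SHA-1"]   # strongest first; none advertised => MD5 default
CIPHERS = ["AES", "DES3"]                   # strongest first; none advertised => single DES default


def parse_caps(body: str) -> List[str]:
    """One capability token per line; matching is case-insensitive per RFC 8894."""
    return [line.strip().upper() for line in body.splitlines() if line.strip()]


def assess(body: str) -> Dict[str, object]:
    """Decide what a client would negotiate and list blocking findings.
    Nothing here touches the network."""
    caps = set(parse_caps(body))
    hash_alg: Optional[str] = next((h for h in HASHES if h in caps), None)
    cipher: Optional[str] = next((c for c in CIPHERS if c in caps), None)
    findings: List[str] = []
    if hash_alg is None:
        findings.append("no SHA capability: client falls back to MD5 digests")
    elif hash_alg == "SHA-1":
        findings.append("SHA-1 is the best advertised digest")
    if cipher is None:
        findings.append("no AES/DES3 capability: enrollment payload uses single DES")
    elif cipher == "DES3":
        findings.append("AES not advertised; DES3 will be used")
    if "POSTPKIOPERATION" not in caps:
        findings.append("no POSTPKIOperation: PKCS#10 travels in the URL; large keys or SAN lists may exceed length limits")
    if "RENEWAL" not in caps:
        findings.append("no Renewal: expiring certificates cannot re-enroll by signing with the old certificate")
    ok = hash_alg in ("SHA-256", "SHA-512") and cipher == "AES" and "POSTPKIOPERATION" in caps
    return {"hash": hash_alg, "cipher": cipher, "ok": ok, "findings": findings}


def fetch_caps(base_url: str, ca_ident: str = "", timeout: float = 10.0) -> str:
    """GET <base_url>?operation=GetCACaps&message=<ca_ident>.
    For NDES the base is http(s)://<host>/certsrv/mscep/mscep.dll."""
    url = f"{base_url}?operation=GetCACaps&message={urllib.parse.quote(ca_ident)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample bodies: a capable server and a legacy one.
SAMPLE_CAPABLE = "AES\nPOSTPKIOperation\nSHA-256\nSHA-1\nDES3\nRenewal\nGetNextCACert\n"
SAMPLE_LEGACY = "GetNextCACert\nPOSTPKIOperation\nRenewal\n"

if __name__ == "__main__":
    for name, body in (("capable", SAMPLE_CAPABLE), ("legacy", SAMPLE_LEGACY)):
        print(name, assess(body))
    # Live check against the real NDES host (placeholder hostname):
    # print(assess(fetch_caps("https://ndes.example.internal/certsrv/mscep/mscep.dll")))
```

Run the live check from the same network position the SCEP proxy will use; a capability list that differs from the one the pilot saw is itself a finding.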

Rollback Strategy

  1. Keep the PEAP-MSCHAPv2 policy active during transition

  2. Dual-auth period: accept both methods

  3. Per-device cutover (not big bang)

  4. ISE policy priority: certificate-based rule first, MSCHAPv2 rule below it and scoped to endpoints not yet migrated; rolling a device back means returning it to that scope, not re-opening MSCHAPv2 for everyone

  5. Exit criterion: once the last wave completes, remove MSCHAPv2 from the allowed protocols; while it remains, the fallback is a downgrade path for every endpoint it still applies to
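The dual-auth decision and rollback items 1-4 both rest on rule order. The model below is an added illustration, not Cisco ISE code or its API: it evaluates rules top-down, first match wins, and checks the one property the transition depends on, namely that the MSCHAPv2 fallback admits only endpoints not yet cut over. Rule names, device types, MAC addresses and the "migrated" endpoint group are constructed.

```python
"""First-match, top-down policy evaluation (added example, not ISE code).
Compares an unscoped MSCHAPv2 fallback with one limited to endpoints that
have not yet been cut over, and shows what per-device rollback means.
Endpoint inventory, group names and rule names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Sequence

CERT_METHODS: FrozenSet[str] = frozenset({"EAP-TLS", "EAP-TEAP"})
LEGACY_METHODS: FrozenSet[str] = frozenset({"PEAP-MSCHAPv2"})


@dataclass(frozen=True)
class Endpoint:
    mac: str
    device_type: str   # constructed classes: chromebook, windows, wyse
    migrated: bool     # True once the device is in the constructed "Cert-Migrated" group


@dataclass(frozen=True)
class Rule:
    name: str
    methods: FrozenSet[str]                        # EAP methods this rule accepts
    device_types: Optional[FrozenSet[str]] = None  # None = any device type
    migrated: Optional[bool] = None                # None = ignore group membership

    def matches(self, ep: Endpoint, method: str) -> bool:
        return (method in self.methods
                and (self.device_types is None or ep.device_type in self.device_types)
                and (self.migrated is None or ep.migrated == self.migrated))


def evaluate(rules: Sequence[Rule], ep: Endpoint, method: str) -> Optional[str]:
    """Name of the first rule permitting (endpoint, method); None means reject.
    Order is the policy priority: the cert rule is listed above the fallback."""
    for rule in rules:
        if rule.matches(ep, method):
            return rule.name
    return None


def downgrade_exposure(rules: Sequence[Rule], endpoints: Iterable[Endpoint]) -> List[str]:
    """MACs of already-migrated endpoints that a legacy method would still admit."""
    return sorted(ep.mac for ep in endpoints
                  if ep.migrated and any(evaluate(rules, ep, m) for m in LEGACY_METHODS))


def rollback(ep: Endpoint) -> Endpoint:
    """Per-device rollback: drop the endpoint out of the migrated group.
    The cert rule still applies if its certificate works; the fallback re-opens."""
    return Endpoint(ep.mac, ep.device_type, migrated=False)


# Fallback open to every endpoint: every migrated device keeps a password path.
UNSCOPED_RULES = [
    Rule("Cert-Permit", CERT_METHODS),
    Rule("Legacy-MSCHAPv2-Permit", LEGACY_METHODS),
]

# Fallback limited to endpoints not yet cut over: what "per-device cutover" requires.
SCOPED_RULES = [
    Rule("Cert-Permit", CERT_METHODS),
    Rule("Legacy-MSCHAPv2-Unmigrated", LEGACY_METHODS, migrated=False),
]

# Constructed inventory: a migrated and a pending device across the device classes.
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "chromebook", migrated=True),
    Endpoint("00:11:22:33:44:02", "chromebook", migrated=False),
    Endpoint("00:11:22:33:44:03", "windows", migrated=True),
    Endpoint("00:11:22:33:44:04", "wyse", migrated=False),
]

if __name__ == "__main__":
    for label, rules in (("unscoped", UNSCOPED_RULES), ("scoped", SCOPED_RULES)):
        print(f"{label}: migrated endpoints still admitted over MSCHAPv2 ->",
              downgrade_exposure(rules, ENDPOINTS))
```

The unscoped rule set is what "keep MSCHAPv2 as fallback" produces if the fallback rule carries no condition; the scoped set is what item 4 has to mean for the rollback to be per device. The same check can be run against an exported ISE policy before each wave.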