MSCHAPv2 Migration: Implementation
ISE Policy Changes Required
| Component | Action |
|---|---|
| Authentication Policy | Add EAP-TLS/EAP-TEAP rules per device type |
| Authorization Profile | Create certificate-based profiles |
| Certificate Authentication Profile | Configure per device type (which certificate field, e.g. Subject CN or SAN, supplies the identity) |
| Identity Source Sequence | Add certificate lookup |
| Trusted Certificate Store | Import CHLA Root CA if not present, with trust for client authentication enabled |
Monitoring Commands
```bash
# Monitor authentication methods (active sessions only; endpoints that are
# offline at query time do not appear here)
netapi ise -f json mnt sessions | jq -r 'group_by(.authentication_method) | map({method: .[0].authentication_method, count: length}) | sort_by(-.count) | .[]'

# Track MSCHAPv2 usage decline (count within the last 5000 authentication
# records, so compare runs taken at the same time of day with the same --records)
netapi ise -f json mnt authentications --records 5000 | jq -r '[.[] | select(.authentication_method | test("MSCHAP"; "i"))] | length'

# Find devices still using MSCHAPv2 (MAC, identity, PSN)
netapi ise -f json mnt sessions | jq -r '.[] | select(.authentication_method | test("MSCHAP"; "i")) | [.calling_station_id, .username, .psn] | @tsv'
```
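The jq one-liners count sessions, and a single device can hold several session records (wired and wireless, re-auths on different PSNs), so the "still on MSCHAPv2" number they give is inflated. The script below is an added example, not part of the netapi tool or of this page's original content: it reads the same JSON the `mnt sessions` command prints, dedupes by MAC, and produces the method breakdown, the remaining-endpoint list, a migrated percentage for the status report, and a week-over-week trend that flags regressions. The field names (`authentication_method`, `calling_station_id`, `username`, `psn`) are assumed from the jq filters above; the sample records and method labels are constructed, not real MnT output.

```python
"""Progress reporting over Cisco ISE MnT session exports.

Added example, not the netapi tool. Field names are assumed from the jq
filters on this page; SAMPLE_SESSIONS_JSON is constructed test data.
"""
import json
import re
from collections import Counter

# Constructed sample standing in for: netapi ise -f json mnt sessions
# (MAC 00:11:22:33:44:01 appears twice to exercise per-endpoint dedup)
SAMPLE_SESSIONS_JSON = """
[
  {"calling_station_id": "00:11:22:33:44:01", "username": "user1",
   "authentication_method": "PEAP (EAP-MSCHAPv2)", "psn": "ise-psn-01"},
  {"calling_station_id": "00:11:22:33:44:02", "username": "host/pc02",
   "authentication_method": "EAP-TLS", "psn": "ise-psn-01"},
  {"calling_station_id": "00:11:22:33:44:03", "username": "host/pc03",
   "authentication_method": "EAP-TEAP (EAP-TLS)", "psn": "ise-psn-02"},
  {"calling_station_id": "00:11:22:33:44:01", "username": "user1",
   "authentication_method": "PEAP (EAP-MSCHAPv2)", "psn": "ise-psn-02"},
  {"calling_station_id": "00:11:22:33:44:04", "username": "wyse04",
   "authentication_method": "EAP-FAST (EAP-MSCHAPv2)", "psn": "ise-psn-01"},
  {"calling_station_id": "00:11:22:33:44:05", "username": "cb05",
   "authentication_method": "EAP-TLS", "psn": "ise-psn-02"}
]
"""

MSCHAP_RE = re.compile(r"mschap", re.IGNORECASE)   # same test as the jq filters


def load_sessions(text):
    """Parse the JSON array the CLI prints."""
    return json.loads(text)


def method_counts(sessions):
    """(method, count) pairs, most common first; ties broken by name."""
    counts = Counter(s["authentication_method"] for s in sessions)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def mschap_endpoints(sessions):
    """Distinct endpoints still on an MSCHAPv2 inner method, keyed by MAC."""
    endpoints = {}
    for s in sessions:
        if not MSCHAP_RE.search(s["authentication_method"]):
            continue
        mac = s["calling_station_id"].lower()
        endpoints.setdefault(mac, {"username": s["username"], "psn": s["psn"],
                                   "method": s["authentication_method"]})
    return endpoints


def migration_status(sessions):
    """Per-endpoint progress figures for the status report."""
    total = len({s["calling_station_id"].lower() for s in sessions})
    remaining = len(mschap_endpoints(sessions))
    migrated_pct = round(100.0 * (total - remaining) / total, 1) if total else 0.0
    return {"endpoints": total, "mschap_endpoints": remaining,
            "migrated_pct": migrated_pct}


def mschap_trend(snapshots):
    """Change between consecutive (label, mschap_endpoint_count) snapshots.

    A rising count is flagged: in practice it means a GPO or supplicant
    profile rollback put devices back on PEAP-MSCHAPv2.
    """
    rows, prev = [], None
    for label, count in snapshots:
        delta = None if prev is None else count - prev
        rows.append({"label": label, "count": count, "delta": delta,
                     "regressed": delta is not None and delta > 0})
        prev = count
    return rows


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_SESSIONS_JSON)
    for method, n in method_counts(sessions):
        print(f"{n:5d}  {method}")
    print(migration_status(sessions))
    for mac, info in mschap_endpoints(sessions).items():
        print(f"{mac}\t{info['username']}\t{info['psn']}\t{info['method']}")
```

To run it against live data, replace `SAMPLE_SESSIONS_JSON` with `sys.stdin.read()` and pipe `netapi ise -f json mnt sessions` into it; keep the `mschap_endpoints` count (not the session count) as the weekly number fed to `mschap_trend`.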
Current Progress
Domain-Joined Windows: EAP-TEAP
Windows domain-joined devices are being migrated to EAP-TEAP. TEAP (RFC 7170) is a tunnelled method that carries an inner EAP-TLS exchange for both the machine certificate and the user certificate in a single authentication (EAP chaining), which is why it is preferred over plain EAP-TLS for domain-joined Windows.
- GPO deployment in progress
- ISE policy: Wired_802.1X_Closed/Wireless_802.1X
- Certificate enrollment via AD CS auto-enrollment
Chromebooks (Wave 1)
Next Action: Schedule meeting with Paul Tran
Meeting agenda:
1. Current MSCHAPv2 configuration review
2. Certificate authority requirements (AD CS vs cloud CA)
3. SCEP/NDES availability
4. Pilot group selection (50-100 devices)
5. Rollback strategy
6. Timeline estimate
WYSE Thin Clients (Wave 2)
Next Action: Schedule meeting with Andrew Rolle
Considerations:
* ThinOS vs Windows Embedded?
* Domain-joined vs workgroup?
* Wyse Management Suite (WMS) availability?
* Network boot dependencies?