PRJ: MSCHAPv2 to Certificate-Based Authentication Migration
Project Summary
| Field | Value |
|---|---|
| Project | MSCHAPv2 to EAP-TLS/EAP-TEAP Migration |
| Priority | P1 |
| Status | 10% Complete |
| Total Devices | 6,088 |
| Detailed Docs | Principia (legacy) |
Business Justification
MSCHAPv2 weaknesses:
- Vulnerable to offline dictionary attacks
- NTLM hash can be cracked if captured
- No mutual authentication by default
- Credentials exposed during authentication
EAP-TLS/EAP-TEAP benefits:
- Strongest wireless/wired security
- Mutual authentication (client + server)
- No credentials transmitted over the air
- Revocation capability via CRL/OCSP
Related Documentation
- ise-windows::partials/eaptls-vs-mschapv2-comparison.adoc[EAP-TLS vs MSCHAPv2]
- Cisco ISE EAP-TLS Configuration Guide
- Intune Certificate Deployment
- JAMF PKI Certificates
Sub-Pages
- Planning - Migration waves, timeline, stakeholders
- Implementation - ISE policy changes, monitoring, progress
- Decisions & Risks - Decision log, risks, rollback
Metadata
| Field | Value |
|---|---|
| PRJ ID | PRJ-CHLA-MSCHAPV2-MIGRATION |
| Author | Evan |
| Date Created | 2026-03-16 |
| Last Updated | 2026-03-16 |
| Status | 10% Complete |
| Next Review | 2026-04-01 |