PRJ: MSCHAPv2 to Certificate-Based Authentication Migration
Project Summary

| Field | Value |
|---|---|
| Project | MSCHAPv2 to EAP-TLS/EAP-TEAP Migration |
| Priority | P0 — Mandiant pentest high-risk findings + audit committee reporting |
| Status | ISE side ready. Endpoint platform work begins 5/4. 25% overall. |
| Migration Window | 2026-05-04 to 2026-05-30 |
| Total Devices | ~6,088 unique endpoints (30-day authentication window) |
| Waves | 5 planned |
| Owner | Evan Rosado (ISE/NAC), William Cox (PM) |
| Teams Engaged | Albert Rodriguez (Collaboration), John Vuong (Endpoint Engineering), Sajid Karim (NE) |
| ISE Status | EAP-TEAP + EAP-TLS policies configured, cert trust installed, authorization rules mapped, anonymous identity set |
| Windows Status | EAP-TEAP migration complete — remaining work is non-Windows platforms |
| Data Analysis | Data Shape Analysis (2026-04-08) |
What’s Done
- ISE authentication and authorization policies for EAP-TEAP and EAP-TLS
- Certificate authority trust chain installed on ISE
- Anonymous identity configured for EAP-TEAP outer tunnel
- CHLA_Staff SSID accepting both EAP-TEAP and EAP-TLS
- Windows EAP-TEAP migration complete
- Scoping email sent to Will with platform breakdown and ownership matrix (2026-04-24)
- All 8 platform owners and 2 managers confirmed
- Will confirmed 5/4 start date with Albert and John (2026-04-24)
- Albert agreed to a meeting for implementation planning
What’s Remaining
- Prep checklist: ISE RADIUS IPs, anonymous identity format, SCEP URL, cert requirements, example auth screenshots
- Export Windows 11 EAP-TEAP XML config for reference
- Verify no Windows endpoints still on legacy MSCHAPv2
- Working sessions with each platform owner
- Per-platform EAP-TLS profile push, SCEP enrollment, legacy profile removal
- ISE validation after each platform deploys
- Disable MSCHAPv2 allowed protocol after all platforms migrated
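The three validation steps above (verify no endpoints still on legacy MSCHAPv2, validate in ISE after each platform deploys, and disable the allowed protocol only once nothing still depends on it) as an added example, not code from this project or from Cisco ISE. It reads a constructed ISE authentication report export, classifies each endpoint by the protocol of its most recent successful authentication inside the same 30-day window the device count uses, reports per-platform counts, and answers whether MSCHAPv2 can be switched off. The column names, endpoint profile values and protocol strings are assumptions modelled on an ISE RADIUS authentication report; adapt them to the real export.

```python
"""Per-platform MSCHAPv2 migration check over an ISE auth report export.

Added example; the CSV layout, endpoint profile names and protocol strings
are assumptions, not the page's or Cisco's own format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Protocol strings assumed to appear in the export's auth_protocol column.
LEGACY_PROTOCOLS = {"PEAP (EAP-MSCHAPv2)", "EAP-MSCHAPv2", "MSCHAPV2"}
TARGET_PROTOCOLS = {"EAP-TLS", "EAP-TEAP"}

# Constructed sample export (not real data). Endpoint ...05 migrated during
# the window, ...06 only has a failed attempt, ...07 is outside the window.
SAMPLE_CSV = """timestamp,calling_station_id,endpoint_profile,auth_protocol,auth_status
2026-05-05T08:01:12Z,00-11-22-33-44-01,Windows11-Workstation,EAP-TEAP,Passed
2026-05-05T08:02:40Z,00-11-22-33-44-02,Windows11-Workstation,EAP-TEAP,Passed
2026-05-05T08:03:05Z,00-11-22-33-44-03,Apple-macOS,PEAP (EAP-MSCHAPv2),Passed
2026-05-05T08:04:51Z,00-11-22-33-44-04,Apple-iPhone,EAP-TLS,Passed
2026-05-05T08:05:19Z,00-11-22-33-44-05,Windows10-Workstation,PEAP (EAP-MSCHAPv2),Passed
2026-05-05T08:06:00Z,00-11-22-33-44-05,Windows10-Workstation,EAP-TEAP,Passed
2026-05-05T08:07:33Z,00-11-22-33-44-06,Cisco-IP-Phone,EAP-TLS,Failed
2026-04-01T08:07:33Z,00-11-22-33-44-07,Apple-macOS,PEAP (EAP-MSCHAPv2),Passed
"""

# Constructed "now" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2026, 5, 6, tzinfo=timezone.utc)


def parse_records(csv_text):
    """Parse the export into dicts, converting timestamp to an aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def latest_successful_auth(records, now, window_days=30):
    """Map each endpoint MAC to its most recent passed auth inside the window.

    Failed attempts are ignored: they say nothing about which protocol the
    endpoint is actually using, and an endpoint that migrated mid-window is
    judged by its newest successful authentication only.
    """
    cutoff = now - timedelta(days=window_days)
    latest = {}
    for r in records:
        if r["auth_status"] != "Passed" or r["timestamp"] < cutoff:
            continue
        mac = r["calling_station_id"]
        if mac not in latest or r["timestamp"] > latest[mac]["timestamp"]:
            latest[mac] = r
    return latest


def migration_summary(records, now, window_days=30):
    """Per-platform counts of endpoints on target, legacy and other protocols."""
    summary = defaultdict(lambda: {"target": 0, "legacy": 0, "other": 0})
    for r in latest_successful_auth(records, now, window_days).values():
        proto = r["auth_protocol"]
        if proto in TARGET_PROTOCOLS:
            bucket = "target"
        elif proto in LEGACY_PROTOCOLS:
            bucket = "legacy"
        else:
            bucket = "other"
        summary[r["endpoint_profile"]][bucket] += 1
    return dict(summary)


def legacy_endpoints_by_platform(records, now, window_days=30):
    """Endpoints whose newest passed auth still used MSCHAPv2, per platform."""
    by_platform = defaultdict(list)
    for mac, r in latest_successful_auth(records, now, window_days).items():
        if r["auth_protocol"] in LEGACY_PROTOCOLS:
            by_platform[r["endpoint_profile"]].append(mac)
    return {p: sorted(macs) for p, macs in by_platform.items()}


def mschapv2_can_be_disabled(records, now, window_days=30):
    """True only when no endpoint in the window last authenticated with MSCHAPv2."""
    return not legacy_endpoints_by_platform(records, now, window_days)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for platform, counts in sorted(migration_summary(recs, SAMPLE_NOW).items()):
        print(f"{platform:24} {counts}")
    print("still on MSCHAPv2:", legacy_endpoints_by_platform(recs, SAMPLE_NOW))
    print("safe to disable MSCHAPv2:", mschapv2_can_be_disabled(recs, SAMPLE_NOW))
```

Run it once per platform wave against a fresh export: the per-platform table is the "ISE validation after each platform deploys" evidence, and the final boolean is the gate for removing MSCHAPv2 from the allowed protocols. Keeping the window at 30 days matches the device count in the summary table, so endpoints that have not been on the network recently (out-of-band devices, spare laptops) surface as a separate follow-up rather than silently disappearing from the count.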
Business Justification
MSCHAPv2 weaknesses:
- Vulnerable to offline dictionary attacks
- NTLM hash can be cracked if captured
- No mutual authentication by default
- Credentials exposed during authentication

EAP-TLS/EAP-TEAP benefits:
- Strongest wireless/wired security
- Mutual authentication (client + server)
- No credentials transmitted over the air
- Revocation capability via CRL/OCSP
Related Documentation
- ise-windows::partials/eaptls-vs-mschapv2-comparison.adoc[EAP-TLS vs MSCHAPv2]
- Cisco ISE EAP-TLS Configuration Guide
- Intune Certificate Deployment
- JAMF PKI Certificates
Sub-Pages
- Data Shape Analysis - Comprehensive schema analysis of all ISE datasets (7 files, 2 environments)
- Planning - Migration waves, timeline, stakeholders
- Implementation - ISE policy changes, monitoring, progress
- Decisions & Risks - Decision log, risks, rollback
Metadata
| Field | Value |
|---|---|
| PRJ ID | PRJ-CHLA-MSCHAPV2-MIGRATION |
| Author | Evan |
| Date Created | 2026-03-16 |
| Last Updated | 2026-03-16 |
| Status | 10% Complete |
| Next Review | 2026-04-01 |