MSCHAPv2 to Certificate Migration

Executive Summary

Password-based 802.1X (MSCHAPv2) presents significant security risks:

  • Credential theft via phishing

  • Relay attacks

  • Brute force attacks

  • No device attestation

This guide provides a phased approach to migrate to certificate-based authentication.

Migration Phases

Phase     Scope                            Method                                Timeline
Phase 1   Managed devices (domain-joined)  EAP-TLS                               Weeks 1-4
Phase 2   BYOD devices                     EAP-TEAP (cert + password fallback)   Weeks 5-8
Phase 3   MSCHAPv2 sunset                  Policy enforcement                    Week 9+

Success Criteria

  • 100% managed devices on EAP-TLS

  • BYOD devices using EAP-TEAP

  • MSCHAPv2 disabled in allowed protocols

  • No password-based authentications in logs

Risk Mitigation

Fallback Strategy

During the transition, maintain the ability to:

  • Re-enable MSCHAPv2 if critical issues arise

  • Extend timelines if adoption is too slow

  • Provide help desk support for certificate issues

Communication Plan

  1. IT Staff: Training on certificate troubleshooting

  2. End Users: Email notification of changes

  3. Help Desk: Updated runbooks for cert issues

Metrics

Tracking Progress

-- Authentication method distribution over the last 7 days
-- (SYSDATE - 7 is seven days ago in Oracle date arithmetic)
SELECT AUTHENTICATION_PROTOCOL, COUNT(*) AS AUTH_COUNT
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
GROUP BY AUTHENTICATION_PROTOCOL
ORDER BY AUTH_COUNT DESC;

Target State

EAP-TLS:      70%+  (managed devices)
EAP-TEAP:     25%   (BYOD with certs)
MSCHAPv2:     <5%   (transition, declining)
→ MSCHAPv2:   0%    (final state)
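The tracking query above returns raw counts, while the Success Criteria and Target State are expressed as shares and as an end state of zero password-based authentications. The following queries are an added example, not part of the original plan, that turns the same table into a pass/fail view against those targets. They assume the same RADIUS_AUTHENTICATIONS table and AUTHENTICATION_PROTOCOL / TIMESTAMP_TIMEZONE columns used above, Oracle syntax (as SYSDATE implies), and that password-based methods can be recognised by the substring MSCHAP in the protocol label; that last point is an assumption about how the log names protocols and should be checked against real rows before relying on it.

```sql
-- Added example, not part of the original migration plan.
-- Assumes: RADIUS_AUTHENTICATIONS table, AUTHENTICATION_PROTOCOL and
-- TIMESTAMP_TIMEZONE columns (as in the tracking query), Oracle syntax.
-- Thresholds come from the Target State section: EAP-TLS 70%+,
-- EAP-TEAP 25%, MSCHAPv2 below 5% in transition and 0% at the end.

-- 1. Protocol share over the last 7 days, flagged against the targets.
WITH per_protocol AS (
  SELECT AUTHENTICATION_PROTOCOL,
         COUNT(*) AS AUTH_COUNT,
         -- share of all authentications in the window, two decimals
         ROUND(100 * COUNT(*) / SUM(COUNT(*)) OVER (), 2) AS PCT
  FROM   RADIUS_AUTHENTICATIONS
  WHERE  TIMESTAMP_TIMEZONE > SYSDATE - 7
  GROUP  BY AUTHENTICATION_PROTOCOL
)
SELECT AUTHENTICATION_PROTOCOL,
       AUTH_COUNT,
       PCT,
       CASE
         -- Assumption: password-based methods carry "MSCHAP" in the label
         -- (plain MSCHAPv2, or an MSCHAPv2 inner method under PEAP or the
         -- EAP-TEAP password fallback). Matching loosely and case-insensitively
         -- keeps every password-based authentication in the MSCHAP bucket,
         -- which is what the "no password-based authentications" criterion needs.
         WHEN UPPER(AUTHENTICATION_PROTOCOL) LIKE '%MSCHAP%' AND PCT >= 5
           THEN 'FAIL: MSCHAPv2 above the 5% transition ceiling'
         WHEN UPPER(AUTHENTICATION_PROTOCOL) LIKE '%MSCHAP%'
           THEN 'WARN: MSCHAPv2 still present, must reach 0% before sunset'
         WHEN UPPER(AUTHENTICATION_PROTOCOL) LIKE '%EAP-TLS%' AND PCT < 70
           THEN 'BELOW: EAP-TLS target is 70%+'
         WHEN UPPER(AUTHENTICATION_PROTOCOL) LIKE '%TEAP%' AND PCT < 25
           THEN 'BELOW: EAP-TEAP target is 25%'
         ELSE 'OK'
       END AS TARGET_STATUS
FROM   per_protocol
ORDER  BY AUTH_COUNT DESC;

-- 2. Daily MSCHAPv2 count over the last 30 days. The Phase 3 gate is a
--    sustained run of days with no password-based authentications; days
--    with no matching rows are simply absent from the output, which is the
--    desired end state. TRUNC() drops the time-of-day part so rows group by day.
SELECT TRUNC(TIMESTAMP_TIMEZONE) AS AUTH_DAY,
       COUNT(*)                  AS MSCHAPV2_COUNT
FROM   RADIUS_AUTHENTICATIONS
WHERE  TIMESTAMP_TIMEZONE > SYSDATE - 30
  AND  UPPER(AUTHENTICATION_PROTOCOL) LIKE '%MSCHAP%'
GROUP  BY TRUNC(TIMESTAMP_TIMEZONE)
ORDER  BY AUTH_DAY;
```

Run the first query weekly as the progress report for each phase; a FAIL row on MSCHAPv2 or a BELOW row on EAP-TLS is the signal to invoke the fallback strategy (extend the timeline or escalate help desk support) rather than proceed to the next phase. Run the second query before disabling MSCHAPv2 in the allowed protocols: only an empty result over the most recent days satisfies the "no password-based authentications in logs" criterion.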