Phase 3: MSCHAPv2 Sunset

Overview

Final phase: completely disable MSCHAPv2 and enforce certificate-based authentication.

Prerequisites

  • Phase 1 complete: All managed devices on EAP-TLS

  • Phase 2 complete: BYOD devices on EAP-TEAP with certs

  • MSCHAPv2 usage < 5% of authentications

  • Executive approval for enforcement

Pre-Sunset Verification

Remaining MSCHAPv2 Users

-- LIKE catches both EAP-MSCHAPv2 and PEAP with an MSCHAPv2 inner method,
-- matching the two protocol options disabled in Step 2 and the Step 3 monitor
SELECT DISTINCT USERNAME, CALLING_STATION_ID, NAS_IP_ADDRESS
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_PROTOCOL LIKE '%MSCHAP%'
AND TIMESTAMP_TIMEZONE > SYSDATE - 30
ORDER BY USERNAME

Contact Remaining Users

  1. Export list of remaining MSCHAPv2 users

  2. Send final warning email

  3. Offer help desk support for certificate enrollment

  4. Set firm deadline

Enforcement Steps

Step 1: Warning Period (1 week)

Configure CoA for MSCHAPv2 users:

Authorization Policy:
Rule: MSCHAPv2-Warning
Condition: Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
Result:
  - VLAN: Warning
  - Redirect to enrollment portal
  - Reauthentication timer: 4 hours

Step 2: Disable MSCHAPv2

  1. Navigate to Policy > Policy Elements > Allowed Protocols

  2. Edit protocol policy

  3. Uncheck:

    • Allow EAP-MSCHAPv2

    • Allow PEAP with MSCHAPv2 inner

Step 3: Monitor

-- Should return 0 rows
SELECT COUNT(*)
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_PROTOCOL LIKE '%MSCHAP%'
AND TIMESTAMP_TIMEZONE > SYSDATE - 1

Rollback Procedure

If the cutover causes critical business impact:

# 1. Re-enable MSCHAPv2 in Allowed Protocols
# 2. Remove warning/deny policies
# 3. Communicate timeline extension

Post-Sunset

Documentation Update

  • Update security policies

  • Archive MSCHAPv2 configuration

  • Document lessons learned

Compliance Reporting

-- Certificate-based auth percentage: EAP-TLS (Phase 1) plus EAP-TEAP (Phase 2 BYOD)
-- Adjust the EAP-TEAP label if the view records it under a different name
SELECT
  SUM(CASE WHEN AUTHENTICATION_PROTOCOL IN ('EAP-TLS', 'EAP-TEAP') THEN 1 ELSE 0 END) * 100.0 /
  COUNT(*) AS CERT_PERCENTAGE
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
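The three queries in this runbook (remaining MSCHAPv2 users, the post-disable monitor, and the certificate-based percentage) each answer one question against the live database. The script below is an added example, not part of the original runbook, that evaluates the same gates over a CSV export of the RADIUS_AUTHENTICATIONS view, so the numbers can be reviewed offline before the change window. It assumes the export carries the columns the queries use (USERNAME, CALLING_STATION_ID, NAS_IP_ADDRESS, AUTHENTICATION_PROTOCOL, TIMESTAMP_TIMEZONE) and that protocol labels match those in the queries; the sample rows, the 5% threshold as a prerequisite gate, and the fixed "now" standing in for SYSDATE are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of the RADIUS_AUTHENTICATIONS view (hypothetical
# users, MACs and NAS addresses; protocol labels follow the runbook's queries).
SAMPLE_EXPORT = """\
USERNAME,CALLING_STATION_ID,NAS_IP_ADDRESS,AUTHENTICATION_PROTOCOL,TIMESTAMP_TIMEZONE
alice,00-11-22-33-44-01,10.0.0.1,EAP-TLS,2024-05-30 08:00:00
bob,00-11-22-33-44-02,10.0.0.1,PEAP (EAP-MSCHAPv2),2024-05-29 08:05:00
bob,00-11-22-33-44-02,10.0.0.1,PEAP (EAP-MSCHAPv2),2024-05-28 17:40:00
carol,00-11-22-33-44-03,10.0.0.2,EAP-TEAP,2024-05-30 09:00:00
dave,00-11-22-33-44-04,10.0.0.2,EAP-TLS,2024-05-30 09:10:00
alice,00-11-22-33-44-01,10.0.0.1,EAP-TLS,2024-05-30 10:00:00
erin,00-11-22-33-44-05,10.0.0.3,EAP-MSCHAPv2,2024-04-15 07:00:00
frank,00-11-22-33-44-06,10.0.0.3,EAP-TLS,2024-05-30 11:00:00
grace,00-11-22-33-44-07,10.0.0.3,EAP-TEAP,2024-05-30 12:00:00
heidi,00-11-22-33-44-08,10.0.0.1,EAP-TLS,2024-05-30 13:00:00
ivan,00-11-22-33-44-09,10.0.0.2,EAP-TLS,2024-05-30 14:00:00
judy,00-11-22-33-44-10,10.0.0.2,EAP-TLS,2024-05-30 15:00:00
"""

# Fixed stand-in for SYSDATE so the example is deterministic (assumption).
NOW = datetime(2024, 5, 31, 0, 0, 0)

# Labels treated as certificate-based: EAP-TLS (Phase 1) and EAP-TEAP (Phase 2).
# Assumption: the export uses the runbook's labels; adjust if yours differ.
CERT_PROTOCOLS = ("EAP-TLS", "EAP-TEAP")


def load_export(text):
    """Parse the CSV export into dicts, adding a real datetime for the timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["TIMESTAMP"] = datetime.strptime(rec["TIMESTAMP_TIMEZONE"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def in_window(rows, now, days):
    """Equivalent of the SQL filter TIMESTAMP_TIMEZONE > SYSDATE - days."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r["TIMESTAMP"] > cutoff]


def uses_mschap(protocol):
    """Mirror LIKE '%MSCHAP%': EAP-MSCHAPv2 and PEAP with an MSCHAPv2 inner method."""
    return "MSCHAP" in protocol.upper()


def is_certificate_based(protocol):
    return any(label in protocol for label in CERT_PROTOCOLS)


def remaining_mschap_users(rows, now, days=30):
    """Distinct (user, endpoint, NAS) still using MSCHAPv2, with last-seen time."""
    seen = {}
    for r in in_window(rows, now, days):
        if not uses_mschap(r["AUTHENTICATION_PROTOCOL"]):
            continue
        key = (r["USERNAME"], r["CALLING_STATION_ID"], r["NAS_IP_ADDRESS"])
        if key not in seen or r["TIMESTAMP"] > seen[key]:
            seen[key] = r["TIMESTAMP"]
    return [
        {"username": u, "calling_station_id": mac, "nas_ip_address": nas, "last_seen": ts}
        for (u, mac, nas), ts in sorted(seen.items())
    ]


def protocol_share(rows, now, predicate, days=30):
    """Percentage of authentications in the window whose protocol matches predicate."""
    window = in_window(rows, now, days)
    if not window:  # the SQL version would divide by zero here
        return 0.0
    hits = sum(1 for r in window if predicate(r["AUTHENTICATION_PROTOCOL"]))
    return hits * 100.0 / len(window)


def mschap_share(rows, now, days=30):
    return protocol_share(rows, now, uses_mschap, days)


def cert_percentage(rows, now, days=30):
    return protocol_share(rows, now, is_certificate_based, days)


def sunset_gate(rows, now, threshold_pct=5.0):
    """Prerequisite check: MSCHAPv2 usage must be below the threshold before enforcement."""
    pct = mschap_share(rows, now)
    return {"mschap_pct": pct, "gate_passed": pct < threshold_pct}


def post_disable_check(rows, now):
    """Step 3 monitor: MSCHAPv2 authentications in the last day; expect 0 after disable."""
    return sum(1 for r in in_window(rows, now, 1) if uses_mschap(r["AUTHENTICATION_PROTOCOL"]))


if __name__ == "__main__":
    data = load_export(SAMPLE_EXPORT)
    print("Gate:", sunset_gate(data, NOW))
    for u in remaining_mschap_users(data, NOW):
        print("Remaining:", u)
    print("MSCHAPv2 auths in last 24h:", post_disable_check(data, NOW))
    print("Certificate-based: %.2f%%" % cert_percentage(data, NOW))
```

Note the difference between the two MSCHAPv2 measures on the sample data: the 24-hour monitor returns 0 because bob's last MSCHAPv2 authentication is two days old, while the 30-day gate still reports him and fails the 5% threshold. Run the gate before Step 2 and the monitor after it.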

Success Criteria

  • 0% MSCHAPv2 authentications

  • 100% certificate-based authentication

  • No unauthorized access incidents

  • Compliance requirements met