
Securing a wireless network with PEAP/MSCHAP may require Windows AD

PEAP/MSCHAP is by far the most popular method for authenticating wireless clients using 'domain' credentials. The main reason for its popularity is its native support in Windows XP and later. However, the use of PEAP/MSCHAP should not be taken for granted. If you do not have Windows Active Directory, you probably need to look for alternatives. This article explains why.

MSCHAP requires NT-hashed or cleartext passwords

The RADIUS server acting as the TLS tunnel endpoint is responsible for validating the user's credentials through an MSCHAP exchange. For this purpose it needs access to all user passwords. MSCHAP requires that the passwords in the database be stored in clear text or in NT-hashed format.

Storing passwords in cleartext is not a good idea

The clear-text alternative is unsuitable for security reasons. Most password databases store hashed versions of user passwords. If a malicious user obtains the list of hashed passwords, he cannot impersonate the user, since the clear-text password is needed in most protocol exchanges (MSCHAP, Kerberos, etc.).

Nobody supports NT-hashed passwords except Windows AD

This places a constraint on the database that can be used. For instance, LDAP, a very popular solution for storing user accounts, does not support the NT hash. This means that using MSCHAP tunneling methods such as the popular PEAP/MSCHAP with an LDAP database is only possible if the passwords are stored in clear text. This constraint implies lowering the security level of the main user database, which is not a good idea.

Deploying EAP methods that tunnel MSCHAP is thus only suitable if the user database contains NT-hashed passwords. This restricts the use of such methods to infrastructures using MS Active Directory.
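
To make the constraint concrete, the following added example (not part of the original article) models which stored-credential formats give a RADIUS server the NT hash that MSCHAP needs. The scheme labels `{CLEARTEXT}` and `{NT}`, the function names and the sample records are assumptions made for illustration; `{SSHA}` is the salted SHA-1 format commonly used for LDAP `userPassword`, and MD4 is implemented inline so the block does not depend on the local OpenSSL build.

```python
import base64, hashlib, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in OpenSSL 3."""
    mask = 0xFFFFFFFF
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = [  # (boolean function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + f(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles: ABCD -> DABC
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def mschap_secret(stored: str):
    """NT hash the RADIUS server can obtain from one stored credential, else None."""
    scheme, _, value = stored[1:].partition("}")
    if scheme == "CLEARTEXT":
        return nt_hash(value)          # derivable on the fly
    if scheme == "NT":
        return bytes.fromhex(value)    # usable as stored
    return None                        # salted one-way hash: no path to MD4(UTF-16LE(pw))

# Constructed sample records; scheme labels {CLEARTEXT} and {NT} are illustrative.
SALT = b"\x01\x02\x03\x04"
RECORDS = {
    "cleartext": "{CLEARTEXT}password",
    "nt": "{NT}" + nt_hash("password").hex(),
    "ssha": "{SSHA}" + base64.b64encode(
        hashlib.sha1(b"password" + SALT).digest() + SALT).decode(),
}
```

The `{SSHA}` record can still verify a password that is presented to the server, but in an MSCHAP exchange the password is never presented, so `mschap_secret` returns `None` for it.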


PEAP/MSCHAP requires that passwords be stored in clear text or in NT-hash format. Only Windows AD, AFAIK, can store NT-hashed passwords. What to do if you don't have Windows AD? You have two options: store your passwords in clear text and accept the related risks, or don't use PEAP/MSCHAP at all and look for other methods such as EAP-TLS, which uses client certificates rather than domain credentials. But then you have to deal with maintaining a public key infrastructure (ouch).

