Educause Security Discussion mailing list archives
Re: Password Change/Reset for non domain users an 802.1x NAC setup
From: "tomasf () sfsu edu" <tomasf () SFSU EDU>
Date: Thu, 16 Nov 2017 23:25:03 +0000
Hello All,

Just on the topic of MS-CHAPv2, Microsoft has posted advisories since 2012 when Moxie Marlinspike demonstrated at DEF CON 20 that MS-CHAPv2 only provides the security of single DES. As Jason mentioned, EAP-TLS is generally considered the most compatible and secure replacement, but it has the downside of needing client-side certificates for authentication.

Microsoft Advisories:
https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2743314

Moxie's excellent talk on the topic of MS-CHAPv2:
https://www.youtube.com/watch?v=gkPvZDcrLFk

NIST withdrawing support for DES in 2005:
https://tools.ietf.org/html/rfc6649#ref-DES-Withdrawal

Best,
--
Tomáš Furmánek
Systems Administrator
Academic Technology at San Francisco State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Youngers
Sent: Thursday, November 16, 2017 11:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Change/Reset for non domain users an 802.1x NAC setup

Just a heads up that Microsoft is recommending a move away from MSCHAPv2 based connections. For those who are considering Credential Guard, I believe MSCHAPv2 is not supported and we must move to TLS.
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-considerations

Thanks,
Jason

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Francisco Chavez
Sent: Tuesday, November 14, 2017 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Change/Reset for non domain users an 802.1x NAC setup

If you have 802.1x configured to use EAP-MSCHAPv2 (Microsoft) this will automatically prompt the user to update his/her password on the device. This method works for both Macs and PCs.

If someone forgot their password and couldn't get into their account... you could set up a quarantine policy with the NAC that would have a walled garden with limited access to a password reset utility or similar service.

I.e.:
VLAN (A) 802.1X
VLAN (B) Quarantine VLAN (Walled Garden)

Regards,
- Francisco Chavez
-----------------------------------------------------------------------------------
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu

On Nov 14, 2017, at 7:42 AM, Ronald King <ronald.king () MORGAN EDU> wrote:

We have had a similar conundrum. It also impacts those that have had a password expire. Do you have a Quarantine VLAN the computer can be moved to that allows access to whitelisted systems that include a password reset tool?

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world

On Tue, Nov 14, 2017 at 7:52 AM, Wessam Maher <0000001fe3498f17-dmarc-request () listserv educause edu> wrote:

Hi All,

I am willing to get suggestions on how to implement password change/reset on 802.1x NAC setup, for example if I am a student and my PC is not on domain and I forgot my password, how can I login to change/reset my password while 802.1x network authentication can't allow me to get an IP to communicate initially.....

Appreciate your suggestions

Best Regards,
Wessam Maher CGEIT, CRISC, CISSP
Principal Campus Information Security Officer - PCISO
Office of Information Technology
The American University in Cairo
E wessam.maher () aucegypt edu • T +2022615.3543 W www.aucegypt.edu
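A concrete version of the quarantine VLAN and walled garden that Francisco and Ronald describe, added here as an illustration and not taken from any message in the thread. It assumes a Cisco IOS access switch with VLAN 10 as the authenticated VLAN and VLAN 20 as the quarantine VLAN, and uses constructed placeholder addresses (192.0.2.10 for the password reset portal, 192.0.2.53 for DNS, 192.0.2.67 for DHCP).

```cisco
! Access port: a successful 802.1X exchange lands in VLAN 10; a failed or
! expired credential, or a client with no supplicant, is parked in VLAN 20.
! Periodic re-authentication lets the port move back to VLAN 10 after the
! user has reset the password, without a cable pull.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication periodic
 authentication timer reauthenticate 600
 dot1x pae authenticator
!
! Walled garden for the quarantine VLAN: DHCP, DNS and HTTPS to the reset
! portal only. Everything else is dropped and logged, which also gives the
! SOC a signal for devices that sit in quarantine and probe the network.
! Addresses are constructed placeholders, not real infrastructure.
ip access-list extended QUARANTINE-WALLED-GARDEN
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
interface Vlan20
 description Quarantine / password reset walled garden
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 192.0.2.67
 ip access-group QUARANTINE-WALLED-GARDEN in
```

The reset portal itself still has to authenticate the user by some second factor (for example an out-of-band code), since the whole point of the quarantine VLAN is that the device arrives there without valid credentials.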
Current thread:
- Password Change/Reset for non domain users an 802.1x NAC setup Wessam Maher (Nov 14)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup Ronald King (Nov 14)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup Francisco Chavez (Nov 14)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup Jason Youngers (Nov 16)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup tomasf () sfsu edu (Nov 16)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup Francisco Chavez (Nov 14)
- Re: Password Change/Reset for non domain users an 802.1x NAC setup Ronald King (Nov 14)