Educause Security Discussion mailing list archives

Re: Password Change/Reset for non domain users an 802.1x NAC setup


From: "tomasf () sfsu edu" <tomasf () SFSU EDU>
Date: Thu, 16 Nov 2017 23:25:03 +0000

Hello All,

Just on the topic of MS-CHAPv2, Microsoft has posted advisories since 2012 when Moxie Marlinspike demonstrated at DEF CON 20 that MS-CHAPv2 only provides the security of single DES.
As Jason mentioned, EAP-TLS is generally considered the most compatible and secure replacement, but it has the downside of needing client-side certificates for authentication.

Microsoft Advisories:
https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2743314

Moxie’s excellent talk on the topic of MS-CHAPv2:
https://www.youtube.com/watch?v=gkPvZDcrLFk

NIST withdrawing support for DES in 2005:
https://tools.ietf.org/html/rfc6649#ref-DES-Withdrawal

Best,

--
Tomáš Furmánek
Systems Administrator
Academic Technology at San Francisco State University
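An added example (not code from this thread, the advisories or the talk) of why those advisories rate MS-CHAPv2 at single-DES strength: per RFC 2759 section 8.5, the 16-byte NT hash is padded with five zero bytes and split into three 7-byte DES keys, so the third key has only 16 secret bits, and all three DES blocks encrypt the same 8-byte challenge hash. The NT hash fed in is a constructed sample value; no DES and no brute force is performed, only the key schedule and the resulting key-space arithmetic.

```python
"""Added example, not code from the list thread: the DES key split behind the
MS-CHAPv2 NT-Response (RFC 2759, section 8.5) and the key-space size it leaves.
Only the key schedule is shown; nothing here encrypts or searches."""
from typing import Dict, List


def des_key_from_7_bytes(key7: bytes) -> bytes:
    """Expand 7 key bytes into an 8-byte DES key: 7 key bits per byte plus an odd-parity bit."""
    assert len(key7) == 7
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 key bits, most significant first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:       # DES keys carry odd parity in the low bit
            byte |= 1
        out.append(byte)
    return bytes(out)


def split_nt_hash(nt_hash: bytes) -> List[bytes]:
    """RFC 2759 8.5: ZPasswordHash = NT hash + five zero bytes, used as three DES keys."""
    assert len(nt_hash) == 16
    z = nt_hash + b"\x00" * 5
    return [des_key_from_7_bytes(z[i:i + 7]) for i in (0, 7, 14)]


def secret_bits_per_key() -> List[int]:
    """Secret bits in each DES key: 7 hash bytes, 7 hash bytes, then 2 hash bytes + 5 known zeros."""
    hash_len = 16
    return [(min(start + 7, hash_len) - start) * 8 for start in (0, 7, 14)]


def search_space_summary() -> Dict[str, int]:
    """Candidate counts an attacker would face; each block encrypts the same challenge hash,
    so one pass over the 2^56 DES key space matches both the first and second block."""
    k1, k2, k3 = secret_bits_per_key()
    return {
        "third_key_candidates": 2 ** k3,                    # 65536: trivially enumerable
        "independent_blocks": 2 ** k1 + 2 ** k2 + 2 ** k3,  # each block recovered separately
        "single_des_pass_candidates": 2 ** k1 + 2 ** k3,    # about 2^56, i.e. single DES
    }


if __name__ == "__main__":
    sample_nt_hash = bytes(range(16))                       # constructed sample, not a real hash
    for n, k in enumerate(split_nt_hash(sample_nt_hash), 1):
        print(f"DES key {n}: {k.hex()}")
    print(search_space_summary())
```

The third key's last five bytes are always the parity-expanded zero padding, which is why it is the cheapest part of the response to recover and why the thread's advice to move to EAP-TLS stands.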

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Youngers
Sent: Thursday, November 16, 2017 11:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Change/Reset for non domain users an 802.1x NAC setup

Just a heads up that Microsoft is recommending a move away from MSCHAPv2 based connections. For those who are considering Credential Guard, I believe MSCHAPv2 is not supported and we must move to TLS.

https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-considerations

Thanks,
Jason

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Francisco Chavez
Sent: Tuesday, November 14, 2017 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Change/Reset for non domain users an 802.1x NAC setup

If you have 802.1x configured to use EAP-MSCHAPv2 (Microsoft), this will automatically prompt the user to update his/her password on the device. This method works for both Macs and PCs. If someone forgot their password and couldn’t get into their account… you could set up a quarantine policy with the NAC that would have a walled garden with limited access to a password reset utility or similar service.

I.e. VLAN (A) 802.1X
     VLAN (B) Quarantine VLAN (Walled Garden)


Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu

On Nov 14, 2017, at 7:42 AM, Ronald King <ronald.king () MORGAN EDU> wrote:

We have had a similar conundrum. It also impacts those that have had a password expire. Do you have a Quarantine VLAN the computer can be moved to that allows access to whitelisted systems that include a password reset tool?

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Tue, Nov 14, 2017 at 7:52 AM, Wessam Maher <0000001fe3498f17-dmarc-request () listserv educause edu> wrote:
Hi All,

I am willing to get suggestions on how to implement password change/reset on an 802.1x NAC setup. For example, if I am a student and my PC is not on the domain and I forgot my password, how can I log in to change/reset my password while 802.1x network authentication can't allow me to get an IP to communicate initially.....

Appreciate your suggestions


Best Regards,

Wessam Maher CGEIT, CRISC, CISSP
Principal Campus Information Security Officer - PCISO
Office of Information Technology
The American University in Cairo
E wessam.maher () aucegypt edu • T +2022615.3543
W www.aucegypt.edu
