InkBridge Networks - A new name for Network RADIUS

It’s Finally Time to Replace NTLM

Alan DeKok, CEO

With Microsoft deprecating MS-CHAP and NTLM, it’s time for enterprise networks to switch to a more secure authentication method: TTLS. 

Microsoft is finally deprecating its 30-year-old MS-CHAP and NTLM protocols, 14 years after the company recommended against using NTLM in applications. What does that mean for corporate networks? 

It means it’s time to wean ourselves off this long-standing method. The main use of the legacy protocols is to authenticate users via MS-CHAP or PEAP/MS-CHAPv2 against Active Directory.  This use of the protocol is not visible to end users, but it is a continuing source of pain to RADIUS administrators. 

Version 2 of NTLM (New Technology LAN Manager) dates from Windows NT 4.0 in the 1990s.  Since 2010 Microsoft has recommended against using NTLM, for good reason: it is insecure, and has been broken for over a decade.  Anyone who can capture an NTLM or MS-CHAPv2 exchange on the network can attack it offline.  An MS-CHAPv2 exchange can be cracked to recover the user’s NT hash, which is all an attacker needs to authenticate as that user, and NTLM challenge/response pairs can be cracked against a password list.  That’s a bad security hole.  Moving the exchange onto a management VLAN helps a little bit, but it’s not the ideal solution. 

The problem is that historically, Microsoft also limited EAP methods to pretty much EAP-TLS, EAP-MSCHAPv2, and PEAP/MS-CHAPv2.  EAP-TLS is seen as hard to configure, so everyone who used EAP with Windows deployed PEAP/MS-CHAPv2.  That limitation then meant that the only way to authenticate those users was to run NPS, or use NTLM to talk to Active Directory. 

The result is that NTLM is pervasive. Removing it breaks the legacy methods that depend on it, MS-CHAP and PEAP/MS-CHAPv2, but it’s time to bite the bullet. Many IT departments have had this on their list of “nice but not necessary” projects for several years.  Windows 11 is now deprecating MS-CHAP entirely, and in some cases won’t even let you enable EAP-MSCHAPv2 or PEAP/MS-CHAPv2! 

Microsoft has said that the Negotiate protocol will replace NTLM, but that doesn’t help RADIUS administrators.  Instead, we suggest switching to PAP and EAP-TTLS in order to avoid NTLM entirely. 

We have always recommended using PAP instead of CHAP or MS-CHAP.  We have an article that explains in detail why you never want to use CHAP or MS-CHAP, and why PAP is always better (https://networkradius.com/articles/2022/04/11/is-pap-secure.html). 

Can I disable NTLM? 

A bit of background: Active Directory is Microsoft’s solution for corporate IT. It handles identity management: who you are, which departments you belong to, and what your password is. Microsoft allows its applications to query Active Directory for the information they need.   Being Microsoft, its own applications like NPS have special privileges to query Active Directory in a way that FreeRADIUS can’t. 

But non-Windows applications still need a method to interact with Active Directory.  For networks using RADIUS, NTLM was the only way for a non-Windows server to validate MS-CHAP credentials against Active Directory.  That’s now going away, so what’s next? 

In our experience, you can disable NTLM and move away from MS-CHAP and PEAP to EAP-TTLS with inner PAP instead.  It’s not “just as secure” as PEAP/MS-CHAPv2, it’s more secure.  When MS-CHAP is used, the passwords must be stored in Active Directory (or Microsoft Entra ID) in a password-equivalent form: the unsalted NT hash from which every MS-CHAPv2 response is computed.  Anyone holding that hash can authenticate as the user without ever learning the password.  This means any data breach is catastrophic: an attacker gets working credentials for all users. 

In contrast, when TTLS+PAP is used, the RADIUS server receives the password itself, so the back-end database can store passwords securely “at rest” as salted, iterated hashes.  And you shouldn’t worry about the “PAP” portion of TTLS.  The password there is secured in transit using the same method (TLS) that you use to log into any web site.  So if you have ever typed your password into a web form (Facebook, Microsoft Outlook, etc.), you shouldn’t be worried about TTLS: it’s exactly the same.  The one thing that matters, exactly as on the web, is that the client validates the server certificate; a supplicant configured to skip that check would hand the password to whoever stands up a rogue access point. 

EAP-TTLS is frequently used in enterprises and education organizations to provide secure authentication for wireless networks. It supports multiple “inner” authentication methods (not just PAP!) and uses TLS to secure communication between the supplicant and the RADIUS server. 

Deprecating NTLM is a Microsoft power play 

Windows has historically mainly supported PEAP authentication for WiFi access or for wired network access with authentication. PEAP supports a small number of inner methods, but the most common is EAP-MSCHAPv2.  The result was that the only way for all the pieces to be compatible in a non-Windows authentication request was to take the MS-CHAP data and send it over NTLM to Active Directory. 

As people are running into problems with the Microsoft-backed PEAP technology, Microsoft is deprecating all of the pieces related to PEAP and MS-CHAP in Windows 11. 


This is why we always recommend using PAP instead of MS-CHAP. It gives you control over your data. 

We have strong opinions regarding these two options. Of the many authentication protocols, we generally recommend PAP. It is compatible with all known back-end databases and, carried inside the TLS tunnel of EAP-TTLS, has no known security issues. We have written extensively about the strengths of PAP vs. MS-CHAP (Is PAP secure?, MS-CHAP is Dead).  While you can find other opinions on the net, a careful check shows that they all share common flaws.  Each article claiming “CHAP is more secure than PAP” is little more than a cut & paste of similar articles going back decades.  Even worse, those articles are written by people who have no experience in network security. 

Our recommendation to use PAP is based on decades of network security expertise, by experts who have written many of the standards in the space.  As such, we think your network will be made more secure by following the advice of security experts, instead of the advice of random journalists. 

Using TTLS+PAP means not only that your network is more secure, it also means that you can avoid MS-CHAP and NTLM entirely, which means you can continue to use Active Directory and Microsoft Entra ID.  When FreeRADIUS checks the password against AD or Entra ID, it again uses the industry standard TLS protocol (for example an LDAPS bind to a domain controller), which is secure. 
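As an added example, not taken from this article or from the FreeRADIUS distribution, here is the shape of a FreeRADIUS 3.x configuration that offers only EAP-TTLS, carries inner PAP, and validates that password with an LDAPS bind to Active Directory, so neither NTLM, ntlm_auth nor winbind is involved. The host names, DNs, certificate paths and the service-account credentials are placeholders to be replaced with your own.

```conf
# mods-available/eap: offer only TTLS.  There is no peap {} or mschapv2 {}
# section, so MS-CHAPv2 is never negotiated and NTLM is never needed.
eap {
	default_eap_type = ttls

	tls-config tls-common {
		certificate_file = ${certdir}/radius.example.com.pem
		private_key_file = ${certdir}/radius.example.com.key
		ca_file = ${cadir}/corp-ca.pem
		tls_min_version = "1.2"
	}

	ttls {
		tls = tls-common
		# Inner PAP travels as Diameter AVPs inside the tunnel, not as EAP,
		# so default_eap_type only matters if a client sends inner EAP.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}

# mods-available/ldap: LDAPS to a domain controller.  FreeRADIUS cannot read
# AD password hashes, so the user's password is checked by binding as the user.
ldap {
	server = 'ldaps://dc1.example.com'
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
	password = 'service-account-password'
	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		ca_file = ${cadir}/corp-ca.pem
		require_cert = 'demand'
	}
}

# sites-available/inner-tunnel: the inner PAP password goes to an LDAP bind.
# The mschap module is deliberately absent from both sections.
server inner-tunnel {
	authorize {
		filter_username
		suffix
		ldap
		if ((ok || updated) && User-Password) {
			update {
				control:Auth-Type := ldap
			}
		}
		pap
	}

	authenticate {
		Auth-Type LDAP {
			ldap
		}
		pap
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

The `Auth-Type := ldap` assignment is what routes the inner PAP password to a bind against the domain controller; the `pap` module stays for local accounts that do carry a stored hash. On the client side the Windows profile selects EAP-TTLS with PAP as the non-EAP inner method and must be configured with the CA and server name it is allowed to trust, since the whole scheme rests on the supplicant validating the RADIUS server certificate before it sends the password.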

Microsoft is deprecating all the pieces that make PEAP work just as people are running into problems with that Microsoft-backed technology. Microsoft presumably thinks this will tie people more closely to its products, but we believe a switch to TTLS will help everyone.   All modern systems, including Windows, support TTLS, so it is the best choice for authenticating users via passwords. 

It’s time to replace NTLM 

Microsoft’s decision imposes a deadline on an upgrade many IT departments were in no hurry to complete. In Microsoft’s own words: “Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.” 

What Microsoft doesn’t say here is that PEAP/MS-CHAP doesn’t work with Kerberos, and will never work with Kerberos.  MS-CHAPv2 hands the RADIUS server only a challenge/response pair derived from the user’s NT hash, never the password itself, so the server has nothing it can present to a Kerberos KDC.  The credentials supplied by MS-CHAP are fundamentally incompatible with Kerberos; with PAP, the server holds the password and can verify it by an LDAPS bind or a Kerberos login. 

In conclusion, we recommend that everyone switch their Windows systems from PEAP/MS-CHAPv2 to TTLS with inner method PAP.  Doing so will enable the network to keep working with minimal disruption. We have worked with all of those protocols in enterprise settings and at ISPs. If you run into a glitch while disabling NTLM, ask us. Chances are we've run into it before, and we can solve the problem with minimal fuss. 

Need help? 

At InkBridge Networks, we've spent decades helping educational institutions build resilient, secure campus networks that balance academic freedom with robust protection. Our team includes engineers who have implemented AAA solutions for some of the world's largest university systems and contributed to the protocols that power global academic networks like eduroam. If your institution is facing network challenges or planning infrastructure updates, explore our solutions for educational institutions or request a quote for your specific needs. 

Related Articles

Is NTLM secure?

While Active Directory is widely used, it still uses insecure protocols such as NTLM. The important question many people ask is “Does turning off NTLM increase security?” The answer is “maybe”, or “it depends”, or even “no”. In order to understand these conflicting answers, we have to take a step back and look at how (and why) NTLM is used.

How to connect FreeRADIUS to Active Directory for authentication

Active Directory is widely used in the enterprise and university systems. This article describes how to connect FreeRADIUS with Active Directory, allowing you to authenticate users against your existing directory service while leveraging the power of your RADIUS server for network access control.