What should I use instead of MS-CHAP v2?
There's a new tool and service that makes it very easy to break MS-CHAP v2, which is used to secure VPNs. A good summary of the attack against MS-CHAP can be found at Ars Technica. Here's the way I currently have my VPN service running on Windows 2003 R2 SP2 configured:
Should or can I just go with EAP? My client machines that use the VPN are Windows-XP (a small number of machines which I could turn off), Windows 7, and iPads. I don't have any RADIUS routers or wifi or anything else that relies on the Windows VPN service. The EAP methods that my machine has are:
It's not actually very easy to break, and requires a man-in-the-middle attack to work. If I read the exploit correctly, it would be near impossible to do outside a lab. Pretty much anything is breakable given enough time and energy. One thing I'd recommend is moving off Server 2003 (it is 2012, and Server 2012 is about to come out) and at least looking at the SSTP VPN that's built into 2008 R2 server, or looking at directconnect as a solution. Others would be using something like a dedicated device such as a Cisco ASA 5510 and AnyConnect. If you are protecting valuable data you are going to need to have a multi-auth system as well, such as RSA SecurID fobs. Just know that pretty much any solution is hackable given the right conditions; what you are trying to do is make it as difficult as humanly possible.
PEAP protects authentication with SSL. If certificates are verified, it must be strong. http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
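The point in the answer above is the whole story with PEAP: the inner MS-CHAPv2 exchange is only as safe as the client's check of the server certificate. The following is an added example, not from the original thread or from Microsoft, that builds a client VPN profile with PEAP (MS-CHAPv2 inside TLS) and shows the weak setting (server validation off) next to the hardened one (chain validated, issuing root pinned, expected server name enforced, no user prompt). It needs the VpnClient PowerShell module (Windows 8 / Server 2012 and later), so it would not run on the XP or Server 2003 machines in the question. Assumptions: `vpn.example.com`, the connection name and the root CA thumbprint are placeholders; the EapHostConfig XML follows the Windows schema as I know it and should be compared against a profile exported from a working connection before you rely on it.

```powershell
# Added example: PEAP profile with server-certificate validation on vs. off.
# Placeholders (not from the original post): server name, root CA thumbprint.
$VpnName   = 'Corp VPN (PEAP)'
$VpnServer = 'vpn.example.com'
# Thumbprint of the CA that issued the VPN server's certificate, as the
# space-separated hex bytes the EapHostConfig schema expects (placeholder value).
$RootCaHex = '11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44'

function New-PeapEapConfig {
    # Returns EapHostConfig XML for PEAP (type 25) wrapping MS-CHAPv2 (type 26).
    # -ValidateServer $false reproduces the weak "don't validate server certificate"
    # setting: the client finishes the TLS handshake with any server, so a rogue
    # server / MITM with its own certificate collects the MS-CHAPv2 exchange.
    param(
        [string]$ServerName,
        [string]$RootCaThumbprint,
        [bool]$ValidateServer
    )
    $flag  = if ($ValidateServer) { 'true' } else { 'false' }
    $names = if ($ValidateServer) { $ServerName } else { '' }
    $root  = if ($ValidateServer) { "<TrustedRootCA>$RootCaThumbprint</TrustedRootCA>" } else { '' }
    return @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <!-- true = fail silently on a bad chain/name instead of letting the user click through -->
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>$names</ServerNames>
          $root
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>false</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <!-- crypto binding ties the inner MS-CHAPv2 result to this TLS tunnel -->
        <RequireCryptoBinding>true</RequireCryptoBinding>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$flag</PerformServerValidation>
          <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$flag</AcceptServerName>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@
}

# Weak variant, generated only so the difference is visible. Do not deploy it.
$weakXml = New-PeapEapConfig -ServerName $VpnServer -RootCaThumbprint $RootCaHex -ValidateServer $false

# Hardened variant: validate the chain, pin the issuing root, require the expected name.
[xml]$eapXml = New-PeapEapConfig -ServerName $VpnServer -RootCaThumbprint $RootCaHex -ValidateServer $true

Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Sstp `
    -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
    -EncryptionLevel Required -RememberCredential -Force

# Check what actually landed: PerformServerValidation must read "true".
(Get-VpnConnection -Name $VpnName).EapConfigXmlStream.InnerXml
```

`-TunnelType Sstp` matches the suggestion in the first answer to move to SSTP on 2008 R2 or later; the same EAP XML applies to L2TP or IKEv2 tunnels. If your own schema differs from what is assumed here, build one connection by hand in the GUI with "Validate server certificate" ticked, then export it with `Get-VpnConnection` and use that XML as the template instead.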