
Explanation:
EAP-MD5-Challenge, which is described in RFC 2284, enables a RADIUS server to authenticate a connection request by verifying an MD5 hash of a user's password. The server sends the client a random challenge value, and the client proves its identity by hashing the challenge and its password with MD5. EAP-MD5-Challenge is typically used on trusted networks where the risk of packet sniffing or active attack is fairly low. Because of significant security vulnerabilities, EAP-MD5-Challenge is not usually used on public networks or wireless networks: third parties can capture packets and apply dictionary attacks against the captured password hashes. Because EAP-MD5-Challenge does not provide server authentication, it is also vulnerable to spoofing (a third party advertising itself as an access point). By default, the EAP-MD5-Challenge password protocol is available for use by the Native and Unix authentication methods.

In the first stage of PEAP authentication, the TLS channel is created between the PEAP client and the NPS server. The following steps illustrate how this TLS channel is created for wireless PEAP clients.
Reference: https://technet.microsoft.com/en-us/library/cc754179%28v=ws.10%29.aspx.
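The challenge/response exchange described above, as an added example that is not part of the original page or of any vendor implementation: it builds the EAP MD5-Challenge Request and Response packets in the RFC 2284 layout (Code, Identifier, Length, Type 4, Value-Size, Value, Name), computes the CHAP-style proof MD5(Identifier || password || challenge), and shows the server-side verification. The username, password and fixed challenge bytes are constructed test values.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4          # Type value for MD5-Challenge in RFC 2284

def eap_md5_packet(code, identifier, value, name=b""):
    """Build one packet: Code | Identifier | Length | Type | Value-Size | Value | Name."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def parse_eap_md5_packet(pkt):
    """Split a packet into (code, identifier, value, name); reject anything malformed."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE or 6 + pkt[5] > len(pkt):
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = pkt[5]
    return code, identifier, pkt[6:6 + value_size], pkt[6 + value_size:]

def md5_response_value(identifier, password, challenge):
    """CHAP-style proof reused by EAP-MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_challenge(identifier, challenge=None):
    """Server -> client Request carrying a random challenge value (16 bytes by default)."""
    value = challenge if challenge is not None else os.urandom(16)
    return eap_md5_packet(EAP_REQUEST, identifier, value)

def client_respond(request_pkt, password, username):
    """Client -> server Response; the only secret input is the user's password."""
    code, identifier, challenge, _ = parse_eap_md5_packet(request_pkt)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    proof = md5_response_value(identifier, password, challenge)
    return eap_md5_packet(EAP_RESPONSE, identifier, proof, username)

def server_verify(response_pkt, identifier, challenge, lookup_password):
    """Server recomputes the proof from its copy of the password and compares in constant time."""
    code, resp_id, value, name = parse_eap_md5_packet(response_pkt)
    if code != EAP_RESPONSE or resp_id != identifier:
        return False                # wrong packet type, or reply to a different challenge
    password = lookup_password(name.decode("utf-8", "replace"))
    if password is None:
        return False                # unknown user
    return hmac.compare_digest(md5_response_value(identifier, password, challenge), value)

# Nothing in this exchange authenticates the server, and the proof is a plain MD5 over the
# password and a challenge that travels in the clear, so a captured challenge/response pair
# can be tested against password guesses offline; that is the weakness the text describes.
```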
Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced. Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:
A minimum of ten characters
A mixture of uppercase and lowercase letters
At least one numeric character or one non-alphanumeric character (for example: !#@$%)
No form of the user's name or user ID
A word that is not found in the dictionary (domestic or foreign)