Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
768
Views
0
Helpful
7
Replies

PEAP username over the air

jamesgef
Level 1
Level 1

‎02-21-2007 01:37 PM - edited ‎07-03-2021 01:40 PM

I have a 4404 controller with 1010APs and deciding which EAP method to use. As I was analyzing this and sniffing wireless packets, username is sent in clear over the air when authenticating with PEAP.

I was somewhat surprised and thought that was one of the limitation of LEAP but not PEAP.

Is this normal behavior?

Thx!

James

Labels:
0 Helpful
7 Replies 7

misramanish
Level 1
Level 1

‎02-21-2007 03:38 PM

Interesting post! I'm debating between PEAP and EAP-FAST myself and am really surprised to hear that you were able to capture username from your sniffer.

What encryption method are you using, btw? TKIP, CCMP or AES? Of the three, I have heard that AES will provide highest encryption (which in theory should totally encrypt all user credentials).

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to misramanish

‎02-21-2007 05:46 PM

What 802.1X supplicant is at work here?

0 Helpful

jamesgef
Level 1
Level 1
In response to jafrazie

‎02-21-2007 06:44 PM

Controller is set only for WPA2 with AES encryption and 802.1x.

I'm using a Cisco Aironet a/b/g PCMCIA card using the Cisco Aironet utility (latest version) as my supplicant (not using windows configuration for wireless networks).

James

0 Helpful

jamesgef
Level 1
Level 1
In response to jamesgef

‎02-21-2007 06:46 PM

Just to provide more information, my profile in the Cisco Aironet Utility is configured for PEAP with MS-CHAP-v2.

James

0 Helpful

csannedhi
Level 1
Level 1
In response to jamesgef

‎02-26-2007 08:40 PM

Zhenning is correct. The encryption method has nothing to do with the 802.1x process. Until the authentication process is finished the unicast keys are not generated. All the data exchange gets encrypted using the generated keys after the authentication process.

0 Helpful

zhenningx
Level 4
Level 4

‎02-26-2007 07:56 AM

PEAP usernames can be sent in clear text or encrypted. By using windows native WZC config, the usersnames are in clear text. By using Intel supplicant, the PEAP usernames are encrypted as well. The capture only sees "anoymous" as the username.

Zhenning

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to zhenningx

‎02-26-2007 01:00 PM

Is MSCHAVPv2 or GTS being used as the inner method for ACU?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card