02-21-2007 01:37 PM - edited 07-03-2021 01:40 PM
I have a 4404 controller with 1010 APs and am deciding which EAP method to use. As I was analyzing this and sniffing wireless packets, the username is sent in the clear over the air when authenticating with PEAP.
I was somewhat surprised and thought that was one of the limitations of LEAP but not PEAP.
Is this normal behavior?
Thx!
James
02-21-2007 03:38 PM
Interesting post! I'm debating between PEAP and EAP-FAST myself and am really surprised to hear that you were able to capture username from your sniffer.
What encryption method are you using, btw? TKIP, CCMP or AES? Of the three, I have heard that AES will provide highest encryption (which in theory should totally encrypt all user credentials).
02-21-2007 05:46 PM
What 802.1X supplicant is at work here?
02-21-2007 06:44 PM
Controller is set only for WPA2 with AES encryption and 802.1x.
I'm using a Cisco Aironet a/b/g PCMCIA card using the Cisco Aironet utility (latest version) as my supplicant (not using the Windows configuration for wireless networks).
James
02-21-2007 06:46 PM
Just to provide more information, my profile in the Cisco Aironet Utility is configured for PEAP with MS-CHAP-v2.
James
02-26-2007 08:40 PM
Zhenning is correct. The encryption method has nothing to do with the 802.1x process. Until the authentication process is finished the unicast keys are not generated. All the data exchange gets encrypted using the generated keys after the authentication process.
02-26-2007 07:56 AM
PEAP usernames can be sent in clear text or encrypted. By using the Windows native WZC config, the usernames are in clear text. By using the Intel supplicant, the PEAP usernames are encrypted as well. The capture only sees "anonymous" as the username.
Zhenning
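Added example, not part of the original thread: the username discussed above travels in the EAP-Response/Identity message, which is exchanged before the PEAP TLS tunnel exists, so a capture shows whatever outer identity the supplicant chooses to send. This Python sketch parses that message from an EAPOL frame body and flags outer identities that are not anonymized; the function names and the sample identities are constructed for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY, EAPOL_EAP_PACKET = 2, 1, 0

def outer_identity(eapol: bytes):
    """Return the identity carried in an EAP-Response/Identity, else None.

    `eapol` is the 802.1X (EAPOL) frame body: version, type, length, EAP packet.
    Raises ValueError if the length fields do not fit the captured bytes.
    """
    if len(eapol) < 4:
        raise ValueError("truncated EAPOL header")
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    if pkt_type != EAPOL_EAP_PACKET:
        return None                      # e.g. EAPOL-Start or EAPOL-Key
    eap = eapol[4:4 + body_len]
    if body_len < 4 or len(eap) < body_len:
        raise ValueError("truncated EAP packet")
    code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len > len(eap):
        raise ValueError("bad EAP length")
    if code != EAP_RESPONSE or eap_len < 5 or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")

def exposes_username(identity: str) -> bool:
    """True when the user part is neither empty nor 'anonymous'."""
    user = identity.rsplit("\\", 1)[-1]  # drop a DOMAIN\ prefix
    user = user.split("@", 1)[0]         # drop an @realm suffix
    return user.lower() not in ("", "anonymous")

def build_identity_frame(identity: str, eap_id: int = 1) -> bytes:
    """Construct a sample EAPOL frame body for testing (not a real capture)."""
    data = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data),
                      EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

def audit(frames):
    """Return (identity, exposed) for each EAP-Response/Identity in frames."""
    ids = (outer_identity(f) for f in frames)
    return [(i, exposes_username(i)) for i in ids if i is not None]

if __name__ == "__main__":
    # Constructed sample identities, as three different supplicants might send.
    samples = [build_identity_frame(i)
               for i in ("jsmith", "anonymous", "CORP\\jsmith")]
    for identity, exposed in audit(samples):
        print(f"{identity!r}: {'username exposed' if exposed else 'anonymized'}")
```

Feeding it the EAPOL bodies exported from a capture of each supplicant under evaluation shows which ones send a real username as the outer identity.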
02-26-2007 01:00 PM
Is MSCHAPv2 or GTC being used as the inner method for ACU?