Android Client working on WPA2 PEAP without certificate loaded

Sep 16th, 2010

I am trying to figure out why the Android phone will work on our Cisco WPA2 Enterprise PEAP wireless when we use a custom internal certificate for authentication with our Cisco 1200 series APs, ACS 4.x, and AD user groups/accounts.

The certificate is not loaded on the client, and from what I learned it is very difficult to import an MS-generated certificate for use.

I did debugs between my regular domain computer, which has the domain certificate, and the Android, and collected captures; see attachment tabs.

I do see that the certificate is used somehow, and I do see what looks like an LDAP lookup.

See the attached xls sheet with a debug tab for each of the PC and the Android.

I stripped out any sensitive account/domain info for viewing.

I'm not sure if this is a potential security loophole or not and welcome a discussion on this.

Stephen Rodriguez Thu, 09/16/2010 - 08:22

PEAP does not require the client side to have a certificate. Whether the client validates the server's certificate or not is a per-client configuration.
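To make the per-client choice concrete, here is an added example (not from this thread) of the two settings as wpa_supplicant network blocks, the supplicant Android uses underneath. The SSID, identity, CA file path and domain are assumed placeholder values.

```conf
# Added example, not from the thread. CorpWiFi, jdoe, the CA path and example.com are placeholders.

# Weak: no ca_cert, so the outer TLS tunnel is accepted from whatever RADIUS server
# answers for this SSID, and the MSCHAPv2 credentials are sent inside it.
# This is the state of the Android client described in the question.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
}

# Hardened: PEAP only completes if the ACS server certificate chains to the internal
# root CA and the certificate's domain matches the corporate domain suffix.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="example.com"
}
```

The CA certificate field in Android's enterprise Wi-Fi settings maps to ca_cert; leaving it empty gives the first block's behaviour.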

klose Thu, 09/16/2010 - 08:57

It's been a long time since I set this up, tested it, and understood all the components. I just read up on it again and it appears you're correct that PEAP only requires the server (ACS) side cert, and the user's credentials are protected during logon within MSCHAPv2.

If I recall, when I set up our environment, we had to install our domain cert on Pocket PCs (warehouse scanners) to get them to work with PEAP, as the cert was not from a default trusted publisher. I don't understand why this was an issue then. Any ideas?

Our AD client computers all get the root cert by default, and all we do is push the wireless settings to the client by GP.

I was under the impression that we were protected by the client requiring the domain cert, and that Pocket PCs and other rogue wireless devices would not work without it. So how best to control rogue devices without using some NAP system?

Stephen Rodriguez Thu, 09/16/2010 - 09:01

Some devices (I had a Samsung i760, for example) have default registry settings that enforce having the certificate. By running a utility to reg-hack, I was able to change this to not require the CA cert, as it was a real pain to get the cert installed and recognized.

So I would think it might be the same thing for the scanners; if you were to check the registry under EAP type 25, it would be a 1, but I don't know for sure.

If you are trying to keep rogue devices off the network, you might be able to set ACS to check for the machine account as well; this then limits non-domain devices from getting on.

klose Thu, 09/16/2010 - 12:59

That's a coincidence.

I had the same smart phone, but managed to put the certificate onto it with no issues.

Do you recall the details on exactly what reg key? That would be really useful.

I have not experimented with using computer accounts to control access.

Before I dig into it... can you use both user/group authentication AND machine, or is it either/or?

Currently we use a user group + dial-up permissions to permit wireless access via RADIUS/ACS.

I guess I could use a computer group rather than a user group.

Any tips on this would be appreciated.