New Member

Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

L.S,

For authenticating to a BYOD wireless network, a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a rogue access point with the same (company) SSID name and tools like freeradius-WPE and cloudcracker.

If the BYOD client doesn't check the certificate provided by the fake RADIUS server, the MSCHAPv2 negotiation can be discovered and the hacker will get the username AND hashed password, which can be looked up on rainbow-table sites like cloudcracker.

Is there still a safe way to deploy AD authentication to BYOD clients?

Kind Regards,

Arjen


1 ACCEPTED SOLUTION

New Member

You've just described the biggest issue with PEAP (MS-CHAPv2) deployments. Best practice should be RADIUS server certificate signed by an enterprise CA (i.e., not a public CA). Client should be configured to validate server certificate (Root CA must be installed on all clients) AND check RADIUS server names against a pre-populated list. The security of the network decreases from there. Worst case would be not checking server certificate at all. At that point, grabbing the MS-CHAPv2 handshake is trivial.
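The three configuration states the reply describes (no server validation, CA validation only, CA validation plus a pinned list of RADIUS server names) can be checked mechanically on the client side. The following is an added example, not code from the thread or from Cisco: a small auditor for wpa_supplicant network blocks that flags PEAP/TTLS profiles a rogue AP with freeradius-wpe could harvest. The two embedded configs are constructed samples; the CA path, the `nps1.corp.example`/`nps2.corp.example` server names and the credentials are placeholders, and the semicolon-separated list in `domain_match` assumes a recent wpa_supplicant.

```python
"""Audit wpa_supplicant network blocks for PEAP/TTLS server-validation weaknesses.

Added example (not from the Cisco thread). It only understands the
`network={ key=value ... }` syntax of wpa_supplicant.conf; all paths,
names and credentials below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample: the worst case from the reply, no server certificate check at all.
WEAK_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="arjen"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: enterprise root CA pinned AND server names restricted to a fixed list.
HARDENED_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="arjen"
    password="hunter2"
    # root of the (hypothetical) enterprise CA that signed the NPS server certificate
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    # only these RADIUS server names are accepted, even if the CA is trusted
    domain_match="nps1.corp.example;nps2.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Tunneled methods that carry a password (MSCHAPv2, PAP, ...) inside the TLS tunnel.
TUNNELED_EAP = {"PEAP", "TTLS"}
# Any of these constrains which server certificate is accepted, not just which CA.
NAME_PIN_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


@dataclass
class Finding:
    ssid: str
    code: str
    detail: str


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    nets = []
    for block in _BLOCK_RE.finditer(conf):
        params = {}
        for line in block.group(1).splitlines():
            if line.strip().startswith("#"):  # full-line comment
                continue
            kv = _KV_RE.match(line)
            if kv:
                params[kv.group(1)] = kv.group(2).strip('"')
        nets.append(params)
    return nets


def audit_network(params: dict[str, str]) -> list[Finding]:
    """Rank a single network block against the reply's best-practice ladder."""
    ssid = params.get("ssid", "?")
    eap = params.get("eap", "").upper()
    if eap not in TUNNELED_EAP:
        return []  # EAP-TLS etc.: no password handshake inside the tunnel to harvest
    if "ca_cert" not in params and "ca_path" not in params:
        return [Finding(ssid, "no_server_validation",
                        f"{eap} without ca_cert: a rogue AP broadcasting this SSID with a "
                        "fake RADIUS server completes the TLS tunnel and collects the "
                        "MSCHAPv2 challenge/response")]
    if not any(k in params for k in NAME_PIN_KEYS):
        return [Finding(ssid, "no_server_name_pin",
                        "ca_cert is set but no server name constraint: any certificate "
                        "issued by that CA is accepted as the RADIUS server")]
    return []


def audit_conf(conf: str) -> list[Finding]:
    return [f for net in parse_networks(conf) for f in audit_network(net)]


def is_hardened(conf: str) -> bool:
    return not audit_conf(conf)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_conf(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f.code}] {f.ssid}: {f.detail}")
```

Running the script reports `no_server_validation` for the weak profile and nothing for the hardened one; deleting only the `domain_match` line from the hardened profile drops it to the middle rung (`no_server_name_pin`), which is the state where a certificate from a public CA, or any other certificate the trusted CA issued, would still be accepted.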

2 REPLIES
New Member

I have tested the WPA2-Enterprise/PEAP-MSCHAPv2 exploit this week by placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the MSCHAPv2 challenge/responses of a number of Android/Windows phones that were just walking past my car. Also, iPhone has a bad WPA2-Enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-Enterprise/PEAP-MSCHAPv2.

Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificates sounds like the only feasible option; however, we are afraid that the enrolment of certificates to the BYOD clients will be a total disaster. I heard stories that some Android phones lose their client certificate after a reboot :(


2284 Views, 2 Replies