Cisco Support Community
Community Member

Security attacks on 802.1x

I saw this from another mailing list. We now have many APs installed at our HQ. While the Cisco solution seemed to be the best solution when I started researching, how worried should I be now?

Did you see the new posting about the flaws in 802.1X?

Follow this link,

http://www.linuxsecurity.com/articles/network_security_article-4457.html

5 REPLIES
Bronze

Re: Security attacks on 802.1x

Community Member

Re: Security attacks on 802.1x

These two articles aren't related to the same vulnerability. The U of M paper describes problems with the proposed 802.1x security features such as session-hijacking and man-in-the-middle attacks.

As far as the risk or level of concern, the potential for serious damage is there, but this type of attack requires some effort and isn't likely to be seen outside of a contrived attack. If you think your organization is at risk for targeted attacks, you might consider IPsec over wireless or just don't use wireless at all.

Community Member

Re: Security attacks on 802.1x

If you enabled the MIC, WEP Key Hashing, and LEAP using RADIUS, your WLAN is secure!

To enable all security features you must upgrade to the latest NDIS, firmware, and ACU.

Audie

Community Member

Re: Security attacks on 802.1x

The article in question talks about man-in-the-middle attacks that are possible even with 802.1x enabled. The problem is that 802.1x does not provide two-way authentication or security association (rogue access-points).

I don't think that this type of problem is likely to be widely exploited, but it isn't fair to say that 802.1x makes your WLAN secure.

Community Member

Re: Security attacks on 802.1x

Allow me to clarify: WLAN is secure using Cisco LEAP (expensive), MIC, WEP Key Hashing, Dynamic Session Key, and Non-Broadcast SSID.

The ACS RADIUS authentication gives two-way authentication, and MIC/WEP hashing/Dynamic Key Session will stop man-in-the-middle and session hijacking attacks. I'm not even surprised if the NSA cannot break in, aside from brute-force decrypting the 128-bit Dynamic Session Key.

Audie Onibala
