Educause Security Discussion mailing list archives
Re: Wireless WPA2 MSCHAPv2
From: Joseph N Kurtin <joseph.kurtin () NORTHWESTERN EDU>
Date: Thu, 2 Aug 2012 11:39:53 +0000
Hi, All.

It's been stated already in this thread that if your clients are configured to validate the public certificate of the host that terminates your PEAP connection, you're likely in good shape*, but I wanted to add a little description to explain why.

PEAP is designed such that if an 802.1x supplicant sees a problem and chooses not to build the TLS tunnel, the MSCHAP exchanges will not begin at all.

Digging a little deeper, the PEAP tunnel is a TLS tunnel between a client and RADIUS server (or something else if you're terminating PEAP on your wireless controller, AP, etc.) built in order to allow for a secure exchange of credential information, MSCHAP or otherwise. After this tunnel is built, a negotiation takes place within the tunnel between the 802.1x supplicant and a AAA server to pick an inner authentication protocol. Next, the negotiated credential comparison (MSCHAPv2 in our case) is done within the same tunnel. This is also why attributes sometimes need to be handed back outside the tunnel in some environments--the wireless infrastructure can be unaware of portions of the conversation between the supplicant and AAA server.

-Joseph

*Most deployments terminate PEAP directly on the RADIUS server, but if you terminate PEAP on a different device, your risk is now increased if the path between your PEAP termination and RADIUS server is not secured.

On 7/31/12 6:36 PM, "Steve Bohrer" <skbohrer () SIMONS-ROCK EDU> wrote:
> On Jul 31, 2012, at 8:58 AM, Parker, Ben C wrote:
>
>> Reading through the news, I saw that at Defcon MSCHAPv2 has been effectively compromised.
>> https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
>>
>> This includes the use of it in WPA2 connections to radius servers for authentication. Per the article, the current recommendation for enterprise wireless deployments is to move to using client certificates for authentication.
>
> I'm over my head on crypto stuff, but in discussion about this crack on slashdot ( http://science.slashdot.org/story/12/07/30/167210/new-moxie-marlinspike-tool-cracks-crypto-passwords ) a couple of commenters suggest that the PEAP layer of PEAP-MSCHAPv2 802.1x wireless auth protects the MSCHAPv2 from the sort of sniffing that this crack exploits.
>
> Here are quotes from two comments:
>
> From http://science.slashdot.org/comments.pl?sid=3014645&cid=40821639 :
> "For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rogue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server)."
>
> From http://science.slashdot.org/comments.pl?sid=3014645&cid=40822837 :
> "Those eduroam sites that use MSCHAPv2 use PEAP-MSCHAPv2. You have to crack the PEAP before you can crack the MSCHAPv2."
>
> Any of the experts here wish to confirm or deny if PEAP-MSCHAPv2 is still okay in the face of this new tool?
>
> Thanks,
>
> Steve Bohrer
> Network Admin
> Bard College at Simon's Rock
> 413-528-7645