Educause Security Discussion mailing list archives

Re: Wireless WPA2 MSCHAPv2


From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Tue, 31 Jul 2012 13:21:05 -0400

What happens in the case of having multiple SSIDs across campus but a
single (set) of radius controllers?

Does each SSID have to point to a different radius name???

On 07/31/2012 12:50 PM, Justin Azoff wrote:
> On Tue, Jul 31, 2012 at 12:27:28PM -0400, Steve Bohrer wrote:
>>> I still think WPA should have been designed to require the certificate
>>> to match the SSID, not the radius server hostname :-)
>>
>> Joking, I hope? Not sure how much weight to give your :-).
>>
>> In the above case, I really want our users to know that they have to
>> look for a specific "simons-rock.edu" certificate before they submit
>> their password to any RADIUS server. If the certificate merely has
>> to match the SSID, I don't know how to prevent the case above.
>
> To me it makes sense that the SSID would be wpa.simons-rock.edu.
> I've always thought the way WPA works is the same as if https
> certificates were for the IP address of the server and not the hostname.
>
> Imagine if a user connects to https://simons-rock.edu but the browser
> only verifies that the certificate subject matches the IP address from
> DNS.
>
> What I think makes a lot more sense is that a user would connect to an
> SSID for wpa.school.edu and the certificate would have to match
> wpa.school.edu. Since a random attacker cannot obtain a valid
> certificate for wpa.school.edu this would be more secure.
>
>> Moreover, with eduroam, I really want one of our professors who is
>> getting online from far away to know that it is a problem if they
>> are presented with any server certificate except ours. If the cert
>> merely had to say "eduroam", and could be issued to anyone who might
>> be running an eduroam AP, I don't think it would have much value.
>> With the current server-name system, once our users have accepted
>> our RADIUS server's cert here on campus, they can connect to any
>> proper eduroam site with no changes, so if they do get _any_ cert
>> popup it indicates a problem.
>
> Eduroam does complicate things; that's the only time I can think of
> where the user connects to an SSID but they actually see a RADIUS server
> that is not directly associated with the SSID.
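Worked example, added here and not part of any message in the thread: the server-name check that Steve describes (users must see the institution's RADIUS certificate, whatever SSID they are on, including eduroam) is what a supplicant enforces with its CA and name-matching settings. The wpa_supplicant network blocks below show a profile with the check missing next to the same profile with it in place, and then a second SSID that uses the same RADIUS servers. The SSID names "campus-secure" and "eduroam", the server name radius.example.edu, the user identities and the CA bundle path are assumed placeholders, not values from the thread or from any institution.

```conf
# Added example, not from the thread. Assumed placeholders: SSIDs
# "campus-secure" and "eduroam", RADIUS server name radius.example.edu,
# CA bundle /etc/ssl/certs/campus-ca.pem, identity alice@example.edu.

# WEAK (shown for contrast only): no ca_cert and no name match. The
# supplicant builds the PEAP TLS tunnel to whatever server the access
# point forwards it to, accepts any certificate, and sends the MSCHAPv2
# exchange inside that tunnel. Matching the SSID tells it nothing about
# who terminated the tunnel.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="(placeholder)"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the chain must validate against the institution's CA and the
# certificate must name the institution's RADIUS server. The name checked
# is the RADIUS server's, not the SSID, which is the point of the thread:
# a different SSID, or an access point run by someone else, does not
# change what the supplicant is willing to accept.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="(placeholder)"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_match="radius.example.edu"
}

# A second SSID in front of the same RADIUS servers needs no new name:
# only the ssid line differs. This also covers eduroam, where the visited
# site only proxies RADIUS and the home institution's server still
# terminates the TLS tunnel, so the same ca_cert and domain_match apply
# and any other certificate is a sign of a problem.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="(placeholder)"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_match="radius.example.edu"
}
```

`domain_match` requires an exact match against the certificate's dNSName entries (or the subject CN when no dNSName is present); `domain_suffix_match` accepts any host under the given domain and is the usual choice when several RADIUS servers share a suffix, and `altsubject_match="DNS:radius.example.edu"` is an older equivalent. The `anonymous_identity` keeps the real username out of the unprotected outer EAP identity; it does not replace the certificate check.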