Educause Security Discussion mailing list archives
Re: Wireless WPA2 MSCHAPv2
From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Tue, 31 Jul 2012 13:21:05 -0400
What happens in the case of having multiple SSIDs across campus but a single (set) of radius controllers? Does each SSID have to point to a different radius name???

On 07/31/2012 12:50 PM, Justin Azoff wrote:
> On Tue, Jul 31, 2012 at 12:27:28PM -0400, Steve Bohrer wrote:
>>> I still think WPA should have been designed to require the certificate to match the SSID, not the radius server hostname :-)
>>
>> Joking, I hope? Not sure how much weight to give your :-). In the above case, I really want our users to know that they have to look for a specific "simons-rock.edu" certificate before they submit their password to any RADIUS server. If the certificate merely has to match the SSID, I don't know how to prevent the case above.
>
> To me it makes sense that the SSID would be wpa.simons-rock.edu
>
> I've always thought the way WPA works is the same as if https certificates were for the IP address of the server and not the hostname. Imagine if a user connects to https://simons-rock.edu but the browser only verifies that the certificate subject matches the ip address from DNS.
>
> What I think makes a lot more sense is that a user would connect to an SSID for wpa.school.edu and the certificate would have to match wpa.school.edu. Since a random attacker can not obtain a valid certificate for wpa.school.edu this would be more secure.
>
>> Moreover, with eduroam, I really want one of our professors who is getting online from far away to know that it is a problem if they are presented with any server certificate except ours. If the cert merely had to say "eduroam", and could be issued to anyone who might be running an eduroam AP, I don't think it would have much value. With the current server-name system, once our users have accepted our RADIUS server's cert here on campus, they can connect to any proper eduroam site with no changes, so if they do get _any_ cert popup it indicates a problem.
>
> Eduroam does complicate things, that's the only time I can think of where the user connects to a SSID but they actually see a radius server that is not directly associated with the SSID.
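The thread turns on where the client's trust anchor is attached: to the RADIUS server's certificate name, not to the SSID. The following wpa_supplicant network blocks are an added example, not configuration posted by anyone in this thread, showing what that looks like on a PEAP/MSCHAPv2 client: a weak block that validates nothing beside a hardened block that pins the CA and the server hostname, then a second campus SSID and an eduroam block that reuse the same pin. The hostnames, realm, CA file path and SSID names are placeholders, and it assumes a wpa_supplicant new enough to support `domain_match` (older builds have `domain_suffix_match`).

```conf
# Added example (not from the thread). All names below are placeholders:
# example.edu realm, radius.example.edu server, CA path, SSID names.

# WEAK: no ca_cert and no name match. wpa_supplicant logs a warning here
# because it will accept whatever server certificate is presented, so the
# MSCHAPv2 handshake completes against any RADIUS server behind any AP
# that broadcasts this SSID.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the institution's CA and require the server
# certificate's dNSName (or CN) to equal the RADIUS server hostname.
# anonymous_identity keeps the real username out of the unencrypted
# outer EAP-Identity exchange.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"   # placeholder path
    domain_match="radius.example.edu"                     # placeholder host
    # If several RADIUS servers share a domain, use a suffix match instead:
    # domain_suffix_match="example.edu"
}

# A second SSID on the same campus served by the same RADIUS servers
# reuses the identical CA and hostname pin. The check is against the
# server's certificate name, so a different SSID needs no different
# RADIUS name.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
}

# eduroam: the inner EAP tunnel terminates at the home institution's RADIUS
# server (the realm in the identity routes it there), so the same pin
# applies while roaming. A certificate from any other server fails the
# match and the supplicant refuses to send credentials rather than prompt.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
}
```

The pin lives in each network block, so a profile pushed to clients can carry the same `ca_cert` and `domain_match` for every SSID the institution runs; what changes between blocks is only the `ssid`. Without `ca_cert` the `domain_match` line alone is not enough, since an untrusted CA could issue a certificate for any name.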
Current thread:
- Wireless WPA2 MSCHAPv2 Parker, Ben C (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Caroline Couture (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Caroline Couture (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Justin Azoff (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Justin Azoff (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Harry Hoffman (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Joseph N Kurtin (Aug 02)
- Re: Wireless WPA2 MSCHAPv2 Shamblin, Quinn (Jul 31)