Educause Security Discussion mailing list archives

Re: Wireless WPA2 MSCHAPv2


From: Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
Date: Tue, 31 Jul 2012 12:27:28 -0400

On Jul 31, 2012, at 12:00 PM, Justin Azoff wrote:

> AFAIK, if you have people spoofing your SSID and running rogue
> authentication servers, any weakness in MSCHAPv2 is the least of your
> problems.


I don't have 100% campus wifi coverage, so it seems it would not take much for a student in a sparsely covered area to hook a home AP to a Linux box running FreeRADIUS and broadcast an SSID matching the college network's. Our server's certificate is our only defense against that, as there are areas where I don't have the coverage to detect or block such systems. (Obviously I need lots more money for campus wireless coverage, so I can blanket any rogues in the vicinity!)

But you certainly are correct, if such a student can get people to authenticate to their server, they'd have no need to bother with cracking MSCHAPv2.

> I still think WPA should have been designed to require the certificate
> to match the SSID, not the radius server hostname :-)

Joking, I hope? Not sure how much weight to give your :-).

In the above case, I really want our users to know that they have to look for a specific "simons-rock.edu" certificate before they submit their password to any RADIUS server. If the certificate merely has to match the SSID, I don't know how to prevent the case above.

Moreover, with eduroam, I really want one of our professors who is getting online from far away to know that it is a problem if they are presented with any server certificate except ours. If the cert merely had to say "eduroam", and could be issued to anyone who might be running an eduroam AP, I don't think it would have much value. With the current server-name system, once our users have accepted our RADIUS server's cert here on campus, they can connect to any proper eduroam site with no changes, so if they do get _any_ cert popup it indicates a problem.


Steve Bohrer
Network Admin
Bard College at Simon's Rock
413-528-7645    


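As an added illustration of the point made in the message above (this is example configuration, not from the original post and not Simon's Rock's actual setup): a wpa_supplicant.conf showing the weak PEAP/MSCHAPv2 setting, which accepts whatever RADIUS server answers for the SSID, beside the corrected one that anchors trust to a CA and to the home RADIUS server's name rather than to the SSID. The server hostname radius.simons-rock.edu, the CA bundle path, and the identities and password are assumptions.

```conf
# Added example, not from the original message. The hostname, CA bundle
# path, identities and password below are assumptions.

ctrl_interface=/var/run/wpa_supplicant

# WEAK (kept here disabled for comparison). No ca_cert and no
# domain_match, so the supplicant builds the PEAP TLS tunnel to any
# RADIUS server behind an AP broadcasting this SSID. A rogue AP wired
# to FreeRADIUS on the same SSID receives the inner MSCHAPv2
# challenge/response without having to break MSCHAPv2 at all.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@simons-rock.edu"
    password="hunter2"
    disabled=1
}

# HARDENED. ca_cert limits which issuers are trusted; domain_match
# additionally requires the server certificate's name to be exactly the
# home RADIUS server, so a certificate from the same CA issued to some
# other host (or to another eduroam site) is rejected. The outer
# anonymous_identity carries only the realm, which is what eduroam peers
# use to route the request back to the home server; the real identity
# and the MSCHAPv2 exchange stay inside the TLS tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@simons-rock.edu"
    identity="jdoe@simons-rock.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.simons-rock.edu"
}
```

With the hardened block, the client never prompts the user to accept a certificate: a server whose certificate does not chain to the configured CA or does not carry the pinned name simply fails authentication, which is the behaviour the message argues for (any certificate prompt means something is wrong). domain_suffix_match can be used instead of domain_match where several home servers share a DNS suffix; the older subject_match field is a substring check and should not be relied on for this purpose.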