oss-sec mailing list archives

Check your WPA2 Enterprise setup


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Thu, 22 Apr 2010 14:45:16 +0200

Hi,

Recently I had to explain to a friend why turning off certificate
checks for wireless networks that use WPA2 Enterprise methods for
authentication is a bad idea. Unfortunately merely enabling some
checkbox in the UI isn't necessarily sufficient either. If the
RADIUS server uses a certificate signed by a public CA one can
easily forget to apply additional constraints (e.g. matching
subject, common name etc) to restrict acceptable certificates.
Failure to set such constraints allows anyone with a valid domain to
forge the wireless network and impersonate the RADIUS server. That
finding isn't exactly new, yet it's hardly mentioned anywhere. So
I've decided to write a paper [1] about it.

I've also contacted NetworkManager upstream since NetworkManager's
certificate handling is rather limited. Using NetworkManager for
WPA2 Enterprise is basically only safe if a private CA is used.
It's planned but not a priority for them to improve the situation.

So if you are using WPA2 Enterprise better check your setup.

cu
Ludwig

[1] http://www.suse.de/~lnussel/The_Evil_Twin_problem_with_WPA2-Enterprise_v1.1.pdf

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
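
The check the message asks for, sketched as an added example (not part of the original post or the linked paper). It assumes the client is configured through a wpa_supplicant.conf file, and it flags EAP networks that have no `ca_cert` or that have `ca_cert` without any subject or domain constraint. The function names `parse_networks` and `audit` and the sample configuration are constructed for illustration.

```python
# wpa_supplicant options that bind the RADIUS server's identity, beyond "signed by a trusted CA".
IDENTITY_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(conf_text):  # one {key: value} dict per network={ ... } block
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.replace(" ", "") == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(conf_text):  # (ssid, finding) pairs for EAP networks with weak server checks
    findings = []
    for net in parse_networks(conf_text):
        if "EAP" not in net.get("key_mgmt", "") and "eap" not in net:
            continue  # not an 802.1X/EAP network (simplified test)
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: server certificate is not verified"))
        elif not any(k in net for k in IDENTITY_KEYS):
            findings.append((ssid, "ca_cert without subject constraint: any cert from that CA passes"))
    return findings

# Constructed sample configuration; SSIDs, paths and host names are placeholders.
SAMPLE_CONF = """
network={
    ssid="corp-nocheck"
    key_mgmt=WPA-EAP
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/public-ca.pem"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/public-ca.pem"
    altsubject_match="DNS:radius.example.org"
}
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

The second finding matters when `ca_cert` points at a public CA; with a private CA that issues only the RADIUS server's certificate, the missing constraint is the case the message describes as basically safe.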

