On Nov 22, 2019, at 12:14 PM, Nik Mitev <nik@mitev.co.uk> wrote:
I was looking at this article about the sycophant attack https://sensep ost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ and the success of it reportedly hangs on whether cryptobinding is enforced or not.
On NPS it is not enforced by default, but there is a "Disconnect clients without cryptobinding" setting that can be enabled.
Can anyone confirm what is the FR default on cryptobinding and whether it can be changed in configuration? If it is not enabled by default, can it be enabled? If it is enabled by default, can it be disabled - inadvertently of on purpose.
There is no standard for cryptographic binding for PEAP. If you can find one, we're happy to implement it. There is a standard for TTLS, and FreeRADIUS enforces it by default. See: https://tools.ietf.org/html/rfc5281#section-11.1 There is no way to disable it for TTLS. Alan DeKok.