Am 11.07.24 um 17:00 schrieb Marco Gaiarin:
MSCHAPv2 is listed as 'vulnerable', but also EAP is 'not vulnerable'. This confuse me because i supose(d) that MSCHAPv2*need* EAP, so...
Take some extra care when reading the docs, e.g. https://www.ietf.org/archive/id/draft-ietf-radext-deprecating-radius-02.html MS-CHAPv2 itself (and all of its predecessors) can be used to teach how NOT to do Challenge-Response-Authentication. In contrast, MS-CHAPv2 wrapped in a secure TLS Tunnel (such as with PEAP) can be implemented safely, provided the tunnel setup is done right. So to be used in any productive way, MS-CHAPv2 "needs" EAP. Not because MS-CHAPv2 on its own is technically impossible, but rather because it would be terribly insecure. All "EAP carrying TLS messages" scenarios should be OK with respect to Blast RADIUS. The biggest problem with these scenarios are client devices that don't properly validate the peer's identity, i.e. 802.1X/802.11i certificate. This has happened most often with BYOD devices, especially Android, but that's a different story. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg