RE: Using PEAP and WinXP
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of simon@434canada.com Sent: Wednesday, May 24, 2006 3:02 PM To: freeradius-users@lists.freeradius.org Subject: Using PEAP and WinXP
Hi,
I have a question regarding the setup for the WinXP client when using PEAP. Does one always need to go into the properties for the AP and configure which servers to connect to or which root certification authorities are trusted? What I mean is, whether you produced a server certificate yourself and imported that CA onto the client machine, or whether you had a certificate signed by someone like Verisign, you would need to check the corresponding CA within the list.
It's my understanding that this is to prevent a man in the middle attack. Someone could easily setup a rouge AP, with a RADIUS Server. Since your requiring the server to identify itself (Via the Cert) you could detect this, and prevent it.
What Michael said is correct. By default, the Windows XP supplicant will verify the certificate against its list of known trusted root CAs. Without specifying both a trusted CA and the certificate CN (usually a hostname), then an attacker could get a cert from another trusted CA or one from the same CA with a different CN. Say for instance I have a network that uses a certificate from MyRootCA with CN 8021x.example.com using SSID example_ssid. An attacker could set up their own AP somewhere in the vacinity of your users using the same ESSID (example_ssid) causing users to associate with their AP. 802.1x is designed to keep users from further connecting that network by verifying the authenticity of that network. If the rogue AP uses a cert from OtherCA with a CN of 802.1x.example.com and both MyRootCA and OtherCA are known roots already existing in the default Windows cert list, then a user not checking the cert signer against the trusted signer, all known signers are trusted meaning that OtherCA is trusted as a signer and the rogue AP now has your user's connection. In addition, if you're checking the CA list but not the CN, then the attacker could obtain a cert from MyRootCA with the CN of 8021x.attacker.com. Since you're not checking the CN and MyRootCA is the trusted signer, then the cert is trusted and, again, the attacker has your user's connection. So, for truly secure mutual authentication, you must specify both the trusted CA and the CN in the supplicant. --Mike On May 24, 2006, at 3:34 PM, King, Michael wrote:
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of simon@434canada.com Sent: Wednesday, May 24, 2006 3:02 PM To: freeradius-users@lists.freeradius.org Subject: Using PEAP and WinXP
Hi,
I have a question regarding the setup for the WinXP client when using PEAP. Does one always need to go into the properties for the AP and configure which servers to connect to or which root certification authorities are trusted? What I mean is, whether you produced a server certificate yourself and imported that CA onto the client machine, or whether you had a certificate signed by someone like Verisign, you would need to check the corresponding CA within the list.
It's my understanding that this is to prevent a man in the middle attack. Someone could easily setup a rouge AP, with a RADIUS Server. Since your requiring the server to identify itself (Via the Cert) you could detect this, and prevent it.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
participants (2)
-
King, Michael -
Michael Griego