Using PEAP and WinXP
mgriego at utdallas.edu
Thu May 25 04:18:43 CEST 2006
What Michael said is correct. By default, the Windows XP supplicant
will verify the certificate against its list of known trusted root
CAs. Without specifying both a trusted CA and the certificate CN
(usually a hostname), then an attacker could get a cert from another
trusted CA or one from the same CA with a different CN.
Say for instance I have a network that uses a certificate from
MyRootCA with CN 8021x.example.com using SSID example_ssid. An
attacker could set up their own AP somewhere in the vicinity of your
users using the same ESSID (example_ssid), causing users to associate
with their AP. 802.1x is designed to keep users from further
connecting to that network by verifying the authenticity of that
network. If the rogue AP uses a cert from OtherCA with a CN of
802.1x.example.com and both MyRootCA and OtherCA are known roots
already existing in the default Windows cert list, then for a user not
checking the cert signer against the trusted signer, all known
signers are trusted, meaning that OtherCA is trusted as a signer and
the rogue AP now has your user's connection. In addition, if you're
checking the CA list but not the CN, then the attacker could obtain a
cert from MyRootCA with the CN of 8021x.attacker.com. Since you're
not checking the CN and MyRootCA is the trusted signer, the cert
is trusted and, again, the attacker has your user's connection.
So, for truly secure mutual authentication, you must specify both the
trusted CA and the CN in the supplicant.
On May 24, 2006, at 3:34 PM, King, Michael wrote:
>> -----Original Message-----
>> freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.or
>> [mailto:freeradius-users-bounces+mking=bridgew.edu at lists.freer
>> adius.org] On Behalf Of simon at 434canada.com
>> Sent: Wednesday, May 24, 2006 3:02 PM
>> To: freeradius-users at lists.freeradius.org
>> Subject: Using PEAP and WinXP
>> I have a question regarding the setup for the WinXP client
>> when using PEAP. Does one always need to go into the
>> properties for the AP and configure which servers to connect
>> to or which root certification authorities are trusted? What
>> I mean is, whether you produced a server certificate yourself
>> and imported that CA onto the client machine, or whether you
>> had a certificate signed by someone like Verisign, you would
>> need to check the corresponding CA within the list.
> It's my understanding that this is to prevent a man in the middle
> attack. Someone could easily set up a rogue AP, with a RADIUS Server.
> Since you're requiring the server to identify itself (via the cert) you
> could detect this, and prevent it.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
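The three supplicant configurations discussed in this thread, worked through as an added example (not code from the original posts or from FreeRADIUS). It models the Windows XP PEAP settings "Validate server certificate", the trusted root list and the "Connect to these servers" name check as a small policy function; the certificates are constructed records with signature verification assumed to have already passed, and the exact-match CN comparison is an assumption, not a claim about how XP matched names.

```python
# Added example: model of a PEAP supplicant's server-certificate checks,
# run against the legitimate cert and the two rogue-AP certs from the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    issuer: str  # issuing root CA, assumed already signature-verified
    cn: str      # subject common name presented by the RADIUS server


@dataclass(frozen=True)
class SupplicantPolicy:
    trusted_roots: frozenset = frozenset()  # empty: any known root is accepted
    expected_cns: frozenset = frozenset()   # empty: CN is not checked


# Constructed stand-in for the default Windows trusted root store.
KNOWN_ROOTS = frozenset({"MyRootCA", "OtherCA"})


def accept(cert: ServerCert, policy: SupplicantPolicy,
           known_roots: frozenset = KNOWN_ROOTS) -> bool:
    """Return True if the supplicant would trust this server certificate."""
    if cert.issuer not in known_roots:
        return False  # chain does not end in a known root at all
    if policy.trusted_roots and cert.issuer not in policy.trusted_roots:
        return False  # "Trusted Root Certification Authorities" check
    if policy.expected_cns and cert.cn not in policy.expected_cns:
        return False  # "Connect to these servers" check (exact match assumed)
    return True


# The three certificates from the discussion (constructed sample data).
LEGIT = ServerCert("MyRootCA", "8021x.example.com")
ROGUE_OTHER_CA = ServerCert("OtherCA", "8021x.example.com")   # other known CA
ROGUE_SAME_CA = ServerCert("MyRootCA", "8021x.attacker.com")  # same CA, other CN

POLICIES = {
    "defaults (any known root, no CN)": SupplicantPolicy(),
    "CA only": SupplicantPolicy(trusted_roots=frozenset({"MyRootCA"})),
    "CA and CN": SupplicantPolicy(trusted_roots=frozenset({"MyRootCA"}),
                                  expected_cns=frozenset({"8021x.example.com"})),
}


def rogue_accepted(policy: SupplicantPolicy) -> list:
    """Names of rogue certificates this policy would wrongly accept."""
    return [name for name, cert in (("other_ca", ROGUE_OTHER_CA),
                                    ("same_ca", ROGUE_SAME_CA))
            if accept(cert, policy)]


if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(f"{label}: legit={accept(LEGIT, policy)} "
              f"rogue accepted={rogue_accepted(policy)}")
```

Only the "CA and CN" policy accepts the legitimate server while rejecting both rogue certificates, which is the point made above.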