Multiple realms and network validation with WPA2 Enterprise

[Alan DeKok]

On Dec 23, 2016, at 7:07 PM, Henti Smith <henti at geekware.co.za> wrote:
> What you are saying of course makes sense, but I'm trying to understand the
> security mechanisms between and client and radius using SSL and how to
> ensure my users user/pass don't get stolen by a rogue AP/SSID impersonating
> ours. How does one ensure that when a user connects to SSID "MyCompany"
> they are actually sending user/pass to "MyCompany" using the correct SSL
> and Server validation ?

  Because the users machine has the SSID configured to use a particular root CA.  See the WiFi / 802.1X configuration for any modern operating system.

  The users machine will trust *any* certificate signed by that root CA.  Which is why everyone recommends using a "self signed" CA for WiFI.  Because then you know that only your RADIUS server has a certificate signed by that CA.

> To put it another way. Users have been taught to look at browsers address
> bar, to ensure they are talking to the correct server and that there is a
> lock next to the https to indicate the SSL cert fo rthat host has been
> validated (admittedly byt a thir party, which you have already pointed out
> has it's own insecurities) I need to show the business the same risk
> management before we can switch to WPA2 Enterprise away from a shared key,
> which again has it's own set of insecurities.

  <sigh>   A shared WiFi key is always less secure than using actual security.

> So in a nutshell, how do I prove that Ivan the Hacker cannot just bring up
> his own AP with the same SSID and steal user credentials to get into our
> network to steal our data.

  The short answer is that the people who designed WiFi security aren't stupid.  If your managers aren't security experts, they should stop playing games with security.  Instead, they should trust the experts.  They should follow the best practices recommended by the experts.

  Alan DeKok.