Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at geekware.co.za
Tue Dec 27 09:48:53 CET 2016


Thank you all for the information.

H

On 27 December 2016 at 00:41, Arran Cudbard-Bell <a.cudbardb at freeradius.org>
wrote:

>
>
> >> So in a nutshell, how do I prove that Ivan the Hacker cannot just bring
> up
> >> his own AP with the same SSID and steal user credentials to get into our
> >> network to steal our data.
>
> Short answer, in a BYOD environment, where the devices aren't
> pre-configured with wireless profiles - you can't.  Supplicant security
> negotiation is horrifically bad.  Using PSKs doesn't make it any better as
> the attacker can configure a WPA2-Enterprise secured version of the SSID.
>
> Where you pre-deploy profiles, the user should not be involved in any
> security decisions.  The supplicant will not send credentials if it cannot
> validate the server certificate.  Ideally if you control the device, the
> user should be prevented from modifying the 802.1X configuration at all,
> and unrecognised 802.1X authenticated networks should be blocked.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

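The pre-deployed profile Arran describes, as an added example that is not part of the thread or of FreeRADIUS itself: a wpa_supplicant.conf network block with the weak form beside the hardened one. The SSID, identity, CA bundle path and RADIUS server hostname are assumptions; the pinned CA and the name match are what stop the supplicant from handing the MSCHAPv2 exchange to a rogue AP that announces the same SSID.

```conf
# Added example (not from the thread). All names below are assumptions.

# WEAK: no ca_cert, so any server certificate is accepted. A rogue AP with
# the same SSID and its own RADIUS server gets the MSCHAPv2 handshake,
# which is enough to crack or relay the password offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    priority=1
}

# HARDENED: the server certificate must chain to the pinned CA and carry
# the expected name, or the supplicant aborts the TLS tunnel before any
# inner credentials are sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"  # outer identity only; real name stays inside TLS
    identity="alice@example.com"
    password="correct horse battery staple"
    # Private CA that issued the RADIUS server certificate, not the OS bundle
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    # Certificate must be issued for this host (dNSName / CN suffix match)
    domain_suffix_match="radius.example.com"
    # Pin PEAPv0 and require the inner method the server actually offers
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Protected management frames, so deauth floods used to push clients
    # onto the rogue AP are at least authenticated
    ieee80211w=2
    priority=2
}
```

To check that the hardened profile really refuses an unknown server, point `eapol_test -c corp.conf -a <radius-ip> -s <shared-secret>` at a test RADIUS server presenting a certificate from a different CA: the run must end in EAP-Failure with a TLS verification error, and the RADIUS log must show no inner MSCHAPv2 exchange. If the OS pre-deploys the profile, also lock the user out of editing it, which is the second half of Arran's advice and cannot be expressed in the file itself.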