Correctly configure EAP PEAP Windows client

Hello everyone, I open this topic because I have seen many incorrectly configured stations. Yeah, they work, but they are not well configured and they are insecure...

Anyways, I'll give a sample config of the configuration and why I'm selecting those options.

[Screenshot: peapeap1.png]

1-Here we select EAP PEAP and click on Settings.

[Screenshot: peapeap2.png]

Okay, here comes the important part.

2-We check "Validate server certificate", which we all do, and Windows 7 does it automatically.

3-We check and also TYPE the RADIUS server or servers in "Connect to these servers". This is really important because if you don't select a server, this is where someone with a man-in-the-middle attack can get someone's user and password.

4-You select the root certificate.

5-Check the box "Do not prompt user to authorize new servers or trusted root certificate".

6-Make sure that the user cannot change any of these settings :)

Now, how can they hack my WPA2? Well, with misconfigurations... Here is an example of a scenario of what could happen if you have misconfigured clients on your deployment.

1-They create a fake AP matching the SSID and encryption of the network.

2-They create their own fake RADIUS server.

3-They deauthenticate someone and lure him to connect to the fake AP.

4-The user will see the dialog box that is presented. Their certificate will verify that the network they are joining is correct and legitimate; the normal user will just accept everything as they are clueless.

5-The user just sends the hacker their user and encrypted pass, on which they can then do a dictionary attack to get the pass..

Anyways, this is just negligence by people setting up PEAP or not knowing how to set it up....

I made the article because, like I said, I have seen many deployments with these common misconfigurations.

Hope it can help someone, and also any comment or correction is welcome :)

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Regular Contributor I

Re: Correctly configure EAP PEAP Windows client

In "Connect to these servers", instead of the DNS name of the RADIUS server, can we mention the IP address of the server directly?

How can we mention the servers in the configuration when there are multiple RADIUS servers?

 

Regards,

Guru Elite

Re: Correctly configure EAP PEAP Windows client

You should use whatever is in the name of the certificates (usually DNS names). Multiple names can be entered using a semicolon, for using a regex:

Server1domain.com;server2.domain.com

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Correctly configure EAP PEAP Windows client

Hi cappalli, 

 

Thank you for the clarification, it would be the CN name in the certificate, correct?

Guru Elite

Re: Correctly configure EAP PEAP Windows client

Yes

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: Correctly configure EAP PEAP Windows client

 

+ Enable identity privacy when you are using NAI-style usernames, as long as your AAA backend knows how to send your NAS the inner username.

 

Guru Elite

Re: Correctly configure EAP PEAP Windows client

yogenpartha - Identity privacy is an optional feature that 99% of deployments do not use due to troubleshooting complexity. I would not recommend using it.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: Correctly configure EAP PEAP Windows client

 

Thus the caveats.  But what troubleshooting complexity?  We've had none and I have plenty of anonymous outer IDs.

 

 

Guru Elite

Re: Correctly configure EAP PEAP Windows client

Bjulin,

Not sure about troubleshooting, but most modern RADIUS servers have a way of returning the inner-id to the NAS device, so it might be a false sense of security.


Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: Correctly configure EAP PEAP Windows client

My point was, if you don't return the inner-identity, there are more troubleshooting steps when a problem arises. You can't simply do a "show user-table | include username" to try and track down a device if you don't have the MAC.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480