03-09-2014 01:34 AM
Requirements are to use AD and Guest user databases for authentication with MAC caching, for guest access (so employees get hassle free wifi). Got that working great!
Security, after making more U turns than it takes to make my head spin have now insisted on the mac caching timeout being synchronised with the password rotation interval in AD - which is 30 days.
In AD there is an field that represents "last time password changed".
- If authenticated with AD:
(current date and time) - (last time password changed) = adMacExpiryTime
- Use enforcement profle to apply this adMacExpiryTime to the relevant account?
Yes, elements of over engineering here I admit - anyone done this or know of a better way?
Heaven knows what my next requirement will me (please dont say "just use PEAP", which would be far too sensible, and has been ruled out owing to "security issues" which I thought were mitigated by manually defined radius server and correct certificate but there you go)
Looking forward to hearig your opinions!
03-09-2014 07:40 AM
can't help you with the last password change solution, so far from what i have seen doing calculations with date / times seem pretty tricky.
but i would like to give some attention on the security part. so to get it straight EAP is out of the questions but just providing your AD credentials on a webpage (at least HTTPS from a public or internal CA i hope?) and then allowing access for upto 30 days based on a MAC address is ok?
as you mention there is nothing wrong with WPA enterprise if you implement it correctly. with PEAP / MS-CHAPv2 certainly make your you only accept a connection from the known radius server. if that doesnt feel save enough head for EAP-TLS, if required (and if you mainly use Windows) you could even wrap it in PEAP. btw even with EAP-TLS configure your trusted radius server.
03-09-2014 01:17 PM
Yep, irony is this is for guest access only, and the AD part is so that employess dont need an account created.
we originally deployed peap for corporate access except one day the security guy ran into the office litterally out of breath telling me to withdraw the production ssid because of the hack. a cyncial person might think he just wanted eap-tls in - I have no problem with that myself, certs are better we all know that. so we binned the peap and got a decent pki installed and now we use eap-tls, but for internal.
I then thought - in balance - why not use PEAP with byod accounts (no AD reference) for internet access only to avoid captive portals which always cause users no end of pain, and then that was rejected owing to the security risk of - ultimately someone being able to crack the wifi and get..... free internet - providing they were within a coverage area of course.
I got the slick guest self registration working (really like that), which of course could only be approved by email from an internal user (really liked that) - but then they said this was too open and anyone could set up an account.
We have deployed a pretty good exp-tls solution with ocsp, for corporate access, but the irony is no one really uses it. They just want to have free wifi on their iphones when they are at work - you know: the practical reality I am learning about employee working habits. Let them use their own platforms and OS, then install your corporate Apps on them for longer term byod, which seems to be the way to go (i.e. workspace). No big deal - they're the customers IMHO.
and yep - my captive portal uses a cert signed by verisign. The ssid also uses 3 auth failures to trigger a blacklist. I also have rfprotect on the case. What else can I do? Use patch antennas on the outer perimiter pointing inwards to limit the rf leakage and get windows sealed up with transparent film to attenuate?
I guess that just leaves onboarding, but $20 a head? understandably, my project manager is going nuts and I am trying to work out a compromise between getting this done.
Every suggestion I make I get another security requirement blocking it. In some respects I am getting grim satisfaction repeatedly saying "ok - that issues closed off: what's next" but it is taking time, and having a deteremental affect on my sanity!
Excuse the desperate post. Someone elsewhere must have come across the same kind of thing? I am ending up having to effectively install more sopisticated security system to protect the internet than the internal network!!
03-09-2014 01:38 PM
That article is from 2012.
"As for the possibility of using this attack to crack WPA/WPA2 Enterprise traffic, that seems unlikely to happen on any sort of meaningful scale given how rare it is to find WPA/WPA2-EAP (extensible authentication protocol) using MS-CHAPv2, without TLS, in the real world. By far the most common form using MS-CHAPv2 is WPA/WPA2-PEAP, which uses TLS to protect the MS-CHAPv2 exchange. Only if the attacker manages to gain access to the TLS private-key for decryption of the outer layer (which is a far greater problem) could the inner layer be attacked with ChapCrack. - See more at: http://www.soleranetworks.com/blogs/chapcracks-les
Please have your security guy double-check.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base