Frequent Contributor I
Posts: 77
Registered: ‎03-24-2013

802.1x credentials saved on client machine

Hi,

Does anybody know how the credentials for 802.1x (username and password) are saved on client devices like iPhones, Android devices, etc.?

Thanks

Regards,

Islam

MVP
Posts: 130
Registered: ‎06-11-2013

Re: 802.1x credentials saved on client machine

In case of Apple devices this information is stored in the user's keychain.

That *should* mean it is stored encrypted and it *should not* be extractable.

Generally it is a better security practice to use separate certificates for 802.1X (EAP-TLS) instead of using Active Directory username/password for 802.1X (PEAP EAP-MSCHAPv2 or EAP-TTLS PAP/MSCHAPv2). That way, if the device gets compromised or the NT-Hash gets compromised, the username/password is not leaked.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Frequent Contributor I
Posts: 77
Registered: ‎03-24-2013

Re: 802.1x credentials saved on client machine

Hi,

Thanks for the info. TLS is the best I know, but it is time-consuming to configure that manually unless we use onboarding, but for now we need something easy to allow BYOD and also secure, so can the keychain be decrypted?

Kind Regards
Islam Soliman
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 802.1x credentials saved on client machine

Islam Soliman,

What are you trying to do?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 77
Registered: ‎03-24-2013

Re: 802.1x credentials saved on client machine

Employee access to the internet without compromising the AD credentials

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 802.1x credentials saved on client machine

Islam Soliman,

The only way I would think that it could be compromised is that iPhone users can back up their device and restore them onto another device. There is no way around that. Onboarding is the way to avoid that by distributing device-specific credentials.

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 130
Registered: ‎06-11-2013

Re: 802.1x credentials saved on client machine

Another issue with PEAP or EAP-TTLS is the verification of the server certificate. If the device does not check the server certificate of the RADIUS server, the credentials can be compromised when the device connects to a rogue network.

For this the attacker should set up a network with the same ESSID and a RADIUS-server which can capture the challenge/response (like FreeRADIUS WPE).

EAP-TLS does not know this vulnerability.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
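
An added example, not part of the thread or any poster's code: a check for the server-certificate point raised in the post above, assuming clients that are configured through a wpa_supplicant.conf file (an assumption; the thread names only iPhones and Android devices). It flags PEAP/TTLS network blocks that omit `ca_cert`/`ca_path` or a server name match; the sample config, SSIDs and paths are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="byod-unchecked"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="byod-pinned"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="byod-tls"
    eap=TLS
    client_cert="/etc/wifi/device.pem"
}
'''
PASSWORD_EAP = {"PEAP", "TTLS"}  # tunnelled methods that carry a password
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)^\s*\}", conf, re.S | re.M):
        net = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(conf):
    """Return {ssid: [findings]} for password-based networks with weak server validation."""
    report = {}
    for net in parse_networks(conf):
        if not set(net.get("eap", "").upper().split()) & PASSWORD_EAP:
            continue  # e.g. EAP-TLS: no password is sent, out of scope here
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert/ca_path: server certificate is not verified")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no server name match: any certificate from the CA is accepted")
        if findings:
            report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` reports only `byod-unchecked`, with both findings; the pinned PEAP network and the EAP-TLS network pass.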
Frequent Contributor I
Posts: 77
Registered: ‎03-24-2013

Re: 802.1x credentials saved on client machine

Thanks a lot for the useful information :)
