Wireless Access

L36
Occasional Contributor II

Security ssid check

Just want some thoughts on the security pros and cons of the below setup
Ssid = WPA2-aes

802.1x authentication

Termination EAP-Type = eap-peap

Termination Inner Eap-Type = eap-mschapv2
User logs in with AD creds against a radius server.
Just trying to see where the above setup sits on the security scale.  
Thoughts?
Guru Elite

Re: Security ssid check

What specific parameter are you concerned about?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

L36
Occasional Contributor II

Re: Security ssid check

Not concerned about anything in particular, just trying to get thoughts on how secure (or not) the setup is considered to be.  
It is an ssid which the user auths with just their AD user details.

Guru Elite

Re: Security ssid check

The biggest detail here is actually the client configuration. You'll want to make sure the devices are validating the server's identity.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Security ssid check

That is one part of the security picture. You need to have only the server certificate on the client side trusted to make it truly secure.


Colin Joseph
Aruba Customer Engineering
L36
Occasional Contributor II

Re: Security ssid check

A user can connect to the network from any device providing they have a valid AD account.  When the user connects they are prompted to accept the radius server cert.  Once accepted they are connected to the network.
The question was asked about how secure this is to attacks.  How likely is it that a user's details could be discovered (by a man in the middle or another such attack)?

Guru Elite

Re: Security ssid check

You probably want to use something more secure like EAP-TLS which is a certificate you issue to users, instead of PEAP, which is username and password.


Colin Joseph
Aruba Customer Engineering
Super Contributor I

Re: Security ssid check
This is a fairly secure setup in use in a lot of places.  It's a server-side certificate setup so it is very popular.  It offers gradual security: mostly secure, but the users can make it more secure in some cases by making some configuration changes (and for certain types of devices you can roll those changes out automatically.)  It is also nicer than TLS when it comes to password expiry and such, since you do not have to change client certs to change "passwords".
PEAP + MSCHAPv2 will be in use for the foreseeable future due to Microsoft NAP (a.k.a. SOH, statement of health) not working over TTLS, IIRC.
The biggest current security worry in this setup is that it is hard, and in a few cases impossible, to get the clients configured to validate the owner-id of the server certificate.  It is easy enough on Windows and Linux as they both allow the user to configure the necessary options. It is less a concern on iOS/OSX, which will lock in the certificate after the first join to the network so the opportunity for AAA MITM is slim.   It is a bigger concern on Android where Google has sat around with its thumb stuck someplace impolite for nearly a decade rather than implement a simple GUI element on the WiFi config screen, meanwhile allowing the machine to pay no attention whatsoever to whether the certificate changes.
Another minor security concern is that clients do not tend to properly use an anonymized outer ID so their usernames tend to be visible in the clear.  Configuring this is more widely supported than configuring validation; just about every client will let you do it, though on Apple products you have to build a mobileconfig because they didn't want to confuse their fashion-addled user base with too many options so they took that one out.
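The two client-side points raised in this thread (trust only the RADIUS server's own CA and check its name, as Tim and Colin say, and send an anonymized outer identity, as the post above says) expressed as wpa_supplicant network blocks for Linux clients. This is an added example, not configuration from the thread or from Aruba; the SSID, CA file path, RADIUS hostname, realm and username are placeholders, and the password value must be replaced.

```conf
# Added example (not from the thread). Two network blocks for the same
# WPA2-AES / PEAP-MSCHAPv2 SSID: the first matches the "accept the cert and
# you are on" behaviour described in the thread, the second is the hardened
# form. All names and paths below are placeholders.

# --- Weak: no CA pinned and no server name check --------------------------
# With no ca_cert, wpa_supplicant does not validate the RADIUS server
# certificate at all, so any RADIUS server presenting any certificate is
# trusted and the MSCHAPv2 exchange is handed to it. The bare username is
# also sent in the clear as the outer identity.
network={
    ssid="corp-wifi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="jsmith"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# --- Hardened: pin the issuing CA, check the server name, hide the user ---
network={
    ssid="corp-wifi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP                      # WPA2-AES, as in the original post
    eap=PEAP
    # Outer identity sent in the clear; the real username only travels
    # inside the TLS tunnel, so it is not visible to a passive listener.
    anonymous_identity="anonymous@corp.example"
    identity="jsmith@corp.example"
    password="REPLACE_ME"
    # Trust only the CA that issued the RADIUS server certificate,
    # not the whole system trust store.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Require the certificate's subject/SAN to match the RADIUS host;
    # use domain_suffix_match="corp.example" if several servers share a CA.
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The same three settings exist in the Windows PEAP profile ("Verify the server's identity by validating the certificate", the trusted root CA checkbox, and "Connect to these servers"), which is why the thread calls this a client-configuration problem rather than an SSID-side one: the controller and RADIUS settings in the first post are fine, and the risk depends on whether each client actually enforces them.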
Guru Elite

Re: Security ssid check

Do you have regulatory requirements or are you just looking for best practice advice?
If just looking for best practice, the gold standard is EAP-TLS with device certs.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
L36
Occasional Contributor II

Re: Security ssid check

Thanks for the feedback
The current setup is for ease of use.  A domain user can connect to the wifi network with any device.  They just select the ssid, enter their AD username and pw, accept the cert and all done.
While it is not the Gold Standard of security, it does give the best user experience within the environment.
Just trying to assess the possible security risks so that we can put steps in place if needed.
The question with this setup was whether the industry and wireless community consider it to be a reasonably secure and viable setup, or whether it is considered a do-not-use.  How big is the risk that a person's user details could be hacked over the wifi?