Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Wireshark capture

  • 1.  Wireshark capture

    Posted Jun 29, 2012 04:24 PM

    Hi,

     

    Is there a way I can decrypt captures taken from an SSID that's using EAP-TLS authentication?

     

    I got the RAP streaming data capture to my PC running Wireshark w/ ERM support. I do get the packets, but they are encrypted. (see attachment)

     

    My goal is to determine what exactly my client (iPad) is talking to over the internet.

     

    Thanks,

    ckc



  • 2.  RE: Wireshark capture

    Posted Jun 29, 2012 04:32 PM

    The capture you have attached does not show any user traffic, encrypted or not... it's all management frames (at least when I view it on my tablet here).

     

    When I have encrypted networks, the easiest way I typically use is to port span/mirror after the traffic leaves the controller, e.g. at the egress interface/trunk. There are other ways, but this works all the time.

     

     

    JF



  • 3.  RE: Wireshark capture

    Posted Jun 29, 2012 04:36 PM

    BTW, a quick way to understand where the iPad (or any client) is communicating would be to issue a 'show datapath session table | include x.x.x.x'

     

    If the client is 'tunneled' to the controller, this command will show you all the traffic as it arrives/departs from the controller from the client at IP address x.x.x.x.

     

    Handy, if all you want to do is understand what destinations that iPad is going to for a first cut.

     

    You will notice all Apple devices communicate to 17.x.x.x (the Apple mother ship) on a routine basis. That is usually an eye-opener for many that didn't know that natively happens. ;)

     

    JF



  • 4.  RE: Wireshark capture

    Posted Jun 29, 2012 06:23 PM

    Thanks for the tips JF.

     

    ckc