Security

Hello everyone i open this topic because i have seen many incorrect configured stations  yeah they work but they are not well configured and they are insecure...

Anyways ill give a sample config of the configuration and why im selecting those options

 

1-Here we select EAP PEAP and click on settings.

 

Okay here comes the important part

2-We check on the validate server certificate which we all do and windows 7 do it automatically

3-We check and also TYPE the radius server or servers  on connect to these servers.  This is really important because if you dont select a server this is where someone with a man in the middle attack can get someone user and password.

4-You select the root certifcate

5-checkbox Donot prompt user to authorize new servers or trusted root certifcate

6-Make that the user cannot change any of these settings :)

 

Now how they can hack my WPA2? well with misconfigurations...  here is an example of an scenario of what could happen if you do a misconfigured clients on your deployment.

1-They create a fake ap matching the ssid and encryptaon of the network

2-They create their own fake RAidus Server

3-They deathenticate someone and lure him to connect to the fake AP

4- The user will see The dialog box that is presented  Their certificate will verify that the network they are joining is correct and legitimate the normal user will just accept everything as they are clueless 

5-User just send the hacker their user and encypted pass which they can then do a dictionary attack to get the pass..

 

Anyways this is just negligence by people setting up PEAP or not knowing how to set it up.... 

 

I made the article because like i said i have seen many deployment with these common misconfigurations

 

Hope it can help someone and  also any comment or correcting is welcome :)

 

 

in "connect to these servers" instead of dns name of the radius server, can we mention IP-address of the server directly? 

 

how we can mention the servers in the configuration, when there are multiple radius-servers.

 

Regards,

You should use whatever is in the name of the certificates (usually DNS names). Multiple names can be entered using a semi colon for using a regex

Server1domain.com;server2.domain.com

Hi cappalli, 

 

Thank you for clarrification, it would be the CN name in the certificate, correct? 

Yes

 

 + enable identity privacy when you are using NAI style usernames, as long as your AAA backend knows how to send your NAS the inner username.

 

yogenpartha - Identity privacy is an optional feature that 99% of deployments do not use due to troubleshooting complexity. I would not recommend using it.

 

Thus the caveats.  But what troubleshooting complexity?  We've had none and I have plenty of anonymous outer IDs.

 

 

Bjulin,

Not sure about troubleshooting but most modern radius servers have a way of returning the inner-id to the nas device, so it might be a false sense of security.

My point was, if you don’t return the inner-identity, there are more troubleshooting steps when a problem arise. You can’t simply do a “show user-table | include username” to try and track down a device if you don’t have the MAC.

 

The RADIUS server returning the inner identity (with PEAP at least, in the last packet after EAPOL is over) is not an issue.  It never gets past the NAS so it never appears anywhere but in admin interfaces, so there is no false sense of securty.  I wouldn't advise using identity protection if your RADIUS server could NOT do so, as tcapalli notes, but really the outer identity should never be trusted and should be treated as trash data you never look at, except when you are doing federated realm auths.

 

 

bjulin,

 

So just to spell it out for the end user or administrator of these supplicants, when should identity privacy be used and why?

 

Well first let's say exactly what it does.

 

When you check this box, you can type in a username, which is a junk username, so let's say we entered "anon".

Then, it takes the value of the username you enter when you log in (or have saved in the profile) and chops off everything before the

'@' in that username, and puts the contents of the textbox there instead.  So if you log in as me@realm.com, it will replace

that with anon@realm.com.

 

So first rule: ONLY use this when your username is of the form username@realm.domain.  (On other operating systems, where

this is usually called the "anonymous identity" this restriction does not apply and you can set the entire value of the anonymous

identity independently from the username.  The above behavior is a microsoft-only constraint.)

 

So at this point anon@realm.com is used as the username in the EAPOL conversation across the open-system WiFi layer.

If someone is sniffing packets, either on wireless or sniffing RADIUS packets on the other side of the NAS, this is what they will

see.  Your actual username (me@realm.com) is only used inside encrypted tunnels.

 

So second rule: If you do not care that any random individual can collect a list of your usernames and their MAC addresses, don't

bother with this option.  If you do care, or are sending naked RADIUS across the Internet without RADSEC, you may want to consider using it.

 

Now, whether or not you use this option you should NEVER use the anonymous identity for any sort of identification, policy decision,

or purpose with one exception: you can use the part after the '@' sign it to route a non-home realm user in a federation like eduroam to

his home AAA server so that you can ask that AAA server if his username and password is valid and if he should be allowed access

to your network based on an agreement between you and that other organzation.

 

Say for example, you had a rule saying any user named "bob" was allowed to log into a server.  Anyone can put "bob" in the

anonymous identity instead of "anon."  So never listen to what is in the anonymous identity.  Make all your user-based policy decisions using only usernames from inside the encrypted tunnel.  Likewise, if you controllers use the anonymous identity to display users in

the UI, this person will show up when you search for bob, even if their real username is nancy.

 

For this reason a lot of RADIUS servers will take the username from inside  the encrypted tunnel and send it back to the controllers in the last RADIUS packet.  When using PEAP, the last RADIUS packet is simply eaten by the NAS, so this is safe to do if your RADIUS

communications are secure -- it is never copied over into an EAPOL frame and sent over the air.

 

Rule #3: if you do not send inner identities back to your NAS, you probably do not want to use this option, because all your users in the contoller UI would be named "anon@realm.com"  However, you should be aware that anyone that can perform a dot1x auth can fool your NAS into displaying whatever they want as their username.  You probably do not want that to happen and might want to rethink your design.

 

Now just as a side-note, let's look back at the federated authentication (where you route to another organization's AAA server).  If you do this, you have to rely on that AAA server to give you some sort of meaningful identifier for the user (preferred way is called a CUI, chargeable user identity) and this will be returned in at least the last RADIUS packet, if that insitution has set things up correctly.  Since the client talks encrypted with their home server, you have no idea what their username is.  Some home servers may send you back a meaningful outer username but you cannot rely on that either.  You have to take the parts you have (CUI, the original realm you routed to, the MAC address, and home server's operator name from the home server's last packet) and do the best you can to display something useful in the NAS.  You don't always have it, but prefrably you would want some digits of the CUID and the home realm to appear in your NAS, so you could file a complaint about misbehavior with the owner of the home server and they would know who's behavior you are complaining about, because they kept track of what CUIs they sent you for who.

 

 

We have an issue with the 'connect to these servers' option as we run eduroam which is a federated system. Adding our homesite radius servers in here would mean the user would not be able to authenticate at other institutions running eduroam.

 

Yes,It is a windows feature which allow user to connect only to trusted  authentication servers which are added in 'connect to these servers' option, we can add mulitple authentication servers details, enter the domain(s) separating each server name with a semicolon. For example, server.domain1.com; server.domain2.com.

 

 

 

 

Yes

 

No, that’s not how it works. You only need to trust your home EAP server.

ah, thats good to know. A misunderstanding on my part.

 

So if i'm at my homesite and it uses  myradiusserver.auth.com which is in my WLAN profile and i travel to another site which sends my request to foreignradius.othersite.com which then sends to the orps and back to my homesite radius the client will see it as my homesite radius?

The request is proxied to your home university where EAP termination occurs. The certificate is from the terminating EAP server.

Thanks. Thats very helpful.