
802.1x credentials saved on client machine

  • 1.  802.1x credentials saved on client machine

    Posted Jun 22, 2014 08:05 AM

    Hi,

    Does anybody know how the credentials for 802.1x (username and password) are saved on client devices like iPhones, Android devices, etc.?

    Thanks

    Regards,

    Islam



  • 2.  RE: 802.1x credentials saved on client machine

    Posted Jun 22, 2014 08:51 AM

    In the case of Apple devices, this information is stored in the user's keychain.

    That *should* mean it is stored encrypted and it *should not* be extractable.

    Generally it is a better security practice to use separate certificates for 802.1X (EAP-TLS) instead of using Active Directory username/password for 802.1X (PEAP EAP-MSCHAPv2 or EAP-TTLS PAP/MSCHAPv2). That way, if the device gets compromised or the NT-Hash gets compromised, the username/password is not leaked.



  • 3.  RE: 802.1x credentials saved on client machine

    Posted Jun 22, 2014 08:59 AM
    Hi,

    Thanks for the info. TLS is the best I know, but it is time-consuming to configure manually unless we use onboarding. For now we need something easy to allow BYOD that is also secure, so can the keychain be decrypted?

    Kind Regards
    Islam Soliman


  • 4.  RE: 802.1x credentials saved on client machine

    EMPLOYEE
    Posted Jun 22, 2014 09:06 AM

    Islam Soliman,

    What are you trying to do?



  • 5.  RE: 802.1x credentials saved on client machine

    Posted Jun 22, 2014 09:08 AM

    Employee access to internet without compromising the AD credentials



  • 6.  RE: 802.1x credentials saved on client machine

    EMPLOYEE
    Posted Jun 22, 2014 09:13 AM

    Islam Soliman,

    The only way I would think that it could be compromised is that iPhone users can back up their device and restore them onto another device.  There is no way around that.  Onboarding is the way to avoid that by distributing device-specific credentials.



  • 7.  RE: 802.1x credentials saved on client machine

    Posted Jun 22, 2014 09:22 AM

    Another issue with PEAP or EAP-TTLS is the verification of the server certificate. If the device does not check the server certificate of the RADIUS server, the credentials can be compromised when the device connects to a rogue network.

    For this the attacker should set up a network with the same ESSID and a RADIUS server which can capture the challenge/response (like FreeRADIUS WPE).

    EAP-TLS does not know this vulnerability.
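
A defender-side check for the server-certificate issue raised in post 7, as an added example that is not part of the thread: it audits the Wi-Fi payloads of an Apple configuration profile (.mobileconfig) for PEAP/EAP-TTLS settings that leave RADIUS server validation open. The function name, SSIDs, server name and sample profile are constructed for illustration.

```python
import plistlib

# EAP type numbers as they appear in AcceptEAPTypes: 21 = EAP-TTLS, 25 = PEAP.
TUNNELED = {21: "EAP-TTLS", 25: "PEAP"}

def audit_wifi_profile(profile_bytes):
    """Return (ssid, finding) tuples for password-based 802.1X Wi-Fi payloads."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration") or {}
        methods = [TUNNELED[t] for t in eap.get("AcceptEAPTypes", []) if t in TUNNELED]
        if not methods:
            continue  # not PEAP/EAP-TTLS, so no password travels inside the tunnel
        ssid = payload.get("SSID_STR", "<no SSID>")
        label = "/".join(methods)
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append((ssid, f"{label}: no trusted CA pinned (PayloadCertificateAnchorUUID)"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, f"{label}: no server name restriction (TLSTrustedServerNames)"))
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append((ssid, f"{label}: user may accept an untrusted server certificate"))
        if "UserPassword" in eap:
            findings.append((ssid, f"{label}: password stored in the profile (UserPassword)"))
    return findings

# Constructed sample profile: one weak PEAP network, one with server validation pinned.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-weak",
         "EAPClientConfiguration": {"AcceptEAPTypes": [25], "UserName": "jdoe",
                                    "UserPassword": "example-only",
                                    "TLSAllowTrustExceptions": True}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-pinned",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [25],
             "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000000"],
             "TLSTrustedServerNames": ["radius.example.com"]}},
    ],
})

if __name__ == "__main__":
    for ssid, finding in audit_wifi_profile(SAMPLE):
        print(f"{ssid}: {finding}")
```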



  • 8.  RE: 802.1x credentials saved on client machine

    Posted Jun 22, 2014 09:38 AM

    Thanks a lot for the useful information :)