Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

  • 1.  EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    Posted Nov 25, 2018 05:52 PM

    Hey All,

     

    Just a general question. Testing some stuff around RADIUS. Using the EAP-PEAP flavour, as the first step when you connect to the SSID, you get a prompt to enter username/password:

    dd.JPG

    In a monitor mode PCAP I see frames as EAP-Request/Response-Identity, but I cannot figure out how the password is delivered to the AP (I do not even see any hash or anything encrypted) and I can only see the username:

    EAP.JPG

    Thanks,

    Myky



  • 2.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    EMPLOYEE
    Posted Nov 26, 2018 11:46 AM
    At the point of receiving the credential prompt, no credentials have been sent.


  • 3.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    Posted Nov 26, 2018 03:20 PM

    @cappalli that is totally true. The monitor mode PCAP was taken while I was entering the credentials and when the authentication failed. I do see my username was sent (smuser1) but there was no password in the PCAP. That also makes sense because it is the job of the NAS to deliver credentials via the RADIUS protocol and encrypt the username and password, as we can still see the username in the RADIUS Access-Request packet.

    But it must somehow be delivered to the AP over the air.



  • 4.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.
    Best Answer

    EMPLOYEE
    Posted Nov 26, 2018 03:34 PM
    That is the outer username. The inner username and credential are encapsulated and encrypted into an EAP exchange.


  • 5.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    Posted Nov 27, 2018 12:24 PM

    Found this:

    https://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/A%20802.1X%20EAP-PEAP%20Reference/EAP_PEAP_handshake.htm

    It looks like even though the client is prompted to enter a username and password, only the username is sent over the air. Then the full EAP-PEAP process kicks in, where the client sends its identity that includes a password.

    Thanks,

    Myky



  • 6.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    EMPLOYEE
    Posted Nov 27, 2018 12:30 PM
    The outer username and the inner username are not always the same. The outer username should be anonymized.


  • 7.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    Posted Nov 27, 2018 12:33 PM

    Thanks Tim. Do you have any good KB that explains this? 



  • 8.  RE: EAP-Request/Response-Identity. Cannot figure out how password is delivered to AP.

    EMPLOYEE
    Posted Nov 27, 2018 12:50 PM
    None of this is Aruba-specific. It’s all standards.
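
Added example, not part of the thread and not Aruba code: a minimal Python parser for EAP packets (RFC 3748 header layout) that shows what a monitor-mode capture can read, namely the cleartext outer identity in the Response/Identity and only TLS records in the PEAP (type 25) packets that carry the inner username and credential. The function names, the `anonymous@example.org` identity, the opaque payload bytes and the anonymity heuristic are assumptions made for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
TLS_RECORD = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def is_anonymous(identity):
    """Heuristic (assumption): empty or 'anonymous' user part, e.g. anonymous@realm."""
    user = identity.split("@", 1)[0].lower()
    return user in ("", "anonymous")

def parse_eap(pkt):
    """Describe what a passive observer can read from one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, "Unknown"), "id": ident}
    if code not in (1, 2) or length == 4:      # Success/Failure carry no type field
        return out
    etype, data = pkt[4], pkt[5:length]
    out["type"] = etype
    if etype == EAP_TYPE_IDENTITY:             # outer identity: sent before any tunnel exists
        identity = data.decode("utf-8", "replace")
        out.update(outer_identity=identity, anonymous=is_anonymous(identity))
    elif etype == EAP_TYPE_PEAP and data:
        flags, body = data[0], data[1:]
        if flags & 0x80:                       # L bit: 4-byte TLS message length follows
            body = body[4:]
        out["tls_record"] = TLS_RECORD.get(body[0], "unknown") if body else None
        # Inner EAP (username and credential) travels only as TLS application data.
        out["inner_eap_encrypted"] = out["tls_record"] == "application_data"
    return out

def build(code, ident, etype, data):
    """Build a constructed sample packet (not taken from a real capture)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data

# Constructed samples: the outer identity quoted in the thread, an anonymized
# outer identity, and a PEAP response holding one TLS application_data record.
SAMPLES = [
    build(2, 1, EAP_TYPE_IDENTITY, b"smuser1"),
    build(2, 1, EAP_TYPE_IDENTITY, b"anonymous@example.org"),
    build(2, 7, EAP_TYPE_PEAP, b"\x00\x17\x03\x03\x00\x04\xde\xad\xbe\xef"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_eap(sample))
```

Fragmented TLS messages (M bit set) are not reassembled here, so the first byte of a continuation fragment should not be read as a record type.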