Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Peap mschapv2 with non windows clients

  • 1.  Peap mschapv2 with non windows clients

    Posted Nov 03, 2012 07:32 PM

    I need help to work out what is and what is not supported in the way of non-Windows clients. I am about to deploy an SSID to allow any device access to internet resources using PEAP-MSCHAPv2. What devices won't work with this auth method?

    As they can be non-Windows devices, I believe that they don't need certs on them with which to auth the server cert, so they would just be using the AD username/password. Is this secure?

    If not secure, can you limit it on the NPS server so that only devices that support PEAP-MSCHAPv2 in full get access?

     

    Thanks! 



  • 2.  RE: Peap mschapv2 with non windows clients

    Posted Nov 03, 2012 09:05 PM

    Well, Macs support it, also iPads...

    Now you need the cert on the server to make it work correctly. Do you have a cert authority?

     

    Can you describe the scenario, to see if there is something else we can recommend to you?



  • 3.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 03:37 AM

    The idea is that an employee can bring any device from home and use it on our corp wifi for internet access and ActiveSync. As on some devices, like BlackBerrys for example, you can just check 'disable server authentication', I believe this makes this authentication dangerous. Someone can put up a fake AP with the same SSID and gather AD usernames and passwords.

    Can you suggest anything here please? I was under the impression that PEAP-MSCHAPv2 is secure....

    Do we have a list of which devices are more secure for this auth method, and which versions? Even with certs on the server, can you still not create a fake AP?

     

    Please help! 



  • 4.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 06:05 AM

    To add to my post above...

     

    Is PEAP-MSCHAPv2 meant to be used with personal devices using a corporate AD username/password?

    If we are talking about any device, where the company doesn't own the device, is this not a good idea?

     

    Thanks, Appreciate the help... 



  • 5.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 08:14 AM

    What you need here is bring your own device, BYOD (ClearPass).

    Check out the video

     

    http://www.youtube.com/watch?v=IbzUiGifSpc

     

    If you've got budget for it.

     

    Look at the video and check what it can do.... it can do more things, but it gives you an overview.



  • 6.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 10:44 AM

    Thanks but no budget for that.

    Are you saying that I can't do what I was suggesting?

     



  • 7.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 02:23 PM

    You can do EAP PEAP, which is with MSCHAPv2.

     

    You need to buy a cert for the NPS to make EAP PEAP work.

    I don't have a list of the devices that support EAP PEAP with MSCHAPv2....

     

    You will need to investigate that yourself, because I don't think even the TAC will answer you that, as it is not Aruba related.

     

    But as far as I know iPads, Macs and BlackBerrys support EAP PEAP (not sure if all models...).

     

    Now answering your questions:

    Yes, even with the cert they can create a fake AP and try to steal passwords; if you configure the EAP PEAP client correctly then you make it really hard for the attacker.

    For example, when you configure the EAP PEAP client on Windows there is a field where you put which server; if the client is not connecting to that server specifically then it won't send any user or password... Does this field exist on all the devices? Well, no... you will have to investigate that...

     

     

    Now the question I've got for you:

    Do they already use their own devices from home to access the email, with ActiveSync, and you just want to add it so when they bring it to the company they can access it?

     

    Because really, if it's that, then you can create an SSID, use the firewall policies, and put on that SSID a specific role which just has access to the internet on ports HTTP and HTTPS, and to the server with just port HTTPS... and restrict everything else...

     

    Can they steal the password when the device is connecting to Exchange? Well, I don't know... I'm not a server expert nor an Exchange expert, to answer that.... you will need to ask on a Microsoft forum how secure doing this is...

     

    Now if you are afraid they will connect to another AP or something, you can use the WIPS license and configure it so that the clients cannot connect to other APs that are not Aruba APs... it can also detect fake APs and contain them.... (do you have this license?)

     

    Now you can create another SSID (just for these devices), maybe WPA2 PSK (yeah, they can crack it with an offline dictionary attack), but if they get in they will have access to the internet and also to the Exchange server, but just by port 443 (which is the same access people from outside the company have when checking email); this is Exchange security and I don't know about that, you need to ask on a Microsoft forum, I recommend TechNet. You can add captive portal authentication, but then they can do a fake AP and a fake captive portal and get the username and password to get in, but even if they get in you will have your policy on your Aruba firewall set so that they can just go to the internet and to the Exchange server through port 443. (You need the PEF license for this, do you have it?)

     

    Now if you want security for real, because it seems in your company they want security but they don't want to invest... you need BYOD or EAP TLS and configure it manually, manually putting the cert on each of these devices (do ALL the devices support EAP TLS? I don't know... you can open a support case and ask the TAC), or you can just Google it.

     

    You can tell the manager that if they want security then they will need to get BYOD. Yes, you can configure EAP PEAP; I already answered your questions, or at least the ones I could.

     

    What do I recommend? BYOD; all the other things are just workarounds (when we are talking about bringing a non-corporate device into the corporate network).... Like I said, EAP PEAP (MSCHAPv2) can be secure if you've got all the fields to configure it correctly. For example:

    Let's talk about the iPhone.

     

    The iPhone does not have the options to specify the type of authentication to use; they simply just aren't there. The iPhone also doesn't allow for preconfigured certificates, meaning they can't be tied to a legit RADIUS server. This flaw makes them susceptible even in the worst case scenario, being certificate validation enabled and tied to a specific RADIUS server. Now this can happen on other devices... not just with iPhones.

     

    Anyway, I hope I was able to answer most of your questions.

     

    Here I also send you a link to a guide on how to correctly configure EAP PEAP:

    https://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398



  • 8.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 03:17 PM

    Firstly, allow me to thank you for your help :)

     

    We currently use two SSIDs and I plan to add a third for what I am asking about..

     

    We have 'employee' - using EAP TLS - this works fine and everyone uses it on their company laptops; this allows access to everything internal and works in bridge mode.

     

    We have 'guest' - this only allows internet access, is captive portal and is tunnelled.

     

    I plan to roll out a third - this will be for employees to bring their own devices and will only allow HTTP/HTTPS (including ActiveSync). We also have WPA2 Enterprise for this. This will also be in tunnel mode (by the way, the controller is physically connected to the corp firewall too - so securing on PEF and corp firewall). I plan to use PEAP-MSCHAPv2. I have the config all in place already and am testing it. We are using an NPS server which does have a cert on.

    When I try to connect an iPad/iPhone/MacBook it all seems to work smoothly. You see the advertised SSID, connect to it, it asks for username and password, then you get a screen asking you to 'accept' a cert. You accept and you are connected.

    Other devices like BlackBerry only seem to work when you have selected to disable server authentication. Also I am having issues with Win 7 laptops. Anyway, if you have disabled server auth this just means this is a simple AD password auth, and then I am concerned about the fake AP capturing the passwords. I am far less concerned about anyone using this to steal some of our internet bandwidth.

    Let me also answer why we want this.... Our execs are demanding it, and we are not ready to go BYOD yet, for one. We want employees to use their personal devices, and devices we have bought for them, to use our bandwidth instead of their data plan. We would not allow internal access at this stage. You might say why don't we use the guest SSID, but captive portal is not seamless and asks you to keep logging in. Plus it is designed for guests.

     

    So I am confused about this security issue. Even if you have the server auth you are at risk from fake APs, correct?

    Also, the Apple devices just accept the cert, but on other devices do you have to actually place a root cert on, or does it get this from the NPS server like the Apples seem to? (I am not referring to EAP TLS here, by the way.)

     

    We do have the WIP license but I don't think I am using it.... Perhaps you can elaborate a little on what you have suggested? How does this work to stop it? How do you configure it? Perhaps this will solve my issue, as I mentioned I am not worried about stolen bandwidth in this scenario but rather someone stealing AD passwords....

     

     

    Can you help me further NightShade1? I am testing so many devices right now, I wish someone could say which devices support it and which do not, along with which code. Do you know which flavours of Android work with PEAP-MSCHAPv2?

     

    Thanks again, Lee!

     



  • 9.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 03:23 PM

    Also to add to my above... I just read your link. This is great, but of course we want to use it mainly for non-Windows devices, as this is for employees who already have Win 7 corp laptops that connect happily with EAP TLS. This is for them to bring in iPads, iPhones, Android, Win 7 and Win 8 tablets... basically everything else... It is hard to check every device and every code for their functionality.

    Anyway, should have included this above but read your link after :)



  • 10.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 03:59 PM

    Try not adding more than 3 SSIDs... more than 3 starts impacting the performance... it is a really interesting whitepaper, you should give it a read:

    http://www.arubanetworks.com/pdf/technology/whitepapers/wp_Virtual-Access-Points.pdf

     

    Now the problem, like I said before, with EAP PEAP is the devices that do not let you configure the client correctly... for which I gave you an example, which is the iPhone...

     

    If you disable the server auth then you are leaving the hacker a door open so they can retrieve the users and passwords, as the client will not check if it is connecting to a valid server... it will just connect to any RADIUS server, no matter if it's a fake one...

     

    That's the issue of employing EAP PEAP in this scenario: you have no control over those devices, like the iPhones and the Androids you mention, on which you need to disable the server auth.... That's why BYOD was created... to resolve this kind of issue.

     

    Answering your question, well, on some devices, like for example an iPad, it will ask you if you want to add this trusted root cert... which a normal user can just click yes to... but how does a normal user know whether it is a real server or a fake one? Well, it doesn't know; you need all the fields, like I told you, to make it secure.... if not, then it is not secured....

     

    WIPS can help, but remember it's just another layer of security...

     

    If I were you I would tell the manager that you cannot give them good security without BYOD for non-enterprise devices, and for devices that do not accept the correct configuration of EAP PEAP like you saw in the manual I gave, where I already told you, with the iPhone example, why it is insecure even if you are using EAP PEAP.

     

    IF you want to use EAP PEAP for this, I would just allow the devices that support the correct configuration of EAP PEAP on them... if not, I would not allow it...

     

    If you are afraid they can steal AD passwords then don't use EAP PEAP... you can use a simple WPA2 PSK (yeah, they can crack it with an offline dictionary attack), but they won't get any user or password from anyone, as it does not need to send it for anything (well, it does for the Exchange), but then that's Exchange security that I don't know too much about... Also on that particular SSID you will have PEF enforcing it, telling it on their role that they can just access the internet and Exchange on port 443, which is the one used for ActiveSync as far as I know.

     

    Do I recommend the above? Well, not really; I recommend, like I told you, BYOD...

    I have got clients with these kinds of requests... but I tell them, if you want it really secure then you cannot do it without BYOD, and I explain to them why. IF you want I can do this, but like I said it's not secure, and I tell them the reasons. My recommendation to them in this scenario is BYOD, and if they don't like it, well, I cannot do anything for them. I cannot lie to the customer telling them that it will be really secure...

    In fact I just had this happen once, someone asking me about this, and I told him what I told you. He decided not to bring the users' equipment into the enterprise as they did not have budget for BYOD.... The other enterprises, most are banks, and they do not allow this kind of thing... so I've got no problem with it, but if you must do it, well, do it with BYOD. If not then you can go with a not so secure scenario like I told you (and making it clear to the customer), or just not do it, because you don't have the budget to get security.

     

    So as far as I see you've got those options... plus WIP, which can help in the security. Sorry, but I cannot tell you that it will be REALLY secure, if that's what you want to hear, because it won't.

     

    You can also wait for the Aruba gurus in here to answer in this thread, to see if they've got a better idea. I don't think you will be able to open a TAC ticket for this, because then they will send you to professional services, which will cost you money for advice on this.

     

     

    Something else:

    If you're gonna deploy WIPS you NEED air monitors, otherwise it won't work properly. IF you don't have APs as air monitors then you might have to buy more APs for that.

     

    The question is how much security they want. You can explain to them what kind of security you can give them, but you never tell them that the system is 100% secure... because that would be a lie... you can tell them you can add more and more layers of security to make it more difficult for the attackers to get in...

    For now the hard security layers you could be adding could be the WIPS and also the part of enforcing with the firewall on the controller... but for authentication... that's the problem here, you have got a weak one (which could be enforced with BYOD), and well, I already mentioned to you the problem you could get with EAP PEAP authentication for those devices.

     

    Cheers

    Carlos
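The point Carlos makes in posts 7 and 10 (the client only stays safe from a fake AP's RADIUS server if it validates the server certificate against a trusted CA and checks the server name) can be modelled as the decision a supplicant takes before it starts the inner MSCHAPv2 exchange. The Go program below is an added example written for this thread, not code from the posts, from Aruba or from Microsoft; the C.A. and server names (nps.corp.example, intranet.corp.example, wifi.attacker.example and the two constructed CAs) are assumptions. It builds the certificates in memory and runs four client settings against four candidate servers: validation disabled (the BlackBerry case), validation against the device's whole root store with no server name, the corporate CA alone, and the corporate CA plus a pinned server name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ClientPolicy struct {
	ValidateServer bool           // false = "disable server authentication"
	TrustedRoots   *x509.CertPool // CAs accepted as issuer of the RADIUS server certificate
	AllowedServer  string         // Windows' "connect to these servers" field; empty = any name
}

// VerifyRADIUSServer is the decision a supplicant makes on the certificate the NPS/RADIUS server
// presents in PEAP's outer TLS handshake; only if it passes should the inner MSCHAPv2 exchange begin.
func VerifyRADIUSServer(p ClientPolicy, cert *x509.Certificate) error {
	if !p.ValidateServer {
		return nil // whoever answers on the SSID, including an evil twin, gets the AD credentials
	}
	opts := x509.VerifyOptions{Roots: p.TrustedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // NPS certs must carry the Server Authentication EKU
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain rejected: %w", err)
	}
	if p.AllowedServer != "" && cert.VerifyHostname(p.AllowedServer) != nil { // matched against SAN entries
		return fmt.Errorf("server %q is not the configured server", cert.Subject.CommonName)
	}
	return nil // with no name pinned, any certificate from a trusted CA passes
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only the constructed demo certificates below are generated this way
	}
	return v
}

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for a fresh P-256 key; signer == nil means self-signed.
func issue(serial int64, cn string, ca bool, signer *identity) *identity {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = &identity{t, key}
	}
	der := must(x509.CreateCertificate(rand.Reader, t, signer.cert, &key.PublicKey, signer.key))
	return &identity{must(x509.ParseCertificate(der)), key}
}

// BuildScenario returns the client settings discussed in the thread and the certificate each candidate
// RADIUS server would present. Everything is constructed in memory; the names are assumptions.
func BuildScenario() (map[string]ClientPolicy, map[string]*x509.Certificate) {
	corpCA := issue(1, "Corp Root CA (constructed)", true, nil)
	pubCA := issue(2, "Public CA (constructed)", true, nil)
	corpOnly, rootStore := x509.NewCertPool(), x509.NewCertPool()
	corpOnly.AddCert(corpCA.cert)
	rootStore.AddCert(corpCA.cert)
	rootStore.AddCert(pubCA.cert) // a device that trusts its whole OS root store
	policies := map[string]ClientPolicy{
		"disabled":     {},
		"os-store":     {ValidateServer: true, TrustedRoots: rootStore},
		"corp-ca":      {ValidateServer: true, TrustedRoots: corpOnly},
		"corp-ca+name": {ValidateServer: true, TrustedRoots: corpOnly, AllowedServer: "nps.corp.example"},
	}
	servers := map[string]*x509.Certificate{
		"nps":          issue(3, "nps.corp.example", false, corpCA).cert,      // the real NPS server
		"corp-other":   issue(4, "intranet.corp.example", false, corpCA).cert, // another cert from the same internal CA
		"public-rogue": issue(5, "wifi.attacker.example", false, pubCA).cert,  // a valid public cert for an unrelated name
		"self-signed":  issue(6, "nps.corp.example", false, nil).cert,         // an evil twin copying the NPS name
	}
	return policies, servers
}

// Accepts reports whether a client with the named policy would hand its credentials to that server.
func Accepts(policies map[string]ClientPolicy, servers map[string]*x509.Certificate, policy, server string) bool {
	return VerifyRADIUSServer(policies[policy], servers[server]) == nil
}

func main() {
	policies, servers := BuildScenario()
	fmt.Println("evil twin accepted with validation disabled:", Accepts(policies, servers, "disabled", "self-signed"))
}
```

Read the results as a matrix: with validation disabled every server is accepted; trusting the whole root store still accepts any publicly issued certificate, because the other side only needs a valid certificate for a name it owns; pinning the corporate CA alone still accepts any other certificate that CA has issued; only CA plus server name restricts the client to the real NPS. On Windows those last two settings are the trusted root CA checkbox and the "Connect to these servers" field in the PEAP properties; in wpa_supplicant they are `ca_cert` together with `domain_match`. Devices that lack either field, which is the iPhone case Carlos describes, cannot be brought to the last row.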



  • 11.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 04:34 PM

    Thanks Carlos. 

     

    Surely if I can implement the WIPS then this will allay my fears re stealing passwords with fake APs?

     

     



  • 12.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 04:46 PM

    It will surely help, but remember if you cannot configure the client with the proper options, and if they can get past the IDS/IPS somehow, then they will get your passwords and users.... Remember that I told you that those devices don't support all the security options to be configured, so that makes EAP PEAP vulnerable to attacks.

     

    Remember also WIPS needs APs in air monitor mode (those APs will not serve clients).

     

    Cheers

    Carlos



  • 13.  RE: Peap mschapv2 with non windows clients

    Posted Nov 04, 2012 05:04 PM

    Thanks. 

     

    As you mentioned, I wonder if any others have some other suggestions...

     

    At present, if I don't push this out and do nothing, a fake AP could still be introduced that prompts for AD credentials, so I am not sure if there is much more of a flaw in introducing it?



  • 14.  RE: Peap mschapv2 with non windows clients

    Posted Nov 05, 2012 02:32 AM

    Carlos,

     

    When you say that we need APs as air monitors for WIP, are you referring to both stopping clients from connecting to non-Aruba APs AND isolating the fake AP, or both?

     

    Also, when you introduce air monitors, does this mean you have to buy them on a one-to-one basis with ordinary APs, i.e. buy the same amount as we already have?

     

    Thanks, Lee.



  • 15.  RE: Peap mschapv2 with non windows clients

    Posted Nov 05, 2012 08:41 AM

    Okay, now you should have X amount of APs, all serving clients.

    Let's say they are all AP 105s.

     

    The AP 105 can be in 3 modes:

    AP

    Air Monitor

    Spectrum Analyzer = you need the WIP license to make this one work, as far as I remember

     

    Now if you don't have any air monitor on your network, that means that all are in AP mode.

    AP mode has two missions:

    1 - Serving clients = which is the principal one

    2 - Monitoring other channels = which is the secondary one, and it does it every amount of time: it goes off the channel it is serving to check on another channel and then comes back to serving clients.

     

    IF you just use AP mode it can maybe detect, but to contain, that's another story... it can't be serving clients and containing a rogue AP, or in this case a fake AP, as it would need to be on the same channel, and it can't be all the time, so it makes it inefficient!

     

    Now knowing this you see you need air monitors.

    If you've got APs in inventory, let's say you've got AP 105s, then you can put them as air monitors...

    Don't put old AP 61s and 65s if all your network is N capable... they cannot do some things properly, as they cannot understand all the N stuff...

     

    Does this answer your question?