wireless PEAP with EAP-MSCHAP v2 authentication - certificate spoof possible?

Discussion in 'Cisco' started by Todd H., Oct 23, 2006.

  1. Todd H.

    Todd H. Guest

    Greetings,

    I have a Cisco/Microsoft Wireless security question that's pretty
    in-depth. I'm hoping there's someone out there who's been down this
    road. Specifically I'm curious how strong this setup is in deflecting
    a targeted evil-twin man-in-the-middle access point attack against our
    employees (i.e. bad guy in airport or starbucks setting up an access
    point trying to get an employee machine to associate to it and get the
    machine to volunteer the active directory username/password).

    Our networking vendor is spec'ing a wireless system for a large
    facility, and intends to use Cisco Aironet infrastructure, and
    leveraging PEAP authentication against our Microsoft Active directory
    using username/passwords. All our client machines are Windows XP
    systems.

    Their technical guy showed in a demo that Windows would be configured
    for WPA/TKIP using 802.1x authentication using PEAP, and EAP-MSCHAP v2
    as the authentication mechanism which'll go against our active
    directory infrastructure.

    Client systems (for our wireless workstations) will be set up to
    validate the access point's certificate which they intend to use an
    [name of a listed certificate authority] authority certificate for
    this. Perhaps this picture helps, where only one trusted root CA
    would be checked in our configuration:
    http://www.cisco.com/univercd/illus/1/29/103429.gif

    The benefit they say is that we won't have to install any client side
    certificates which will simplify management quite a bit but, here's
    where the big question of security comes...

    In this setup, would it be possible for an attacker to set up
    an evil twin access point if they take the time to purchase
    their own certificate from that same certificate authority?

    My understanding may be flawed, but I don't see that the client checks
    anything except that the access point has a matching BSSID and
    possesses a valid certificate from that certificate authority. I don't
    see where it does any checking to make sure that it's actually our
    company's individual certificate.

    Can anyone confirm or deny?

    I guess I'd hate for someone with a laptop sitting at an airport being
    able to coax one of our employees' machines into joining his network
    automatically if he just knew our BSSID and had a certificate from the
    same CA. It may be an acceptable level of risk to balance out the
    management headache of client side certificates, but I just want to be
    sure we know what the exposure is so we can do a proper risk
    assessment.


    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 23, 2006
    #1

  2. Hi Todd,

    When dealing with digital certificates it is all about established
    trust.

    There is a chain linked to all certificates that leads back to the main
    certificate authority.

    If you "trust" that authority as having done their job then you
    assume they have verified the certificate owner because there are
    digital certificate links that lead back to the top authority.

    If you do not trust them then you can get a certificate from another
    authority, perhaps even setup your own root authority that is 802.1x
    compliant.

    Actually, even Microsoft provides this type of solution.

    With 802.1x you can not only authenticate the access point, but you can
    authenticate the end points and users as well.

    In addition, the 802.1x leads into network access control (NAC)
    solutions and this is the true direction mature organizations should be
    heading.

    Courtesy of CompuCom Systems Network Security Expert, Andrew R. Reese:

    http://www.bradreese.com/andrew-r-reese.htm

    ------------------------------

    Hope this helps.

    Brad Reese
    BradReese.Com - Cisco Repair
    http://www.bradreese.com/cisco-big-iron-repair.htm
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    USA & Canada: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    AIM: R2MGrant
    BradReese.Com - Cisco Power Supply Headquarters
    http://www.bradreese.com/cisco-power-supply-inventory.htm
     
    www.BradReese.Com, Oct 24, 2006
    #2

  3. Todd H.

    Todd H. Guest

    "www.BradReese.Com" <> writes:
    > Hi Todd,
    >
    > When dealing with digital certificates it is all about established
    > trust.
    >
    > There is a chain linked to all certificates that leads back to the main
    > certificate authority.
    >
    > If you "trust" that authority as having done their job then you
    > assume they have verified the certificate owner because there are
    > digital certificate links that lead back to the top authority.
    >
    > If you do not trust them then you can get a certificate from another
    > authority, perhaps even setup your own root authority that is 802.1x
    > compliant.
    >
    > Actually, even Microsoft provides this type of solution.
    >
    > With 802.1x you can not only authenticate the access point, but you can
    > authenticate the end points and users as well.
    >
    > In addition, the 802.1x leads into network access control (NAC)
    > solutions and this is the true direction mature organizations should be
    > heading.


    Hi Brad, thanks for your response. Let's assume we trust the
    certificate authority in question to verify that someone is who they
    say they are.

    I guess my question boils down to this: Does PEAP (using only server
    side certificates) really give a client any assurance that they're
    connecting to their company's access point, or does it only guarantee
    that they're connecting to an access point where the owner has
    purchased a certificate from a given CA?

    As a recap, we're talking about the situation where the client is
    configured like this, with exactly one of the Microsoft listed Trusted
    Root CA's checked in this dialog box:
    http://www.cisco.com/univercd/illus/1/29/103429.gif

    I'm thinking a bad guy, knowing only what CA a Big Company uses, could
    cheerfully purchase a certificate in his own name or his own company's
    name, the CA would do their job and verify who he is and all, and then
    head down to the airport with his laptop and see what laptops from Big
    Company he could get to autojoin his access point because I suspect
    that this method isn't checking the content of the certificate other
    than for validity and for a trusted CA.

    Or am I all wet?

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 24, 2006
    #3
  4. Todd H.

    Guest

    In article <>, (Todd H.) writes:
    >
    > Greetings,
    >
    > I have a Cisco/Microsoft Wireless security question that's pretty
    > in-depth. I'm hoping there's someone out there who's been down this
    > road. Specifically I'm curious how strong this setup is in deflecting
    > a targeted evil-twin man-in-the-middle access point attack against our
    > employees (i.e. bad guy in airport or starbucks setting up an access
    > point trying to get an employee machine to associate to it and get the
    > machine to volunteer the active directory username/password).
    >
    > Our networking vendor is spec'ing a wireless system for a large
    > facility, and intends to use Cisco Aironet infrastructure, and
    > leveraging PEAP authentication against our Microsoft Active directory
    > using username/passwords. All our client machines are Windows XP
    > systems.
    >
    > Their technical guy showed in a demo that Windows would be configured
    > for WPA/TKIP using 802.1x authentication using PEAP, and EAP-MSCHAP v2
    > as the authentication mechanism which'll go against our active
    > directory infrastructure.
    >
    > Client systems (for our wireless workstations) will be set up to
    > validate the access point's certificate which they intend to use an
    > [name of a listed certificate authority] authority certificate for
    > this. Perhaps this picture helps, where only one trusted root CA
    > would be checked in our configuration:
    > http://www.cisco.com/univercd/illus/1/29/103429.gif
    >
    > The benefit they say is that we won't have to install any client side
    > certificates which will simplify management quite a bit but, here's
    > where the big question of security comes...
    >
    > In this setup, would it be possible for an attacker to set up
    > an evil twin access point if they take the time to purchase
    > their own certificate from that same certificate authority?
    >
    > My understanding may be flawed, but I don't see that the client checks
    > anything except that the access point has a matching BSSID and
    > possesses a valid certificate from that certificate authority. I don't
    > see where it does any checking to make sure that it's actually our
    > company's individual certificate.
    >
    > Can anyone confirm or deny?


    You need to check the "Connect to these servers" box and specify
    the domain name under which the server certificates were issued.

    Otherwise, as you say, any access point with a valid server certificate
    issued to any name whatsoever would pass the "is the access point who it
    says it is" test.

    You need to know "is the access point who it says it is" along with
    "does it say that it is MYCOMPANYNAME.COM".
     
    , Oct 24, 2006
    #4
  5. Todd H.

    Chad Mahoney Guest

    Re: wireless PEAP with EAP-MSCHAP v2 authentication - certificate spoof possible?

    Todd H. wrote:
    > writes:
    >


    > Gotcha. That's what I suspected--glad to have a confirmation of how
    > this works.
    >
    > Now, given that the company uses different server names depending on
    > location, that might get a little tricky to roll into our big master
    > workstation build.


    I think you can issue the certificates to the workstations via group
    policy, if I understand your scenario properly.
     
    Chad Mahoney, Oct 24, 2006
    #5
  6. Todd H.

    Todd H. Guest

    writes:

    > You need to check the "Connect to these servers" box and specify
    > the domain name under which the server certificates were issued.
    >
    > Otherwise, as you say, any access point with a valid server certificate
    > issued to any name whatsoever would pass the "is the access point who it
    > says it is" test.


    Gotcha. That's what I suspected--glad to have a confirmation of how
    this works.

    Now, given that the company uses different server names depending on
    location, that might get a little tricky to roll into our big master
    workstation build.

    Or does it allow for wildcarding of *.mycompanyname.com?

    > You need to know "is the access point who it says it is" along with
    > "does it say that it is MYCOMPANYNAME.COM".


    Thanks again for the responses.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 24, 2006
    #6
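The two checks discussed in reply #4 (trusted CA only, versus trusted CA plus the "Connect to these servers" name list) and the wildcard question raised in #6, modelled as an added Python example that is not code from the thread, from Cisco or from Microsoft. The certificates are constructed stand-ins (subject and issuer only, not real X.509), the CA and server names are made up, and the single-label wildcard rule is an assumption about a sensible matching policy, not a statement of what the Windows XP supplicant's field accepts.

```python
"""Two checks a PEAP supplicant can apply to the RADIUS server certificate:
(1) does the chain end at a trusted root CA (the ticked box), and
(2) does the subject name match a "Connect to these servers" list.
Certificates here are constructed stand-ins, not real X.509 objects."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str   # server name the CA vouched for
    issuer: str    # root CA that signed it


@dataclass
class SupplicantPolicy:
    trusted_roots: List[str]                        # CAs ticked in the dialog
    connect_to_servers: Optional[List[str]] = None  # None models a blank field


def name_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single-label wildcard such as '*.mycompanyname.com'
    (assumed rule): '*.x.com' matches 'radius1.x.com' but neither 'x.com'
    nor 'a.b.x.com'."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                 # ".mycompanyname.com"
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]         # the text the '*' stood for
    return label != "" and "." not in label


def validate_server_cert(cert: Cert, policy: SupplicantPolicy) -> str:
    """Return 'accept', or 'reject: <reason>'."""
    if cert.issuer not in policy.trusted_roots:
        return "reject: issuer is not a trusted root CA"
    if policy.connect_to_servers is None:
        # Only the CA was checked: any certificate that CA ever issued passes.
        return "accept"
    if not any(name_matches(p, cert.subject) for p in policy.connect_to_servers):
        return f"reject: server name {cert.subject!r} not in allowed list"
    return "accept"


# Constructed sample certificates (names and CA are made up)
LEGIT = Cert("radius1.mycompanyname.com", "Example Public CA")
ROGUE_SAME_CA = Cert("someone-else.example", "Example Public CA")  # genuine cert, other name
ROGUE_OTHER_CA = Cert("radius1.mycompanyname.com", "Untrusted Private CA")

WEAK = SupplicantPolicy(trusted_roots=["Example Public CA"])
STRICT = SupplicantPolicy(trusted_roots=["Example Public CA"],
                          connect_to_servers=["*.mycompanyname.com"])

if __name__ == "__main__":
    for label, cert in [("legit", LEGIT), ("rogue/same CA", ROGUE_SAME_CA),
                        ("rogue/other CA", ROGUE_OTHER_CA)]:
        print(f"{label:15} blank field -> {validate_server_cert(cert, WEAK)}")
        print(f"{label:15} name list   -> {validate_server_cert(cert, STRICT)}")
```

With the name field blank, the certificate bought from the same CA under another name is accepted exactly as Todd feared; adding the name list is what turns that into a rejection.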
  7. Todd H.

    Todd H. Guest

    Chad Mahoney <> writes:

    > Todd H. wrote:
    > > writes:
    > >

    >
    > > Gotcha. That's what I suspected--glad to have a confirmation of how
    > > this works. Now, given that the company uses different server names
    > > depending on
    > > location, that might get a little tricky to roll into our big master
    > > workstation build.

    >
    > I think you can issue the certificates to the workstations via group
    > policy. If I understand you scenario properly.


    Hi Chad, thanks for the response-- that would definitely simplify the
    certificate distribution issue quite a bit. I'm intrigued.

    In that case, instead of configuring the standard workstation build to
    use PEAP/EAP-MSCHAP v2 with a CA that's already "on the list" if you
    will, are you saying we could use group policy to install our own
    specific mycompany certificate, and then direct the 802.1x
    authentication to only trust that CA here?
    http://www.cisco.com/univercd/illus/1/29/103429.jpg
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/icg03/winapekh.htm#wp1031360


    Or am I getting CA's and certificates confused and this approach would
    move us away from PEAP into EAP-TLS, and specifying certificate this
    way:
    http://www.cisco.com/univercd/illus/1/58/103458.jpg
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/icg03/winapekh.htm#wp1023440


    If what I've read is to be believed, EAP-TLS is the most secure way to do
    things, but folks shy away from it because it requires a certificate
    to be put on the client box. Personally, if getting the cert there is
    as simple as pushing it via group policy, and making the first login
    to a domain controller be over a wired connection, that'd be a good
    tradeoff from where I sit.

    Let me know if I'm smelling the stew yer cookin correctly on this.
    :) Thanks for the input!

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 24, 2006
    #7
  8. Hi Todd,

    Recommend that you check out Verisign's FAQ section and review what
    kinds of digital certificates are available for purchase, and then
    review what the requirements are to get these digital certificates
    assigned.

    As stated earlier, it is about trusting the certificate authorities.

    If you do not trust the root authorities to properly check the
    credentials of someone before handing out a digital certificate in some
    company's name, then set up your own root server and architect it from
    there.

    Am sure the root authorities post their policies and procedures for
    ensuring the integrity of their root servers.

    The client has the responsibility for accepting the validity of
    whatever certificates are presented to them; they need to verify the chain
    of trust back to the root server and they need to make sure the digital
    certificate they have for the root server is valid.

    Sincerely,

    Brad Reese
    BradReese.Com - Cisco Network Engineer Directory
    http://www.bradreese.com/network-engineer-directory.htm
     
    www.BradReese.Com, Oct 24, 2006
    #8
  9. Todd H.

    Chad Mahoney Guest

    Re: wireless PEAP with EAP-MSCHAP v2 authentication - certificate spoof possible?

    Todd H. wrote:
    > Chad Mahoney <> writes:
    >
    >> Todd H. wrote:
    >>> writes:


    >
    > Hi Chad, thanks for the response-- that would definitely simplify the
    > certificate distribution issue quite a bit. I'm intrigued.
    >
    > In that case, instead of configuring the standard workstation build to
    > use PEAP/EAP-MSCHAP v2 with a CA that's already "on the list" if you
    > will, are you saying we could use group policy to install our own
    > specific mycompany certificate, and then direct the 802.1x
    > authentication to only trust that CA here?
    > http://www.cisco.com/univercd/illus/1/29/103429.jpg
    > http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/icg03/winapekh.htm#wp1031360
    >


    Check out http://www.unixwiz.net/techtips/deploy-webcert-gp.html

    and this http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm

    I would assume you could create a policy per OU based on location and
    deploy the certs. I have only configured this in a single org. setup and
    the certs were distributed with no problem.

    HTH
     
    Chad Mahoney, Oct 24, 2006
    #9
  10. Todd H.

    Todd H. Guest

    "www.BradReese.Com" <> writes:

    > Hi Todd,
    >
    > Recommend that you check out Verisign's FAQ section and review what
    > kinds of digital certificates are available for purchase, and then
    > review what the requirements are to get these digital certificates
    > assigned.
    >
    > As stated earlier, it is about trusting the certificate authorities.
    >
    > If you do not trust the root authorities to properly check the
    > credentials of someone before handing out a digital certificate in some
    > company's name, then set up your own root server and architect it from
    > there.
    >
    > Am sure the root authorities post their policies and procedures for
    > ensuring the integrity of their root servers.


    That's true, but not applicable to the scenario I'm posing.

    I'm trying to explore this: suppose a completely legitimate, non-forged
    certificate is purchased in the attacker's name and is associated with
    the rogue access point. The real and rogue APs will have different
    certificates, but both certs are from the same CA. Will PEAP
    EAP-MSCHAP v2 as implemented in Windows XP SP2's built-in PEAP
    supplicant ever tell the user about the certificate or not, or will
    it quietly and happily connect to the rogue access point since it has
    a cert from the trusted CA?

    For the purposes of this, assume the "Connect to these servers" field of
    this dialog is blank, and one CA of the trust list is selected to trust:
    http://www.cisco.com/univercd/illus/1/29/103429.gif


    > The client has the responsibility for accepting the validity of
    > whatever certificates are presented to them; they need to verify the chain
    > of trust back to the root server and they need to make sure the digital
    > certificate they have for the root server is valid.


    Right. I couldn't agree more.

    But, my question is "Will the Microsoft PEAP supplicant even ask the
    user to okay the certificate that is presented, or will it quietly
    accept it because it came from the trusted CA?"

    Thanks again for your input!

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 25, 2006
    #10