WPA-Enterprise + PEAP + CHAPv2 vulnerable?

http://www.networkworld.com/news/2012/072912-tools-released-at-defcon-can-261242.html?source=NWWNLE_nlt_security_2012-07-30
Can anyone from Cisco comment on this?

Hi Roman,
The article does not talk about PEAP-MSCHAPv2. It talks about MS-CHAPv2 only.
With PEAP-MSCHAPv2 the MSCHAPv2 authentication is done inside a TLS tunnel that is encrypted. The article talks about EAP-MSCHAPv2, which does not use a TLS tunnel to encrypt the authentication process. So PEAP-MSCHAPv2 is still running OK, thanks to the TLS tunnel that prevents the attackers from seeing the MSCHAPv2 messages that are being exchanged. This is why a certificate is being used on the AAA server when you use PEAP-MSCHAPv2. But if you use EAP-MSCHAPv2 then the certificate is not needed on the server and the vulnerability in the article applies.
HTH
Amjad
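The protection Amjad describes only holds when the client actually validates the AAA server's certificate; several of the threads below get devices connected by unchecking "Validate server certificate", and a client configured that way will complete the MSCHAPv2 exchange inside a tunnel to whichever server presents a certificate. The following wpa_supplicant network blocks are an added example, not from the original post or from Cisco: the first is the weak form (no CA, no server-name check), the second pins the CA and the RADIUS server name. The SSID, identities, CA path and server name are placeholders.

```ini
# Weak form: no ca_cert and no server-name match, so the TLS tunnel can be
# terminated by any server holding a certificate. Kept disabled=1 so it is
# never selected; shown only for comparison.
network={
    ssid="EXAMPLE-SSID"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"         # placeholder user name
    password="REPLACE-ME"               # placeholder password
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# Hardened form: validate the RADIUS server certificate against a pinned CA
# and require the server name to match, so the inner MSCHAPv2 exchange only
# happens inside a tunnel to the legitimate AAA server.
network={
    ssid="EXAMPLE-SSID"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"   # outer (unencrypted) identity; placeholder
    identity="user@example.org"         # inner identity, sent only inside TLS; placeholder
    password="REPLACE-ME"               # placeholder password
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"   # placeholder path to the CA that signed the RADIUS cert
    domain_suffix_match="radius.example.org"         # placeholder; must match the server certificate's name
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

With the hardened block, a server whose certificate does not chain to the pinned CA or does not carry the expected name fails the TLS handshake, so the inner credentials are never sent to it.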

Similar Messages

  • Wpa enterprise help

I have a MacBook that is running Leopard. I am having trouble connecting to my school's WPA Enterprise wireless. I am registered to access the wireless, but am having trouble connecting. I think my problem is that I don't know how to tell the computer which domain to use on the wireless network. The connection I am trying to get has many domains.

    Ok, sorry for the super delayed response but I didn't have access to my laptop, then I was busy with midterms. I successfully connected manually with wpa_supplicant with this config file:
    [phil@pwned network.d]$ cat /etc/wpa_supplicant.conf
    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=1
    ap_scan=1
    fast_reauth=1
    network={
    ssid="uw-secure"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="rofl"
    password="lolol"
    phase1="peaplabel=0"
    }
    I then updated my uw-secure file so that it referenced the new wpa config file:
    [phil@pwned network.d]$ cat uw-secure
    CONNECTION="wireless"
    DESCRIPTION="secure uw"
    INTERFACE="wlan0"
    IP="dhcp"
    SECURITY="wpa-config"
    SCAN="YES"
    WPA_CONF="/etc/wpa_supplicant.conf"
    I then tried to connect with netcfg, and I got this:
    [phil@pwned network.d]$ sudo netcfg uw-secure
    :: uw-secure up
    wlan0 Interface doesn't support scanning : Device or resource busy
    wlan0 Interface doesn't support scanning : Network is down
    wlan0 Interface doesn't support scanning : Network is down
    wlan0 Interface doesn't support scanning : Network is down
    wlan0 Interface doesn't support scanning : Network is down
    - Network not present.
    any help would be appreciated.

  • WPA - Enterprise oddities, any suggestions?

    We have a WPA/WPA2 Enterprise (PEAP) network and are having trouble with our users' iPhones. (They work fine on the open network SSID, but we would like to migrate to the somewhat more secure WPA or WPA2 model.)
    Apple iPhones 2.2.1 [5H111]
    Apple iPods 2.2.1 [5H11a]
    Cisco APs 12.3(8)JA2 or 12.3(3)JEC2 (same results) (WPA TKIP and AES support enabled)
    OUR STANDARD AP CONFIG: and our results
    OPEN SSID (hidden) = iPhones works fine
    WPA2 SSID (broadcast) = iPhones fail to connect (occasionally after certificate)
    (BUT iPods work just fine!, as does Ubuntu, XP, etc.)
    TESTED config 1: (but this setup is incompatible with our network design)
    OPEN SSID (broadcast) = iPhone works
    WPA2 SSID (broadcast) = iPhone works
    TESTED config2: (not desired configuration)
    OPEN SSID (broadcast) = iPhone Works
    WPA2 SSID (hidden) = iPhone Works
    The Standard config needs to be implemented and supported for a variety of reasons. (We use .1X to move clients to various VLANs behind that SSID so can't enable multi-broadcast on our equipment.) We need to broadcast our WPA network SSID instead of the OPEN SSID, but are having issues.
    As this problem ONLY seems to impact our iPhone users, and not iPods (with the same version of software), I suspect there may be a simple setting on the phones or APs that we are missing. Has anyone else run into this and have any pointers?

    We have also noted the very same problem with 1G iPod Touch. (Several users pointed this out after deployment.)
    We have implemented a work-around by having a WPA2#2 SSID as a hidden so these iPhones and iPods can attach to the network. This now allows them to associate without a problem.
    However on the hidden ID they seem to connect/disconnect from the network, and may require a user to go to the networks area to get connected after the device is left alone for some time.

  • WPA enterprise on N9

    Hello,
    When I try to connect to my university network (WPA enterprise) with my N9, it asks me for a password for their certificate.
    It uses WPA2, TTLS PAP and a certificate. I installed the certificate chain and can view them in Settings -> Security -> Certificates.
    Do you have any idea what the password for the certificate is? My university says that there should not be any.
    I tried to select the certificate in Settings -> Security -> Certificates and to click on the bottom right button and then "Change password" but it just gives me "Keine" (none) in a small box at the top.
    Thanks in advance
    Ole
    PS: I just saw there is a Meego section, too, sorry.

    juhanima wrote:
    If the WiFi setup doesn't require a user certificate, you should select "None" for a certificate when defining the connection. The CA certificate(s) you installed earlier are used automatically as long as they are enabled for WiFi usage.
    Here are the settings for the network for a Nokia N82. Maybe, this will help shed some light on the issue. FYI - I could not make these settings work for my Nokia N8 as well. The IT help desk says they are unable to solve the issue.
    juhanima wrote:
    The connection dialog is supposed to show only actual user certificates to choose from, but it is a known bug in the current N9 FW that if you install something that is not a CA certificate it is taken for a user certificate by default and shown as an option in the connection dialog. The bug will be fixed in the next FW update I believe.
    I have only installed one CA certificate (the one which can be found at the link I provided above). It does not ask for any password when I install it. When I go to Certificate Manager and try to change the password it informs that there is no password for the certificate.
    juhanima wrote:
    On the other hand, if the connection does require a user certificate you should have received one from the network's administrator in a PKCS#12 package with a password. You need the password when installing the package and later when using the private key related to the user certificate. But it sounds like this is not the case, so just select "None".
    Hope this helps.
    Juhani Mäkelä
    Harmattan certificate manager maintainer
    So I did choose "None" as certificate. EAP Type - PEAP and EAP MSCHAPv2 as the EAP method. I could not connect to the network using these settings. The certificate was installed at this point. If I try connecting using the certificate it asks me for the password. So, right now, it is a problem connecting to the network. Would appreciate any help in this regard.
    Cheers
    Rahul

  • WPA Enterprise on Palm Pre

    We have found that the Palm Pre will not connect to our WPA Enterprise wireless system, because our network needs clients to eliminate the "validate server certificate" process. For example, our standard laptops use the SecureW2 client and the "validate server certificate" needs to be disabled in the client software. If this option is enabled, the SecureW2 client won't connect either (just like the Palm Pre won't).
    How can this be done on a Palm Pre?
    Thanks.
    PS-- the Palm Pre connects perfectly to WPA personal networks
    Post relates to: Pre p100eww (Sprint)


  • WPA Enterprise for E63

    Hi,
    I just bought an E63 just to realize that I cannot use it with my work WiFi. My workplace WiFi is WPA Enterprise. Is there an upgrade to the software to support WPA Enterprise?

    I suggest you contact your IT department on this matter. Setting up EAP-PEAP is not an easy thing to do. The link is an example of how it can be done.
    /discussions/board/message?board.id=connectivity&message.id=25714#M25714
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • WPA-Enterprise WIFI dropping after IOS 6 Upgrade

    We use WPA-Enterprise authentication for our WIFI and since upgrading to IOS 6 the connection needs to be reauthenticated every time the iPad is unlocked. This is a major inconvenience. With IOS 5 you only authenticated one time and whenever you unlocked your iPad you were already connected.
    These are the required settings which IOS 6 still automatically navigates, but it doesn't maintain the login name and password (which authenticates to a RADIUS server):
    Network Authentication: WPA-Enterprise
    Data Encryption: AES or TKIP
    EAP method: PEAP
    Inner EAP method: MS-CHAP v2
    Check Use Windows user name and password
    Uncheck Validate Server certificate

    It is forgetting the network every time the iPad sleeps - even when it doesn't require an unlock password.

  • WPA enterprise (need to not validate Certificate)

    We currently use WPA Enterprise and we require the network to be configured manually to get it to work on a Windows 7 PC.
    We have to create the Wireless as so:
    Network name: XYZ
    Security: WPA-Enterprise
    Encryption type: TKIP
    Under Properties for network... we need to change PEAP and uncheck Validate server certificate
    Either we enable single sign-on if it's a domain-joined PC and tell it to send user info from the logged-in user...
    Or we store user info for non domain joined PC's.
    Ok so that's how we get a PC running windows 7 to join the network...
    I can't get an iPhone running 3.1.3 or an iPad WiFi model to connect.
    Note: the iPhone used to work on our network (nothing changed in 1 year).
    We use Cisco Wireless LAN Controllers 4400 series and ABG lightweight access points.
    How can I manually configure the WiFi on an Apple product? iPhone/iPad

    Try using the iPhone Configuration Utility.
    http://support.apple.com/kb/DL851 - (for Mac)
    http://support.apple.com/kb/DL926 - (for Windows)
    It will let you manually select the security type and protocol. It also lets you install certificates and set trust exceptions on the devices.
    You can find detailed information about the iPhone Configuration Utility in the Enterprise Deployment Guide, which is available here: http://manuals.info.apple.com/enUS/Enterprise_DeploymentGuide.pdf

  • 802.1X Authentication fails when connecting to WPA Enterprise using Leopard

    I'm trying to connect to an office WiFi network with my MacBook Pro which has 10.5.1 installed.
    There are instructions on how to connect using Tiger which are very simple:
    1. Enter network name
    2. Wireless Security: WPA Enterprise
    3. Enter domain credentials for username and password fields
    4. 802.1X Configuration: Automatic
    There are at least two people here using Tiger that can connect using these instructions.
    I've tried the same thing with Leopard and keep getting an error dialog stating "802.1X Authentication has failed."
    I've also tried fiddling with the 802.1X tab under "Advanced" (I know the protocol is PEAP), but no matter what I get the same error.

    Turns out I was not authorized to use the WiFi. IT got me setup and everything works now.

  • WPA Enterprise Not working in MAC

    I have installed the Cisco 1131 AP with ACS 5.0.
    I have configured the AP with WPA with RADIUS authentication.
    All Windows 7 & XP users are connected.
    Mac users are not connected.
    There are two options: WPA Enterprise & WPA2 Enterprise.

    hello
    on your ACS 5 access policy for wireless, check that EAP-GTC is allowed under "allow PEAP" in the "allowed protocols" section.
    hth
    andy

  • Connecting n96 to WPA Enterprise

    Has anyone been able to connect a n96 to WPA Enterprise (TKIP Encryption; PEAP; EAP-MSCHAP v2) WLAN?
    thanks.

    Not sure what you mean by Enterprise but here is what I got my wireless router set with:
    Authentication: WPA-PSK and WPA2-PSK
    Encryption: TKIP
    Wireless Mode: 802.11b/g
    DTIM Period: 3
    Maximum Connection Rate: 53 Mbps
    I have mine set to a custom pass phrase key.
    When I used the WLAN scan on the handset, it found my wireless network very easy then all I had to do was select it then enter the pass phrase key. When I first started my Nokia PC Suite, my router said there was a conflict and placed my N96 with DMOZ Enabled. A quick reboot of the phone then everything working fine.
    I have a BT2700HGV router.
    Hope this is of some help to you

  • Mountain Lion won't connect to WPA-Enterprise

    Configuration: Macbook Pro (8,2) running OS X 10.8.3.
    My office's "IT Guy" changed our Wifi network recently, with the surprise side effect that the Mac users are now offline, including me.  The odd thing is that my iPhone connects very nicely, as does my Windows (Bootcamp).  When I'm booted into Windows and connected, here is the information I can glean from the network manager:
    Security Type: WPA-Enterprise
    Encryption Type: TKIP
    NW Authentication Method: PEIP
    He suggested I buy a little USB stick that would connect me, but that is over my "lame-ness" limit.  The fact that the iPhone can connect but the Macbook can't is a little worrisome.  Do I have any hope, assuming that firing the IT Guy and buying the USB stick are both off limits?

    I had a similar situation happen to me today. Connecting to an Enterprise WPA2 network, and it authenticated correctly via PEAP (MSCHAPv2) but still would not show a good Connected status.
    What seemed to work was to go into Network preferences, click the Advanced button, Select TCP/IP tab, and click Renew DHCP Lease.
    Not sure why the MacBook did not connect, while the iPhone did, but this seemed to give the connection a good Connected status and the exclamation point on the WiFi network went away.
    And it's been 15 minutes and the user has not come back to bug me again!

  • Does the iPhone support WPA Enterprise?

    Hi,
    I'm really keen to purchase an iPhone when they appear over here in the UK.
    We've just rolled out a wireless network here configured to use WPA Enterprise i.e. no WEP. Our baseline config is WPA/TKIP and after that you use EAP-PEAP/MSCHAPV2 or EAP-TTLS/MSCHAP to authenticate using your university userid and password.
    When i was configuring our 802.1X network, the one operating system that beat everything else out there hands down was OS X. It didn't matter if it was wired or wireless, OS X just worked. It was a joy to use ... unlike Windoze.
    I sort of assumed that as the iPhone had OS X in the middle it would have the same capabilities as the desktop systems. However, I've heard a couple of snippets saying that it only supports WEP. Is that the case?
    It would be a major pain in the a**e if it only supported WEP. While I could set up a separate SSID for an iPhone network I'd really really rather not.
    Anyone got any info on the iPhones wireless capabilities?
    TIA
    Alex

    B**r!!!
    oh well, one can only hope that there'll be an upgrade real soon now
    Alex

  • Does WET200 support WPA-Enterprise/TKIP?

    I could not connect a WET200 (newly bought) to our WPA-enterprise/TKIP wireless network.
    Can anyone tell me what was wrong? Does WET200 support WPA-enterprise? Please help!
    Thanks a lot.


  • LaserJet CP1525nw & WPA-enterprise

    We bought a LaserJet CP1525nw printer because of its airprint support for printing from our iPads. Our wireless network uses WPA-enterprise security.
    We are unable to connect the printer to the wireless due to the enterprise authentication. The iPad is unable to find the printer.
    We need printing from the iPads, which ePrint does not offer. Any help would be much appreciated. Firmware 20110329.

    Hello,
    If you have not already, I might recommend going here and then looking at the link for iPad printing for ePrint/Airprint or ePrint Home and Biz.  Good Luck!
    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02784317&tmp_task=useCategory&cc=us&dlc=en&lang...
    I worked for HP but my posts and replies are my own....Thank you!
    *Say thanks by clicking the *Kudos!* which is on the left*
    *Make it easier for other people to find solutions, by marking my answer with (Accept as Solution) if it solves your issue.*
