House of Hackers

Anathema`

PEAP security

Building an huge wireless network, it's importat to find a valid and strong authentication method.
Everyone knows how secure is WPA-PSK and this can be a valid choose, but how about PEAP with MSCHAPv2 ?
Anyone knows its strength, weakness and a valid implementation?

Tags: authentication, mschapv2, peap, wifi, wireless, wpa

Share

Reply to This

Replies to This Discussion

Mark Permalink Reply by Mark on May 26, 2008 at 7:43pm
Personally i'd go for a GSM dial in server with a VPN. You could use WPA but if the budget is enough and the information is very sensitive I wouldn't go with a 802.11 network.

Reply to This

Anathema` Permalink Reply by Anathema` on May 26, 2008 at 9:47pm
Why you don't even use 802.11 network security ? I think this is the way. I don't know the WiMax situation in other country, but it can be interesting knows how it works. In this case how authentication and security methodologies was taken?
In some university and companies I've see and listen about PEAP auth, but I've no idea what is its weakness. It should be strong as other WPA2 method but hey, I'm here to know something more about :)

Reply to This

Mark Permalink Reply by Mark on May 26, 2008 at 10:23pm
On 802.11 wifi I use WPA2 but due to my paranoia about knowing too much about wifi security I use a 3G hsdpa to do other stuff such as online auction sites and banking.
I dont know a great deal about 802.16 WiMAX setup other than it using WPA2 based RC4 encryption and due to it being unavailible here apart from the huge antenna at the top of my road. I know its there but cant use it.

My idea was to have each client equipt with a gsm/hspda modem and connect either to the internet then to the VPN or using just gsm they can dial-in to the server. Again, this is all driven by my paranoia.

Reply to This

randomb Permalink Reply by randomb on May 26, 2008 at 10:10pm
well,

to throw in my dime here id say..

either you go for WPA2 (using Radios authentication) even with a multiple layer of VPN or maybe some other part of a single-signon system..

ive used that for +1.000 users wireless system

But then again depends on how sensitive information this network is going to transport.

Reply to This

Anathema` Permalink Reply by Anathema` on May 28, 2008 at 6:39am
I think all the information passing trought a network is sensitive. So, VPN or WPA2 Radius authentication can be a valid alternative.
But my question is about PEAP :)

Reply to This

Wifi Ninja Permalink Reply by Wifi Ninja on June 4, 2008 at 11:22pm
PEAP (Protected Extensible Authentication Protocol ) my Ass, but thats my I am a EAP-TLS fan

DO NOT USE PEAP with Passwords, Period you will be HACKED,
MSChapv2 was broken Long long ago, sicking it inside a tunnel, do not fix it, its still broken

Also if you use Windows it use Peap version 0, so transmit your User Name in the CLEAR
Other supplicates( no remeber that $100 per PC now) can Mask the Username


Use Something Like GTC (Tokens yeah 2 Factor is better)

DO no use PSK, be a real Wifi person, use 802.1x -Radius support so you can extend the Vlans to the Clients, not stop at the APs

Also deploy a good PKI system, that has been tested and audited. ($$$$)

Now you can role out PEAP.

Oh may sure you ONLY use 1 type of Authentication, no WPA-2, WEP, open crap

And leave the Guest Network your thinking about alone, it will cause you more headaches


Wifi for fun and Pleasure
:)

Reply to This

Anathema` Permalink Reply by Anathema` on June 6, 2008 at 11:12pm
Thanks Wifi Ninja, now I've the right idea.
Googling I haven't found how and why MSCHAPv2 is broken: what is its vuln ?
Unfortunatly, you're right: a lots of mixed implementation with both linux and windows I've seen use PEAP version and label 0. Why this is crappy?
Have you a reference to know more ?

Reply to This

Wifi Ninja Permalink Reply by Wifi Ninja on June 8, 2008 at 12:22am
Ok for MS-CHAPv2
http://www.schneier.com/paper-pptpv2.html
This is a paper on pptp and Mschap done by Mudge (l0pht fame) and Bruce Schneier

Done many Years ago
Biggest issue is Rollback to V1

Peap Info

PEAP is a two phase protocol. The first phase
establishes a TLS tunnel (very similar to the way that an SSL tunnel is
built with a web server). The second phase carries another EAP
conversation inside the tunnel.

What Happens when you donot do the Certificate Right

Cisco IP Phone 7921 Insecure PEAP Implementation
http://blogs.zdnet.com/security/?p=896
http://blogs.zdnet.com/security/?p=901



For the inner part of the authentication, is MS-CHAPv2 is secure. In order for
MS-CHAPv2 to work successfully, you need to store your password in one
of three different formats.
1. MS-CHAPv1 format.
2. Reversably encrypted.
3. Cleartext.

PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions.

Microsoft only supported the PEAPv0 standard while Cisco supported both PEAPv0 and PEAPv1

Main issue is version is designed to do both Machine and Users, and most configurations are User Only, so you send your UserName in the Clear when creating the Tunnel

If you Doing PEAP, I would suggest this Book, its a PEAP Deployment Bible

http://www.microsoft.com/MSPress/books/6749.aspx
Deploying Secure 802.11 Wireless Networks with Microsoft® Windows®
No longer sold, but maybe you can find it, its a great guide, as alot of things pop up in the directory space this book works with.

Reply to This

v0rex Permalink Reply by v0rex on June 7, 2008 at 6:08am
Just want to want to bump Wifi's ninja's comment. You can also look into TTLS-PAP. From what I've seen, that works really well as well.

Reply to This

Wifi Ninja Permalink Reply by Wifi Ninja on June 7, 2008 at 11:46pm
TTLS is good with all the items, but make sure you take care of the Server Certificates ( have to do the clients config, to ONLY trust and Validate the correct Cert. otherwise its the "Sideways Attack" like all the others

Reply to This

clez Permalink Reply by clez on June 8, 2008 at 1:11am
For a huge wireless network, don't use WPA-PSK, better max out EAP extensions under WPA2+RADIUS when the breaking times begin to shrink ;)

One drawback of WPA2 is, that a certain amount of "usual" Windows XP clients tend to have problems with WPA2/AES, possibly increasing your support costs.
So maybe you'll have to stick to AES+TKIP at first...

Reply to This

Wifi Ninja Permalink Reply by Wifi Ninja on June 9, 2008 at 1:05pm
Great point, the only thing you can find in the WPA2 support,is to know every device and all drivers. Almost impossible but a guess is that Most Newer Devices do support it and have for about 2 years now.

No 802.11b ONLY clients will support WPA2-AES
Some 802.11g clients will
802.11a dont get me started on mix use and how to loadbalance a and g but its about the same as 802.11g

Reply to This

RSS

About

pdp pdp created this Ning Network.

© 2009   Created by pdp on Ning.   Create a Ning Network!

Badges  |  Report an Issue  |  Privacy  |  Terms of Service

Sign in to chat!