
Is WPA-Enterprise and PEAP secure when using shared username and password?


ndrp

Occasional Visitor
I have been using WPA-Personal PSK. The SSID and pre-shared key are the same, so connecting to the network is easy. I know that in this way clients can connect to rogue access points, and other users can decrypt data if they capture packets when a client is connecting to the access point.

I'm planning to use two SSIDs. One is open and one using PEAP.

If I use PEAP and the SSID, username and password are the same, is the network secure? Can users decrypt each other's traffic?
 
WPA2-PSK (or Enterprise) encrypts each client's wireless link...

At the 100,000 foot view - If Alice and Bob are on the same BSS, and have a shared key, Alice cannot capture Bob's packets and decrypt them.

So as long as you have a good passphrase, you're good to go...
 
WPA2-PSK (or Enterprise) encrypts each client's wireless link...

At the 100,000 foot view - If Alice and Bob are on the same BSS, and have a shared key, Alice cannot capture Bob's packets and decrypt them.

So as long as you have a good passphrase, you're good to go...

I mean that the passphrase is known to everybody. Alice and Bob know the key, and they can capture each other's packets and decrypt them. I have not tried that myself, but it can be done with Wireshark.
https://wiki.wireshark.org/HowToDecrypt802.11
http://www.lovemytool.com/blog/2010...ypt-sample-capture-file-by-joke-snelders.html

That Wireshark wiki says:
WPA/WPA2 Enterprise/Rekeys
As long as you can somehow extract the PMK from either the client or the Radius Server and configure the key (as PSK) all supported Wireshark versions will decode the traffic just fine up to the first eapol rekey.
Eapol rekey is often enabled for WPA/WPA2 enterprise and will change the used encryption key similar to the procedure for the initial connect, but it can also be configured and used for pre-shared (personal) mode. Wireshark 2.x (RC versions should work) is needed if you want decode packets after a rekey.


If I'm using WPA2-Enterprise (PEAP) and the username and password are known to everybody, can Alice discover Bob's PMK and decrypt traffic?
 
If I'm using WPA2-Enterprise (PEAP) and the username and password are known to everybody, can Alice discover Bob's PMK and decrypt traffic?

As long as Alice and Bob have unique accounts on the authentication server, Alice will not be able to decrypt Bob's packets with WPA2-Enterprise.

The comment about rekeying the EAPOL key is relevant, as most consumer APs will roll the keys on a periodic basis as a default.

In any event, the PMK is the key concern (pardon the pun) with WPA2-PSK, so it's important to protect it.

Keep in mind that PEAP support is spotty with native OS supplicants. Windows is a good example, as the native implementation only supports MS-CHAPv2, which has been totally broken.

Might consider using EAP-TLS as an alternative... even though it's a pain with the certs...
 
As long as Alice and Bob have unique accounts on the authentication server, Alice will not be able to decrypt Bob's packets with WPA2-Enterprise.

In my case Alice and Bob are using the same account on the authentication server. So can they get the same PMK, or is the PMK always different?

What I'm trying to have is a secure alternative to an open network by using the account guest/guest.


Keep in mind that PEAP support is spotty with native OS supplicants. Windows is a good example, as the native implementation only supports MS-CHAPv2, which has been totally broken.

Does this matter if there is no access to the wired network, so nobody can capture MS-CHAPv2 packets?
 
Maybe take a quick step back... what exactly are you trying to do?

WPA2-PSK (Personal) - there are only two users - those with the PSK, and those who don't - those with the PSK get access, those who don't get denied - there are no user accounts associated with WPA2-PSK

WPA2-Enterprise assumes that there is an authentication center with User Accounts - each usually having a user name and some type of password that is associated with a trusted source (LDAP, etc...)

Basically, one doesn't want a guest to authenticate against an AC - either they're trusted or they are not, and if they're not trusted, normally they'll get a treatment at the 802.1x layer - e.g. untrusted access is either denied, or is shunted off to a VLAN at 802 layer...

This is what happens with Guest Networks on consumer grade gear, even with WPA2-PSK or Open - the guest SSID denies access to the trusted part of the network.

So either you trust or you don't...

With a Guest Network, push them off to a Guest SSID, use WPA2-PSK, enable AP isolation, and a short rekey interval - say 600 seconds - this is my preferred way to handle guests on consumer grade gear, and is a better approach than open wifi with a captive portal...
 
What I want is this (two SSIDs):

1) wifi_open - open wifi with no security, no captive portal
2) wifi_secure - WPA2-Enterprise security, account guest/guest

2) is for those who want a secure connection. I'm not sure if network 2) is secure because everyone is using the same username and password. I would like to know if it is secure or not.

My first choice for the wifi_secure network was WPA2-PSK (passphrase guest), but because WPA2-PSK is not secure it cannot be used.

wifi_open guarantees that everybody can access the network. There are devices that don't support WPA2-Enterprise.

With a Guest Network, push them off to a Guest SSID, use WPA2-PSK, enable AP isolation, and a short rekey interval - say 600 seconds - this is my preferred way to handle guests on consumer grade gear, and is a better approach than open wifi with a captive portal...

This is a semi-secure way. Alice can decrypt Bob's packets. I don't know what happens after rekeying. If it happens similarly to the procedure for the initial connect, I could imagine that it is not impossible to find the new key.

There is no way to prevent clients connecting to rogue access points if rogue access points use the wifi_secure SSID and the guest passphrase.
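The point argued across these posts (with a shared PSK every station holds the same PMK, and the 4-way handshake that turns it into a per-station key is sent in the clear, so Alice can compute Bob's key, and equally the fresh key after a rekey), as an added example that is not part of the thread. It implements the IEEE 802.11 PMK (PBKDF2) and PTK (PRF-384) derivations; the MAC addresses and nonces are constructed, `wifi_secure`/`guest` come from the thread, and the per-session Enterprise PMK is modelled as a random value because in PEAP it comes from the TLS tunnel keys rather than from the shared credentials.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. MACs and nonces below are constructed.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """CCMP PTK (384 bits) from the PMK and the four values sent in the clear in the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

# Constructed handshake parameters: Bob's station associating to the AP.
AP_MAC = bytes.fromhex("02000000aa01")
BOB_MAC = bytes.fromhex("02000000bb02")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

def personal_keys(passphrase: str = "guest", ssid: str = "wifi_secure") -> tuple:
    """Shared PSK: Bob's traffic key next to the one Alice derives from the same public handshake."""
    pmk = derive_pmk(passphrase, ssid)  # identical for every station on the SSID
    bob_tk = derive_ptk(pmk, AP_MAC, BOB_MAC, ANONCE, SNONCE)["TK"]
    # Alice knows the passphrase and observed both MACs and both nonces in the clear;
    # a rekey only changes the nonces, which she observes again.
    alice_view = derive_ptk(derive_pmk(passphrase, ssid), AP_MAC, BOB_MAC, ANONCE, SNONCE)["TK"]
    return bob_tk, alice_view

def enterprise_keys() -> tuple:
    """Enterprise: each session's PMK is the EAP master key from its own PEAP TLS tunnel,
    modelled here as a fresh random value. Alice's own PMK tells her nothing about Bob's."""
    bob_pmk, alice_pmk = os.urandom(32), os.urandom(32)
    bob_tk = derive_ptk(bob_pmk, AP_MAC, BOB_MAC, ANONCE, SNONCE)["TK"]
    alice_attempt = derive_ptk(alice_pmk, AP_MAC, BOB_MAC, ANONCE, SNONCE)["TK"]
    return bob_tk, alice_attempt
```

The PBKDF2 step is the one Wireshark performs when given a passphrase and SSID; the PRF step is what it performs for each captured handshake.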
 
What I want is this:

1) wifi_open - open wifi with no security
2) wifi_secure - WPA2-Enterprise security, account guest/guest

2) is for those who want a secure connection. I'm not sure if network 2) is secure because everyone is using the same username and password. I would like to know if it is secure or not.

You'll need more than just the AP settings - you'll need to set up account based policies on the 802.1x/802.3 layer for Portbased Network Access Control - if you set up a Radius Server and the appropriate policies, something like this can be done, but that's outside of the AP's scope.

In any event, with WPA2-Enterprise, you don't want to share accounts across different users (e.g. Alice and Bob having the exactly same credentials)...

My first choice for the wifi_secure network was WPA2-PSK (passphrase guest), but because WPA2-PSK is not secure it cannot be used.

Why can it not be? WPA2-PSK is more than secure enough for 99 percent of the SOHO market - it's not secure enough perhaps for the enterprise...

wifi_open guarantees that everybody can access the network.

Which goes back to that issue I raised earlier about trust in general...

There are devices that don't support WPA2-Enterprise.

There are devices that don't even support WPA2 in general... but if you deploy WPA2-Enterprise, then any device that attempts to connect to that SSID MUST support WPA2-Enterprise, otherwise they will fail...

In any event, you'd have to deploy an AP that supports multiple SSIDs - one for Open, one for WPA2-PSK, and one for WPA2-Enterprise.

On top of that, an authentication center (e.g. RADIUS or similar), define policies for the accounts, and a base level of auth for Enterprise at the 802.1x layer - e.g. how to configure the supplicants (PEAP-MSCHAPv2, EAP-TLS, etc..)

This is a semi-secure way. Alice can decrypt Bob's packets. I don't know what happens after rekeying. If it happens similarly to the procedure for the initial connect, I could imagine that it is not impossible to find the new key.

That's why it is always important to protect access information in general - WPA2-Enterprise assumes that there is a trust relationship between you, Alice, and Bob - properly done, Alice can't decrypt Bob's packets in a WPA2-Enterprise config...

Another way of looking at it though - Alice has two machines - laptop and tablet, she can use both, and with WPA2-Enterprise, both machines and the 802.11 frames are secure from each other.

There is no way to prevent clients connecting to rogue access points if rogue access points use the wifi_secure SSID and the guest passphrase.

Actually there is - with port based network access control, the rogue AP can't attach to the LAN, period... assuming of course you've properly deployed 802.1x with a Layer 3 managed switch - and then you'd still have a fair amount of flexibility with rules and policies..
 
I installed FreeRADIUS and tested the guest/guest account from a Windows laptop. I don't want to maintain a separate server, so I will buy an access point which supports a RADIUS server, like the ZyXEL NWA3160.

Another way of looking at it though - Alice has two machines - laptop and tablet, she can use both, and with WPA2-Enterprise, both machines and the 802.11 frames are secure from each other.

This was the information that I needed. So SSID wifi_secure with WPA2-Enterprise security and the account guest/guest it will be. That's the only account. It's all about encrypting the traffic in the air. Like an open wireless network that uses encryption.

All users are trusted and treated equally. Users can choose either wifi_open or wifi_secure.
 
