802.1x BYOD security problem?

tedauction
Level 1

Hello, we currently allow BYOD users to authenticate via 802.1x using their AD username/password.

My question is regarding the following scenario:

- our users have no BYOD device on-boarding, i.e. all they have been told is to connect to the BYOD SSID and enter username/password to connect. Users receive the certificate trust warning but ignore it because, without on-boarding, they do not have our root CA public cert installed.

- an attacker sets up a spoofed wifi SSID (same name as our BYOD SSID) with their own Windows RADIUS server.

- users connect to the spoofed wifi SSID and enter username/password. Users receive the normal certificate trust warning and accept it (like they normally do). Users enter username/password and attacker now has their AD credentials.

Is this why it is critical to have an on-boarding process for BYOD device users, i.e. to install a trusted root CA public cert for our RADIUS server and to configure BYOD devices to only trust our root CA?

Accepted Solution

This problem is only showing up when using the same SSID for provisioning and BYOD-access. Yes, there this problem is real and all you could do is educate the users to only accept the "right" certificate that you documented earlier. But in fact, many users will just accept anything.

Your WLAN can still take countermeasures to not allow a rogue AP to broadcast the company-used SSID.

Another way to do it: Provision your devices on a guest-SSID that does not use 802.1x. Here the user gets authenticated on the web-portal, which can/should use a publicly trusted certificate.
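As an added illustration, not from the original post, the supplicant-side setting the question asks about, written as two wpa_supplicant network blocks. The first trusts whatever certificate the RADIUS server presents, which is the state of a device that was never on-boarded; the second pins the corporate root CA and the RADIUS server's name, so a spoofed SSID whose server cannot present a certificate chaining to that CA with that name fails the EAP-TLS handshake before any MSCHAPv2 credentials are sent inside the tunnel. The SSID, file path, server name and identity are assumed placeholder values.

```conf
# Weak: no ca_cert, so the supplicant accepts any RADIUS server certificate.
# On a desktop OS this is the "click through the warning" case; on a headless
# supplicant the credentials are simply handed to whichever server answers.
network={
    ssid="CORP-BYOD"                  # assumed SSID name
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"      # assumed AD account
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# Hardened: the on-boarded device only trusts the company root CA and only a
# server whose certificate carries the expected name. Any other certificate
# aborts the outer TLS tunnel, and the inner MSCHAPv2 exchange never happens.
network={
    ssid="CORP-BYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    password="REPLACE-ME"
    # root CA public cert installed during on-boarding (assumed path)
    ca_cert="/etc/wpa_supplicant/corp-root-ca.pem"
    # exact match on the RADIUS server's certificate name (assumed FQDN);
    # domain_suffix_match="corp.example" is the looser alternative
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The same two settings map to "Verify the server's identity by validating the certificate" plus the trusted-root and server-name fields in a Windows wireless profile, which is what an MDM or on-boarding portal pushes in practice.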
