eapol logoff spoofing

vanbon
Community Member

Hi,

Microsoft 802.1x supplicants do not send an EAPOL logoff because Microsoft does not trust logoff packets. These packets cannot be authenticated and can be easily spoofed. Microsoft states that an 802.1x authenticator should not respond to EAPOL logoff packets.

Does anyone know if Cisco switches (and access points) respond to the EAPOL logoff packets?

And can we prevent spoofing these packets in a network with Cisco 802.1x switches?

Kind Regards,

Gerard van Bon

Accepted Solutions

jafrazie
Cisco Employee

Cisco switches take action on EAPOL-Logoff frames as defined by 802.1x as the transmission of them is perfectly valid.

In wireless deployments, the failure to encrypt EAPOL may render it vulnerable to spoofing alone due to the inherent shared media type (which is why 802.1x is part of WPA and why 802.1x can use it to assume an association to any device on the media has already taken place).

In wired deployments this is not as much of a concern, since wire-tapping would then be the least common denominator (or attack vector).

So, it's dependent on the supplicant implementation.

Hope this helps.

vanbon
Community Member

Hi Jason,

Thanks for the reply. I forgot that in wireless the EAPOL logoff is encrypted (WEP).

And in a wired network I do not see it as a problem.

Regards, Gerard
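
For monitoring the behaviour discussed in this thread, the following is an added example (not part of the original posts and not Cisco or Microsoft code): it parses raw Ethernet frames, recognises EAPOL-Logoff (EtherType 0x888E, packet type 2), and reports Logoff frames whose source MAC belongs to a station whose supplicant is expected never to send one, as the question says of Microsoft supplicants. The MAC addresses, the inventory set and the sample frames are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X (EAP over LAN)
VLAN_ETHERTYPE = 0x8100   # 802.1Q tag that may precede the real EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eapol(frame: bytes):
    """Return (source MAC, EAPOL packet type name), or None if not EAPOL."""
    if len(frame) < 14:
        return None  # shorter than an Ethernet header
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == VLAN_ETHERTYPE and len(frame) >= 18:
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != EAPOL_ETHERTYPE or len(frame) < offset + 4:
        return None
    _version, ptype, _body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    return src, EAPOL_TYPES.get(ptype, f"unknown({ptype})")

def unexpected_logoffs(frames, no_logoff_macs):
    """Source MACs of EAPOL-Logoff frames from stations expected never to send one."""
    hits = []
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed and parsed[1] == "EAPOL-Logoff" and parsed[0] in no_logoff_macs:
            hits.append(parsed[0])
    return hits

# --- constructed sample data (not captured traffic) ---
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
WIN_HOST = bytes.fromhex("020000000001")    # hypothetical Windows supplicant
OTHER_HOST = bytes.fromhex("020000000002")  # hypothetical supplicant that does send Logoff

def eapol(src, ptype):
    """Build a minimal EAPOL frame (version 1, empty body) for the sample set."""
    return PAE_GROUP + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, 0)

SAMPLE_FRAMES = [
    eapol(WIN_HOST, 1),                                 # EAPOL-Start
    eapol(WIN_HOST, 2),                                 # Logoff carrying the Windows host's MAC
    eapol(OTHER_HOST, 2),                               # Logoff from a host expected to send it
    PAE_GROUP + WIN_HOST + b"\x08\x00" + b"\x00" * 20,  # IPv4 frame, ignored
    b"\x01\x80\xc2",                                    # truncated frame, ignored
]
NO_LOGOFF = {"02:00:00:00:00:01"}  # assumed inventory: supplicants that never send Logoff

if __name__ == "__main__":
    print(unexpected_logoffs(SAMPLE_FRAMES, NO_LOGOFF))
```
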