687 Views, 0 Helpful, 2 Replies

Wifi with Radius authentication - security dilemma

llitteamll
Level 1

Hello all!

We just had a discussion in our team and we are concerned about our security posture with wifi design.

To summarize,

We have Cisco access points streaming “corporate” SSID around the offices.

This is an open wifi network with radius authentication which is forwarded to a radius server with a certificate.

Employees need to be in a wifi group in radius server in order to be able to authenticate to the network.

Employees are using this network with their credentials to authenticate and access corporate network.

 

With having this in mind, one of our colleagues presented this scenario;

An attacker could create a malicious “corporate” SSID with a malicious radius server, sit down in one nearby cafeteria and wait until one of our users connects their machine to the fake network. The user will be prompted for radius username and password and this information will be captured by the attacker. The attacker will authenticate the user with any radius credentials and proxy it to the internet.

User will not notice any difference in authentication between the legit “corporate” network and a malicious one.

 

Can you confirm this would be the case and, if so, whether this would be a security risk for us, or are there additional security layers we have missed here?

 

Can credentials be sent unencrypted in the attacker scenario? Would he really end up with cleartext passwords? Or would he end up with hashed credentials in his malicious radius database?

 

Also, we are not using certificates yet and looking to implement them on our corporate machines, would this be sufficient with current radius auth to prevent the above scenario, in case we are exposed?

Ultimately, what additional steps or security layers would you be able to suggest?

2 Replies

Sandeep Choudhary
VIP Alumni

It can be.

 

I would recommend to use certificate based authentication, meaning use EAP-TLS instead of PEAP.

 

Regards

Don't forget to rate helpful posts

patoberli
VIP Alumni
Use WPA2-Enterprise with PEAP MS-CHAPv2 if you want to go the username/password road. Then make sure that the RADIUS server is using a correctly signed certificate for the PEAP connection and define that in the group policy, including the server name, for the SSID configuration.
Of course, you need to train your users to never click on Accept if a new certificate is shown by the OS for the connection.
Not perfect at all. Now if you have fully managed devices and no mobile phones and such (although it's also possible to use them), better do EAP-TLS.
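As an added illustration of the two replies above (not part of this thread, and not a Cisco or Windows group policy configuration): three wpa_supplicant network blocks for a hypothetical "corporate" SSID. The first is the weak form, where the client never verifies which RADIUS server terminates the PEAP tunnel; the second pins PEAP/MS-CHAPv2 to the server's CA and name, which is the group-policy setting patoberli describes; the third is the EAP-TLS form Sandeep recommends. The CA bundle path, the server name radius.example.com, the identity and the client certificate file names are assumptions.

```conf
# --- WEAK: no server validation -------------------------------------------
# With no ca_cert and no domain_match, the supplicant builds the PEAP/TLS
# tunnel to whichever RADIUS server the access point hands it. A rogue AP
# with its own RADIUS server therefore receives the inner MS-CHAPv2
# challenge/response for "jdoe". That is not the plaintext password, but
# it is material an attacker can attack offline, so it must be treated as
# a credential leak.
network={
    ssid="corporate"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="<user password>"
    phase2="auth=MSCHAPV2"
}

# --- HARDENED PEAP: certificate and server-name pinning -------------------
# ca_cert      : only trust the CA that issued the corporate RADIUS
#                certificate, not every CA in the OS store.
# domain_match : the certificate's subject/SAN must be exactly this name,
#                so a validly issued certificate for another host is refused.
# anonymous_identity : keep the real username out of the outer, unencrypted
#                EAP identity exchange.
# phase1="peapver=0" assumed as the common interoperable PEAP version.
network={
    ssid="corporate"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="jdoe"
    password="<user password>"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# --- EAP-TLS: no password on the air at all -------------------------------
# The client proves identity with a certificate and private key, so a rogue
# RADIUS server collects no reusable credential. The same ca_cert and
# domain_match pinning still applies to the server side of the handshake.
network={
    ssid="corporate"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/certs/jdoe.crt"
    private_key="/etc/wpa_supplicant/certs/jdoe.key"
    private_key_passwd="<key passphrase>"
}
```

On a managed fleet the second and third blocks are what the group policy or MDM profile should push, with the user-facing "accept new certificate" prompt disabled so that a mismatch fails the connection instead of asking the user. A quick check for the posture the original question describes is to look at the deployed profile for exactly these two fields: if the server CA is not restricted and no server name is enforced, the client will accept any RADIUS server presenting any certificate.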