How secure is your WPA2-Enterprise WLAN?
If you let your clients control their supplicant, you have NO control...
When you deploy your WLAN, the 802.11n/ac amendments leave you effectively three security modes you can support and still be granted Wi-Fi Alliance certification: Open, WPA2-Personal (PSK) and WPA2-Enterprise (802.1X/EAP); WEP and WPA/TKIP are not certified at 802.11n/ac rates.
When possible, use WPA2-Enterprise on every device that can support it, fall back to PSK only as a last resort, and use Open only for "guest" networks (although we are seeing a trend toward PSK or other options for guest networks as well).
Once you have decided to leverage WPA2-Enterprise, you have a few choices of EAP method. Windows clients (as well as macOS and most Linux distributions) support PEAP with MS-CHAPv2 as the inner method, and EAP-TLS, out of the box. It is estimated that 85% of deployments are PEAP/MS-CHAPv2, with the majority of the remainder EAP-TLS. (There are other methods, such as EAP-FAST and EAP-GTC, but they make up a very small share of real-world deployments.)
So why does any customer choose to deploy PEAP/MS-CHAPv2?
Because it is the easiest to deploy: it only requires a certificate on the RADIUS server. EAP-TLS requires a certificate on every client as well as on the RADIUS server, so PEAP/MS-CHAPv2 is the simplest path (and, if deployed properly, it protects the credential exchange on par with EAP-TLS).
The big caveat in that last statement is “if deployed properly”.
To protect the username/password exchange, PEAP first builds a TLS tunnel (think of an HTTPS session) between the client's supplicant and the RADIUS server; the AP/WLC only relays the EAP frames and never sees the inner credentials. The MS-CHAPv2 exchange then runs inside that tunnel, so its safety depends entirely on the supplicant checking who is at the far end of the tunnel. There is a checkbox in the client ("Validate server certificate", now worded "Verify the server's identity by validating the certificate" in Windows) that, when cleared, effectively wipes out any security gain, and today we still find deployed networks without server certificate validation.
With that box unchecked the supplicant is essentially saying "exchange my credentials with any server, regardless of its name, its certificate signer or any other validation". If this sounds like a bad, bad idea, you are correct! Note that ticking the box is only half the fix: unless the profile also pins the trusted root CA and the expected server name, a certificate issued by any CA in the client's trust store, for any name, will be accepted. Now here is why this matters.
Any attacker can then build, for the cost of a Raspberry Pi (approximately $30), a Kali Linux box running hostapd-wpe (Wireless Pwnage Edition, a patched hostapd that acts as a rogue AP with its own built-in RADIUS server) and collect your credentials. They simply advertise your corporate ESSID from the Raspberry Pi and harvest the authentication exchange from every client that does not perform certificate validation; they never need to touch your real infrastructure. There is even a DD-WRT build that runs on Linksys routers/APs...
What they collect are MS-CHAPv2 challenge/response pairs rather than plaintext passwords, but MS-CHAPv2 is weak: the response is derived from the user's NT hash with DES keys that can be searched exhaustively, so services like "CloudCracker" will recover the password behind any captured exchange for $100 (generally in less than 24 hours), and an offline dictionary attack with standard cracking tools often finishes far sooner. Worse, recovering the NT hash alone is enough to authenticate as that user over MS-CHAPv2, so the attacker does not even need the plaintext password.
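The checkbox and the pinning caveat above can be audited at scale, because Windows exports every WLAN profile as XML (`netsh wlan export profile`). The script below is an added example written for this post, not Optiv tooling or Microsoft code: it reads an exported profile, identifies PEAP (EAP type 25) and flags the three weaknesses discussed, server validation disabled, no trusted root CA pinned, and no server name restriction. The profile name `Corp-WiFi`, the `make_profile` helper and its abbreviated XML are constructed for the example; the element names follow the `EapHostConfig`/`MsPeapConnectionProperties` schema as seen in netsh exports and should be confirmed against a real export before relying on the script.

```python
"""Audit exported Windows WLAN profiles for PEAP server-validation weaknesses.

Export a profile with:  netsh wlan export profile name="Corp-WiFi" folder=C:\\profiles
(no key material is needed, so key=clear is not required). The three checks map
to the PEAP properties dialog: "Verify the server's identity by validating the
certificate", "Trusted Root Certification Authorities" and "Connect to these
servers". Assumption: element names follow the EapHostConfig / MsPeapConnection
Properties schema seen in netsh exports; confirm against a real export.
"""
import sys
import xml.etree.ElementTree as ET


def make_profile(perform_validation, server_names="", root_ca_thumbprint=None):
    """Constructed, abbreviated PEAP/MS-CHAPv2 profile for testing (not a real
    export). Real exports carry more elements; only those the audit reads are kept."""
    root_ca = (f"<TrustedRootCA>{root_ca_thumbprint}</TrustedRootCA>"
               if root_ca_thumbprint else "")
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-WiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation><ServerNames>{server_names}</ServerNames>{root_ca}</ServerValidation>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
          <PeapExtensions><PerformServerValidation
            xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{str(perform_validation).lower()}</PerformServerValidation></PeapExtensions>
        </EapType>
      </Eap></Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]        # strip the {namespace} prefix ET adds


def _texts(root, name):
    """Text of every element with this local name, in document order."""
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]


def audit_profile(xml_text):
    """Return {'profile', 'peap', 'findings'}; an empty findings list means the
    profile validates the RADIUS server certificate and pins CA and server name."""
    root = ET.fromstring(xml_text)
    profile = next((c.text for c in root if _local(c.tag) == "name"), "?")
    if "25" not in set(_texts(root, "Type")):        # 25 = PEAP, 13 = EAP-TLS
        return {"profile": profile, "peap": False, "findings": []}
    findings = []
    perform = _texts(root, "PerformServerValidation")
    if not perform or perform[0].lower() != "true":
        # The "validate server certificate" box is cleared: the supplicant will
        # hand its credentials to any AP announcing this SSID; other checks are moot.
        findings.append(("high", "server certificate validation is disabled"))
        return {"profile": profile, "peap": True, "findings": findings}
    if not any(_texts(root, "TrustedRootCA")):
        findings.append(("medium", "no trusted root CA pinned: any CA in the "
                         "machine store, public CAs included, is accepted"))
    if not any(_texts(root, "ServerNames")):
        findings.append(("medium", "no server name restriction: a valid "
                         "certificate for any name is accepted"))
    return {"profile": profile, "peap": True, "findings": findings}


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig") as fh:   # netsh exports may carry a BOM
            result = audit_profile(fh.read())
            for severity, message in result["findings"]:
                print(f'{result["profile"]}: [{severity}] {message}')
```

Run it over a folder of exports (`python audit_peap.py C:\profiles\*.xml`) and anything reported as "high" is a client that will hand its domain credentials to the rogue AP described above; the "medium" findings are profiles that pass the checkbox test but still accept a publicly issued certificate presented by an attacker.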
So how do you resolve this?