In addition, if you are using WPA2-Enterprise, you need to decrypt the AES 
encrypted stream before you get to PEAP (You should not be using TKIP). 

Just because MS-CHAPv2 VPNs are broken does not mean that WPA2-Enterprise is 
broken.

Bruce Osborne
Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-----Original Message-----
From: Christopher Wieringa [mailto:cwier...@calvin.edu] 
Sent: Wednesday, August 01, 2012 8:56 AM
Subject: Re: MS-CHAPv2 cracks for WPA2-Enterprise?

It is possible to do WPA2-Enterprise with only EAP-MSCHAPv2 authentication, and 
this is what would be considered completely vulnerable now.  Don't do this 
anymore if you are doing it.  

AFAIK, if you are using WPA2-Enterprise with PEAP/EAP-MSCHAPv2 you should still 
be fine.  While you could break the EAP-MSCHAPv2 authentication, you can only 
do it if you can decrypt the PEAP tunnel.  The PEAP tunnel is a TLS tunnel; so 
it is important to make sure wireless clients specify which certificate 
authorities they trust for the PEAP tunnel and verify the presented server's 
certificate.  At that point you can be reasonably sure that your traffic is not 
being intercepted and decrypted with a fake certificate and that your 
EAP-MSCHAPv2 conversation has not been intercepted.

Chris Wieringa

>>> On 7/30/2012 at 5:19 PM, Kees Pronk <cl.pr...@avans.nl> wrote:
> Hi Steve,
> 
> In the answers on mentioned article the comment by Yuhong "This only 
> affects WPA-Enterprise with PEAP-MSCHAPv2, and can be stopped by 
> verifying the certificate"
> is imho correct. But I will keep a close watch on the several Wi-Fi 
> blogs to make sure.
> See also chapter 4 page 132 of the CWSP official study guide (highly 
> recommended).
> 
> BR, Kees Pronk
> 
> 
> Network admin & engineer
>
> Avans Hogeschool
> Diensteenheid ICT en Facilitaire Dienst (DIF) - ICT-Beheer
>
> Visiting address:
> Hogeschoollaan 1, Room HG204
> 4818 CR  Breda
>
> Postal address:
> P.O. Box 90116
> 4800 RA Breda
>  
> E: cl.pr...@avans.nl
> T: 076-5238054
> 
> 
>>>> Steve Bohrer <skboh...@simons-rock.edu> 7/30/2012 10:45  >>>
> I'm hoping that people with crypto-clue can comment on the
> recently introduced ChapCrack tool with respect to 802.1x
> WPA2-Enterprise wifi using PEAP/MS-CHAPv2. So far all I've found is
> "magazine level" references, e.g.:
>    
> http://news.cnet.com/8301-1009_3-57481855-83/tools-boast-easy-cracking-of-microsoft-crypto-for-businesses/
> 
> The vulnerabilities seem to be with MS-CHAPv2 on Microsoft's PPTP 
> VPNs, but the articles also mention WPA2-Enterprise wireless. Do these 
> tools work against PEAP/MS-CHAPv2 as well as against PPTP 
> implementations? (That is, I don't really know how PEAP is
> similar/dissimilar to PPTP.)
> 
> As it happens, until very recently we were using TTLS/PAP for our 
> 802.1x authentication, but it is a pain for users to initially
> connect: On Windows, they have to install the SecureW2 supplicant, and 
> Mac/iPhone/iEtc devices need to install a custom wireless config file 
> (or, on older Macs, specify the 802.1x configuration manually).
> 
> We've just added support for PEAP/MS-CHAP, which is much easier for 
> users in that it pretty much "just works": you enter your username and 
> password, and accept our RADIUS server's certificate, and you are on.
> 
> It would be a drag if we just swapped to a much more vulnerable 
> protocol. Thanks for any clarifications you can offer.
> 
> Steve Bohrer
> Network Admin
> Bard College at Simon's Rock
> 413-528-7645  
> 
> **********
> Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



--
Chris Wieringa
cwier...@calvin.edu
Sr. Systems Engineer
Calvin Information Technology 
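
Added example, not part of the original thread: a small Python audit of a wpa_supplicant configuration for the three conditions the messages above raise (bare EAP-MSCHAPv2 without a TLS tunnel, a PEAP/TTLS tunnel whose server certificate is not validated, and TKIP). The sample configuration, SSIDs, file path and server name are constructed; the key names are standard wpa_supplicant network-block fields.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, path and server name are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="campus-no-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus-bare"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=MSCHAPV2
}
'''
# Any one of these ties the tunnel to the expected RADIUS server name.
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def audit(conf):
    """Return {ssid: [findings]} for every network block in the config text."""
    report = {}
    for block in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        kv = {}
        for line in block.splitlines():
            k, sep, v = line.strip().partition("=")  # split on the first '=' only
            if sep and not k.startswith("#"):
                kv[k.strip()] = v.strip().strip('"')
        methods = kv.get("eap", "").upper().split()
        findings = []
        if "MSCHAPV2" in methods:  # outer method is MS-CHAPv2 itself
            findings.append("bare EAP-MSCHAPv2, no TLS tunnel")
        if {"PEAP", "TTLS"} & set(methods):
            if not (kv.get("ca_cert") or kv.get("ca_path")):
                findings.append("no trusted CA configured for the tunnel")
            if not any(kv.get(n) for n in NAME_KEYS):
                findings.append("server certificate name not checked")
        if "TKIP" in kv.get("pairwise", "").upper().split():
            findings.append("TKIP allowed as pairwise cipher")
        report[kv.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns an empty finding list for a block that is configured as the thread recommends; TKIP is flagged only when a `pairwise` line lists it explicitly.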
