Educause Security Discussion mailing list archives
Re: Wireless WPA2 MSCHAPv2
From: Justin Azoff <JAzoff () ALBANY EDU>
Date: Tue, 31 Jul 2012 12:00:08 -0400
On Tue, Jul 31, 2012 at 11:36:46AM -0400, Steve Bohrer wrote:
From http://science.slashdot.org/comments.pl?sid=3014645&cid=40821639 : "For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rogue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server)."
AFAIK, if you have people spoofing your SSID and running rogue authentication servers any weakness in MSCHAPv2 is the least of your problems..

I still think WPA should have been designed to require the certificate to match the SSID, not the radius server hostname :-)

--
-- Justin Azoff
-- Network Security & Performance Analyst