Educause Security Discussion mailing list archives

Re: Wireless WPA2 MSCHAPv2


From: Justin Azoff <JAzoff () ALBANY EDU>
Date: Tue, 31 Jul 2012 12:00:08 -0400

On Tue, Jul 31, 2012 at 11:36:46AM -0400, Steve Bohrer wrote:
> From http://science.slashdot.org/comments.pl?sid=3014645&cid=40821639 :
> "For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a
> PEAP (SSL) session. This should be safe as long as your client is
> configured to validate the server-side certificate only against CAs
> that are not likely to be compromised (i.e. a rogue cert
> generated). Preferably, one should also validate the certificate's
> subject (usually the name of the RADIUS server)."

AFAIK, if you have people spoofing your SSID and running rogue
authentication servers, any weakness in MSCHAPv2 is the least of your
problems.

I still think WPA should have been designed to require the certificate
to match the SSID, not the radius server hostname :-)


-- 
-- Justin Azoff
-- Network Security & Performance Analyst
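A concrete client-side configuration illustrating the validation the quoted Slashdot comment calls for, as an added example written for this archive page rather than code from either poster. It is a wpa_supplicant network block for WPA2-Enterprise PEAP with MSCHAPv2 as the inner method; the SSID, CA file path, RADIUS server name and credentials are placeholders. The first block shows the weak setting (no CA and no server-name check, so any certificate presented by whoever answers on that SSID is accepted); the second pins the trusted CA and requires the expected RADIUS server name.

```conf
# Added example (not from the thread): wpa_supplicant.conf for WPA2-Enterprise
# PEAP/MSCHAPv2. Every name, path and credential below is a placeholder.

# --- WEAK: no server certificate validation ---
# Without ca_cert and without a name constraint, the supplicant accepts whatever
# certificate a rogue access point / RADIUS server presents, so the inner
# MSCHAPv2 exchange runs inside a TLS session terminated by the attacker.
network={
    ssid="example-campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# --- HARDENED: trust one CA and require the expected RADIUS server name ---
network={
    ssid="example-campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # Accept only certificates that chain to this specific CA (placeholder path),
    # not the whole system trust store.
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    # Require this exact FQDN (placeholder) in the server certificate's
    # SubjectAltName dNSName entries (CN is used only if no dNSName is present).
    # This is the "validate the certificate's subject" step from the quote.
    domain_match="radius.example.edu"
}
```

`domain_match` demands a full-name match; `domain_suffix_match` is the looser variant that accepts any host under a suffix, and the older `subject_match` is a substring check on the subject DN, so prefer `domain_match` where the server name is fixed. Because the name constraint lives inside the network block for that SSID, this is the closest practical approximation of the per-SSID certificate binding the reply above wishes for, but it has to be pushed to every client; a client profile without it remains exposed regardless of how the RADIUS server is configured.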

