Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
Well, in a proper deployment, certificates would be marked non-exportable 
(which makes it incredibly difficult to export them) and additional 
authorization checks would be in place on the policy server to prevent that 
certificate from being used with a different device. For faculty and staff, 
you’d also layer in network-based MFA to occasionally re-validate the user.

EAP-TLS is the safest bet these days. EAP-TTLS and PEAP are far too risky, even 
for students and especially for faculty and staff. The added benefit of EAP-TLS 
is the client certificate can also be used to authenticate to web services like 
your SAML-based SSO provider. Very popular.

tim

RE: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Thomas Carter
Depending on the setup and purpose, the certs could be exported and shared to 
people/devices not intended; it may be assumed that will not happen.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu
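Thomas's concern here is that an issued certificate can be exported and handed to a device it was never meant for, and Tim's reply above is that the policy server should refuse a certificate that shows up from any device other than the one it was enrolled on. What follows is an added example of that policy-server check, not code from Aruba, PacketFence or any post in this thread: the server looks the presented EAP-TLS client certificate up in the record the onboarding system wrote when it issued it, and accepts only if the RADIUS Calling-Station-Id is the enrolled device. The registry, fingerprints, MAC addresses and the "Client-Cert-SHA256" attribute name are constructed for the example; Calling-Station-Id is the standard RADIUS attribute.

```python
"""Policy-server check that an EAP-TLS client certificate is accepted only from
the device it was enrolled on.  Added example: the registry, fingerprints, MAC
addresses and the 'Client-Cert-SHA256' attribute name are all constructed."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Tuple


@dataclass(frozen=True)
class Enrollment:
    """Record the onboarding system writes when it issues a client certificate."""
    user: str
    device_mac: str           # MAC the onboarding portal saw when the cert was issued
    not_after: datetime       # expiry copied from the issued certificate
    revoked: bool = False     # device reported lost, or certificate re-issued
    user_active: bool = True  # False once the user is offboarded


def normalize_mac(raw: str) -> str:
    """Calling-Station-Id arrives in whatever form the NAS vendor prefers:
    'AA-BB-CC-11-22-33', 'aa:bb:cc:11:22:33', 'aabb.cc11.2233' or bare hex.
    Reduce all of them to lowercase 'aabbcc112233' before comparing."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def authorize(request: Dict[str, str], registry: Dict[str, Enrollment],
              now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason) for one EAP-TLS Access-Request.

    'Calling-Station-Id' is the standard RADIUS attribute carrying the client
    MAC.  'Client-Cert-SHA256' is an assumed name for the fingerprint of the
    client certificate the TLS layer already validated against our CA; real
    servers expose that value under their own attribute name.
    """
    fingerprint = request.get("Client-Cert-SHA256", "").lower()
    rec = registry.get(fingerprint)
    if rec is None:
        # Chains to our CA, but was never issued through onboarding: do not
        # trust the chain alone (a mis-issued or test certificate passes TLS).
        return False, "certificate not in enrollment registry"
    if rec.revoked:
        return False, f"certificate revoked ({rec.user})"
    if not rec.user_active:
        return False, f"user {rec.user} is no longer active"
    if now >= rec.not_after:
        return False, "certificate expired"
    try:
        seen_mac = normalize_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        return False, "no usable Calling-Station-Id"
    if seen_mac != normalize_mac(rec.device_mac):
        # The exported-and-shared case from the thread: a valid certificate
        # presented by a device other than the one it was enrolled on.
        return False, f"certificate for {rec.user} presented from unenrolled device {seen_mac}"
    return True, f"{rec.user} on enrolled device {seen_mac}"


# Constructed fingerprints: hashing a label stands in for hashing the DER cert.
FP_ALICE = hashlib.sha256(b"alice-laptop-cert").hexdigest()
FP_BOB = hashlib.sha256(b"bob-phone-cert").hexdigest()
FP_CAROL = hashlib.sha256(b"carol-old-laptop-cert").hexdigest()
NOW = datetime(2017, 7, 12, tzinfo=timezone.utc)

# Constructed enrollment registry, not real data.
REGISTRY: Dict[str, Enrollment] = {
    FP_ALICE: Enrollment("alice", "aa:bb:cc:11:22:33", datetime(2018, 7, 12, tzinfo=timezone.utc)),
    FP_BOB: Enrollment("bob", "aa:bb:cc:44:55:66", datetime(2018, 7, 12, tzinfo=timezone.utc), revoked=True),
    FP_CAROL: Enrollment("carol", "aa:bb:cc:77:88:99", datetime(2017, 6, 1, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    samples = [
        {"Client-Cert-SHA256": FP_ALICE, "Calling-Station-Id": "AA-BB-CC-11-22-33"},
        {"Client-Cert-SHA256": FP_ALICE, "Calling-Station-Id": "aabb.cc44.5566"},
        {"Client-Cert-SHA256": FP_BOB, "Calling-Station-Id": "aa:bb:cc:44:55:66"},
        {"Client-Cert-SHA256": FP_CAROL, "Calling-Station-Id": "aa:bb:cc:77:88:99"},
    ]
    for req in samples:
        print(authorize(req, REGISTRY, NOW))
```

The MAC binding is only as strong as the MAC itself, which Thomas notes elsewhere in this thread can be spoofed, so it raises the bar for a copied certificate but does not replace keeping the private key non-exportable on the device. The same hook is where the occasional MFA re-validation for faculty and staff that Tim mentions would be enforced.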


Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim


RE: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Thomas Carter
We use MAC address auth (using Packetfence) for this reason. On-boarding is 
easy (there’s even a MAC self-registration portal for devices that don’t 
understand the captive portal on connecting) through a captive portal, and the 
kids are used to captive portals at Starbucks/Target/McDonalds already. We 
formerly used Bradford Networks (long story, but we had some major issues with 
them) using a certificate-based solution, and our opening-of-school support has 
gone from lines out the door of IT to almost nothing. While MAC spoofing is a 
thing, EAP/PEAP/certs may give a false sense of security and identity. In a 
past life in the corporate world we did a PEAP solution with locked-down 
certificates, but we tightly controlled all the end-points as well (only 
corporate-owned devices allowed on the corp network).

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Tyler
Sent: Tuesday, July 11, 2017 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I think this is an excellent topic that has made me wonder. Given that so many 
users don’t secure their RADIUS client profile, I have often thought MAC 
address authentication might be a better option, but it would require a 
convenient registration method. If someone uses a man-in-the-middle attack 
against a MAC address, the consequences are minimal. If someone does it 
against usernames and passwords, they likely will have access to their other 
accounts as well. If people can on-board a full PEAP with certificate lock-down 
solution, then it is the best. But if many of your clients are not 
getting the cert loaded and the client dependent on it, then it makes me wonder 
if MAC address authentication isn’t better in the bigger picture of things.
I am still using PEAP, but I am constantly thinking about MAC address 
authentication.
Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jonathan Waldrep
Sent: Tuesday, July 11, 2017 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We acknowledged that many users are going to connect without using an 
on-boarding tool, and almost no one is going to secure their wireless profile 
manually. This leaves these users (on *all* platforms) open to a RADIUS 
impersonation attack. Given this, we require a different password for network 
access.

It's worth making a note of our security and business models (slightly over 
simplified, but sufficient for this topic). We treat ourselves as an ISP to our 
users. Everyone gets online with the same level of access. Our systems are 
secured at the server level. Guests self-register to access the network for a 
limited time.

All this means that getting someone's network credentials means very little. If 
someone were doing something especially nefarious, using someone else's 
credentials would make it more difficult for us to find them. However, the 
attacker doesn't gain access to the compromised user's financial records, 
email, or anything else.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Mon, Jul 10, 2017 at 8:24 PM, Mike King wrote:
Marcelo,

If windows 7 is just 4%, what is your highest percentage?  Windows 10, or 
something else?

On Mon, Jul 10, 2017 at 5:36 PM, Marcelo Maraboli wrote:
Hello David

we did this last month and "secured" PEAP by minimizing the risk in Windows 7 
clients.

We used this guide and it worked very well.
http://www.defenceindepth.net/2010/05/attacking-and-securing-peap.html

We did not use "step 4" because it didn't leave the user ID in our AAA;
they were all "anonymous".

We also studied every operating system that connected to our WiFi and
found out that Windows 7 is just 4%, so we hope this problem will die on
its own. Windows 10 can use PAP-TTLS, even though that is another deal.

hope it helps.

best regards,

On 7/10/17 3:55 PM, LaPorte, David wrote:

I was wondering if anyone has done a risk/benefit assessment of using EAP-PEAP 
in your environment.  If so, would you be willing to share?  We have a solid 
understanding of the security/usability tradeoffs that come with PEAP, but were 
hoping to not re-invent the wheel :)

Thanks,

Dave

David LaPorte
david_lapo...@harvard.edu
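Jonathan's point that almost no one secures a wireless profile by hand, and Marcelo's lock-down of PEAP on Windows 7, both come down to whether the supplicant checks who it is talking to before it releases the MSCHAPv2 response. As an added example, not code from any post in this thread, the script below embeds three constructed wpa_supplicant.conf profiles (the PEAP profile a user ends up with by typing an SSID and password into a generic client, the locked-down one an onboarding tool would push, and an EAP-TLS one) and audits each for the settings that stop RADIUS impersonation. The SSID, server name, CA path and key paths in the profiles are placeholders.

```python
"""Audit wpa_supplicant network blocks for EAP profiles that would hand their
credentials to an impersonated RADIUS server.  Added example: the three
profiles in SAMPLE_CONF are constructed, and the SSID, server name, CA path and
key paths in them are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed wpa_supplicant.conf content, not any site's real configuration.
SAMPLE_CONF = r'''
# 1. What a user gets by typing the SSID and password into a generic client.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="network-only-password"
    phase2="auth=MSCHAPV2"
}

# 2. The locked-down profile an onboarding tool would push.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe"
    password="network-only-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
}

# 3. EAP-TLS: a client certificate instead of a password.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$')
# Any one of these pins the server name; domain_suffix_match is the older form.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
TUNNELED = {"PEAP", "TTLS"}  # methods whose inner credential is a password


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Turn each network={...} block into a dict, dropping comments and the
    quotes around string values (a '#' inside a quoted value is not handled)."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        fields = {}
        for line in body.splitlines():
            m = KV_RE.match(line.split("#", 1)[0])
            if m:
                fields[m.group(1)] = m.group(3)
        networks.append(fields)
    return networks


def audit(net: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (locked_down, findings) for one network block.

    Without ca_cert wpa_supplicant does not verify the server certificate at
    all; with ca_cert but no name match it accepts any certificate that CA ever
    signed, so a rogue RADIUS server holding such a cert still gets the
    MSCHAPv2 exchange.
    """
    if "eap" not in net:
        return True, []  # PSK/open network: no RADIUS server to impersonate
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name match: any cert from the trusted CA is accepted")
    if net["eap"].upper() in TUNNELED and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: username sent in the cleartext outer identity")
    return not findings, findings


if __name__ == "__main__":
    for i, net in enumerate(parse_networks(SAMPLE_CONF), 1):
        locked, findings = audit(net)
        print(f"profile {i} ({net.get('eap', 'psk')}): {'locked down' if locked else 'EXPOSED'}")
        for f in findings:
            print("   -", f)
```

The Windows supplicant makes the same three decisions under different names (validate the server certificate, which root CA to trust, which server names to accept), which is what a locked-down Windows 7 PEAP profile configures. Note that even the locked-down PEAP block still carries a reusable password, which is why Jonathan's separate network-only password bounds what a successful impersonation yields.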

**

Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at 

Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series APs

2017-07-12 Thread Scharloo, Gertjan
All,

We found our client / 2802i AP problem. They are all related to a memory leak 
in the 2802 AP (this problem has driven us crazy for 6 months!):

CSCve55196 COS AP not forwarding DHCP OFFER/ACK on its radio downstream
CSCvd64819 AP-COS drops downstream DHCP; kills wpcpd (reason: OOM); kernel panic
(they will be deduplicated)
CSCvd23175 2800/3800 WCPD memory leak observed

And our flash issue is fixed in:

CSCuz47559 error saving config file happens on multiple 2702

So version 8.2.154.62 will fix all our issues (and is now available for testing).

Tonight, I will activate this version for 3100 different access points, of 
which 66 are AP-COS (2802).

I hope our wireless network will become stable again after this upgrade.

Regards

Gertjan Scharloo
ICT Consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam
ICT Services
Leeuwenburg | room A9.44
Weesperzijde 190 | 1097 DZ Amsterdam
+31 (0)20 525 4885
Mobile: +31(0) 61013-5880
www.uva.nl
uva.nl/profile/g.scharloo
Available: Mon | - | Wed | Thu | Fri |

From: wireless-lan on behalf of Charles Francis
Reply-To: wireless-lan
Date: Saturday, 8 July 2017 at 22:29
To: wireless-lan
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series APs

We did have some client disconnect issues on WISM2’s and 5508’s where certain 
client traffic seemed to be blackholed. The only way to get people working 
again was to associate to a different SSID and then go back.

Once we changed our QoS from Platinum or Gold to Silver, the issues seem to 
have subsided.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Jason Watts
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Thursday, July 6, 2017 at 8:33 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [EXTERNAL] Re: [WIRELESS-LAN] Cisco 3800 Series APs


Well that is troubling. We are about to deploy around 200 of them. Is anyone 
else experiencing similar issues to this on 2802's?

-- 
Jason Watts
Pratt Institute, Academic Computing
Senior Network Administrator

On Jul 6, 2017, at 7:23 AM, Scharloo, Gertjan wrote:

Hi Bryan,

The University of Amsterdam and Amsterdam University of Applied Sciences have 
been using 2802i Access Points since December 1, 2016 to gain experience 
with this new type of Access Point (only on the 9th and 10th floors).

The access points have been problematic from the start, and there are still 
complaints from end users that we can’t solve or identify properly. The same 
users can work without problems on other floors where we have 2702i Access 
Points stationed in this property.

We are currently dealing with client disconnections on the floors/buildings 
with AP2802i. This disconnection occurs every 2-3 hours, sometimes more 
frequently. Many of our clients are affected. Another issue which is a sub-part 
of this issue is: the clients are connected but there is no traffic flow. These 
clients have laptops from different vendors, for example Dell and Apple, with 
different (updated) drivers. The users stay connected but cannot transmit any 
data.

Two months ago, we started a new software release, 8.2.154.17, and we were 
hoping to fix our client disconnect issue only with the 2802i AP, but the 
problem became worse. We have started a TAC case (severity 2).

Regards

Gertjan Scharloo
ICT Consultant
_

Universiteit van Amsterdam | Hogeschool van Amsterdam
ICT Services
Leeuwenburg | room A9.44
Weesperzijde 190 | 1097 DZ Amsterdam
+31 (0)20 525 4885
Mobile: +31(0) 61013-5880
www.uva.nl
uva.nl/profile/g.scharloo
Available: Mon | - | Wed | Thu | Fri |

From: wireless-lan on behalf of Bryan Ward
Reply-To: wireless-lan
Date: Wednesday, 5 July 2017 at 18:07
To: wireless-lan
Subject: [WIRELESS-LAN] Cisco 3800 Series APs

Couldn’t find a recent discussion on the list archives, so I’ll ask my question.

For those of you that have Cisco 3800 series APs in production, how have they 
been working for you recently?

We currently purchase 3700 series APs as our standard for new installs and 
replacement of our 3500 series APs, but are now considering switching to the 
3800 series.

I heard there were a lot of issues with them at first, but was wondering if 
they’re still troublesome now that they’ve been out in the wild for some time.

Also, does