Jason,

There is an assumption in my answer that I forgot to mention:

One can decrypt the traffic of another user with WPA2-PSK if one knows the passphrase of that particular WPA2-PSK network. This doesn't mean that WPA2-PSK is broken, but that in a large environment where everyone knows the passphrase, the encryption key of a user can be retrieved if the first 4-way handshake of that user can be captured (think roaming between APs!).

Also, if you do WPA2-PSK rather than WPA2-enterprise ... you cannot do eduroam ;-)

Best,

Philippe

Philippe Hanset
www.eduroam.us <http://www.eduroam.us>

On Apr 18, 2013, at 10:29 PM, "Becker, Jason" wrote:

Thanks Philippe, we currently are using 802.1x and meant to just ask about the PSK.

Thanks!

From: Hanset, Philippe C
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Thursday, April 18, 2013 4:28 PM
Subject: Re: [WIRELESS-LAN] Is it possible to crack a WPA2 Enterprise network

Jason,

Your subject mentions WPA2-enterprise, and the body of your text mentions PSK.

If you move your infrastructure to WPA2-PSK, yes, if someone watches the 4-way handshake they can get the key between AP and device for all people on the WPA2-PSK network.

With WPA2-enterprise it is more complicated, since each user has a key per session and you can also change the rekeying interval. There are some papers out there showing that they can crack WPA2-enterprise, but it seems like a lot of work.

Philippe

Philippe Hanset
www.eduroam.us <http://www.eduroam.us/>

On Apr 18, 2013, at 4:22 PM, "Becker, Jason" wrote:

We planned to move to a PSK SSID but have heard that it is possible to decrypt this traffic if you have the key and watch the 4-way handshake to get the key between the AP and device.

Has anyone run into this or been able to do this?

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
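Added example (not part of the original thread): the WPA2 pairwise key derivation from IEEE 802.11i, showing why a shared passphrase gives no isolation between users while a per-session 802.1X PMK does. The SSID, passphrase, MAC addresses and nonces are constructed values, and the enterprise PMK is modeled as random bytes standing in for EAP keying material.

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes: KCK | KEK | TK). The MACs and nonces are sent
    in the clear during the 4-way handshake; the PMK is the only secret input."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def temporal_key(ptk: bytes) -> bytes:
    return ptk[32:48]  # key that encrypts the user's unicast traffic

# Constructed sample values (not from any real network).
SSID, PASSPHRASE = "ExampleCampus", "constructed-shared-passphrase"
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

def demo():
    shared_pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    # PSK: every passphrase holder computes the same PMK, so the handshake's
    # public fields are enough to reach another user's temporal key.
    user_tk = temporal_key(derive_ptk(shared_pmk, AP, STA, ANONCE, SNONCE))
    other_tk = temporal_key(derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                                       AP, STA, ANONCE, SNONCE))
    # 802.1X: the PMK comes from per-session EAP keying material (modeled as
    # random bytes), so the same public fields give an outsider nothing.
    session_pmk = os.urandom(32)
    ent_tk = temporal_key(derive_ptk(session_pmk, AP, STA, ANONCE, SNONCE))
    return user_tk == other_tk, ent_tk == other_tk

if __name__ == "__main__":
    print(demo())
```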
