We acknowledged that many users are going to connect without using an on-boarding tool, and almost no one is going to secure their wireless profile manually. This leaves these users (on *all* platforms) open to a RADIUS impersonation attack. Given this, we require a different password for network access.
It's worth making a note of our security and business models (slightly oversimplified, but sufficient for this topic). We treat ourselves as an ISP to our users. Everyone gets online with the same level of access. Our systems are secured at the server level. Guests self-register to access the network for a limited time. All this means that getting someone's network credentials means very little. If someone were doing something especially nefarious, using someone else's credentials would make it more difficult for us to find them. However, the attacker doesn't gain access to the compromised user's financial records, email, or anything else.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Mon, Jul 10, 2017 at 8:24 PM, Mike King <[email protected]> wrote:

> Marcelo,
>
> If Windows 7 is just 4%, what is your highest percentage? Windows 10, or something else?
>
> On Mon, Jul 10, 2017 at 5:36 PM, Marcelo Maraboli <[email protected]> wrote:
>
>> Hello David
>>
>> We did this last month and "secured" PEAP by minimizing the risk in Windows 7 clients.
>>
>> We used this guide and it worked very well.
>> http://www.defenceindepth.net/2010/05/attacking-and-securing-peap.html
>>
>> We did not use "step 4" because it didn't leave the user ID in our AAA, they were all "anonymous".
>>
>> We also studied every operating system that connected to our WIFI and found out that Windows-7 is just 4%, so we hope this problem will die on its own. Windows 10 can use PAP-TTLS, even though that is another deal.
>>
>> Hope it helps.
>>
>> Best regards,
>>
>> On 7/10/17 3:55 PM, LaPorte, David wrote:
>>
>> I was wondering if anyone has done a risk/benefit assessment of using EAP-PEAP in your environment. If so, would you be willing to share? We have a solid understanding of the security/usability tradeoffs that come with PEAP, but were hoping to not re-invent the wheel :)
>>
>> Thanks,
>> Dave
>>
>> David [email protected]
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
>>
>> --
>> *Marcelo Maraboli Rosselott*
>> Deputy Director of Networks and Security
>> Directorate of Informatics
>> Pontificia Universidad Católica de Chile
>> http://informatica.uc.cl/
>> --
>> Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
>> Santiago, Chile
>> Telephone: (56) 22354 1341
