Well, in a proper deployment, certificates would be marked non-exportable (which makes it incredibly difficult to export them) and additional authorization checks would be in place on the policy server to prevent that certificate from being used with a different device. For faculty and staff, you’d also layer in network-based MFA to occasionally re-validate the user.

EAP-TLS is the safest bet these days. EAP-TTLS and PEAP are far too risky, even for students and especially for faculty and staff. The added benefit of EAP-TLS is the client certificate can also be used to authenticate to web services like your SAML-based SSO provider. Very popular.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Thomas Carter <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Wednesday, July 12, 2017 at 1:20 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

Depending on the setup and purpose, the certs could be exported and shared to people/devices not intended; it may be assumed that will not happen.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Cappalli, Tim (Aruba Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I’m curious about “…certs may give a false sense of security and identity”. Can you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Thomas Carter <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Wednesday, July 12, 2017 at 11:22 AM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We use MAC address auth (using PacketFence) for this reason. On-boarding is easy (there’s even a MAC self-registration portal for devices that don’t understand the captive portal on connecting) through a captive portal, and the kids are used to captive portals at Starbucks/Target/McDonald’s already. We formerly used Bradford Networks (long story, but we had some major issues with them) using a certificate-based solution, and our opening-of-school support has gone from lines out the door of IT to almost nothing. While MAC spoofing is a thing, EAP/PEAP/certs may give a false sense of security and identity. In a past life in the corporate world we did a PEAP solution with locked-down certificates, but we tightly controlled all the endpoints as well (only corporate-owned devices allowed on the corp network).

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Tim Tyler
Sent: Tuesday, July 11, 2017 10:17 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I think this is an excellent topic that has made me wonder. Given that so many users don’t secure their RADIUS client profile, I have often thought MAC address authentication might be a better option, but it would require a convenient registration method. If someone uses a man-in-the-middle attack against a MAC address, the consequences are minimal. If someone does it against usernames and passwords, they likely will have access to their other accounts as well. If people can on-board a full PEAP with certificate lock-down solution, then it is the best. But if many of your clients are not getting the cert loaded and the client dependent on it, then it makes me wonder if MAC address authentication isn’t better in the bigger picture of things.

I am still using PEAP, but I am constantly thinking about MAC address authentication.

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jonathan Waldrep
Sent: Tuesday, July 11, 2017 9:58 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We acknowledged that many users are going to connect without using an on-boarding tool, and almost no one is going to secure their wireless profile manually. This leaves these users (on *all* platforms) open to a RADIUS impersonation attack. Given this, we require a different password for network access.

It's worth making a note of our security and business models (slightly oversimplified, but sufficient for this topic). We treat ourselves as an ISP to our users. Everyone gets online with the same level of access. Our systems are secured at the server level. Guests self-register to access the network for a limited time. All this means that getting someone's network credentials means very little. If someone were doing something especially nefarious, using someone else's credentials would make it more difficult for us to find them. However, the attacker doesn't gain access to the compromised user's financial records, email, or anything else.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Mon, Jul 10, 2017 at 8:24 PM, Mike King <[email protected]> wrote:

Marcelo,

If Windows 7 is just 4%, what is your highest percentage? Windows 10, or something else?

On Mon, Jul 10, 2017 at 5:36 PM, Marcelo Maraboli <[email protected]> wrote:

Hello David,

We did this last month and "secured" PEAP by minimizing the risk in Windows 7 clients. We used this guide and it worked very well:

http://www.defenceindepth.net/2010/05/attacking-and-securing-peap.html

We did not use "step 4" because it didn't leave the user ID in our AAA; they were all "anonymous". We also studied every operating system that connected to our Wi-Fi and found out that Windows 7 is just 4%, so we hope this problem will die on its own. Windows 10 can use PAP-TTLS, even though that is another deal.

Hope it helps.

Best regards,

On 7/10/17 3:55 PM, LaPorte, David wrote:

I was wondering if anyone has done a risk/benefit assessment of using EAP-PEAP in your environment. If so, would you be willing to share? We have a solid understanding of the security/usability tradeoffs that come with PEAP, but were hoping to not re-invent the wheel :)

Thanks,
Dave

David LaPorte
[email protected]

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341
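The thread's recurring point is that a PEAP/TTLS profile which does not validate the RADIUS server certificate will complete MSCHAPv2 against an impersonating server. The following is an added example (not from any of the posters or the tools they name) that audits wpa_supplicant network blocks for exactly that gap; the sample config, SSID, CA path and server name are constructed placeholders.

```python
# Added example: flag wpa_supplicant PEAP/TTLS blocks that trust any RADIUS
# server (no pinned CA, no server-name match). Sample config is constructed;
# the second block shows the hardened form of the first.
import re

SAMPLE_CONF = """
network={
    ssid="campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    password="hunter2"
}
network={
    ssid="campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student2"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
}
"""

def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            key, sep, val = line.strip().partition("=")
            if sep:
                kv[key] = val.strip('"')
        nets.append(kv)
    return nets

def impersonation_findings(net):
    """Findings that let a rogue RADIUS server harvest this profile's credentials."""
    if net.get("eap", "").upper() not in ("PEAP", "TTLS"):
        return []  # EAP-TLS and non-EAP blocks are out of scope here
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate chain is accepted")
    if not any(k in net for k in ("domain_match", "domain_suffix_match", "subject_match")):
        findings.append("no server-name match: any certificate from that CA is accepted")
    return findings

def audit(conf):
    """Map each block's identity to its findings; an empty list means hardened."""
    return {n.get("identity", "?"): impersonation_findings(n) for n in parse_networks(conf)}
```

Run `audit(SAMPLE_CONF)` to see the first block reported with two findings and the second with none; the same checks apply to any supplicant that exposes equivalent CA and server-name settings.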
