In 2013, Microsoft released a report of a known security vulnerability present within Wi-Fi authentication. The authentication protocol known as PEAP-MSCHAPv2, a widely supported standard, can be exploited to gain user login information from devices which are not properly configured to connect only to trusted RADIUS servers. However, organizations can avoid this issue by configuring devices for Server Certificate Validation or replacing the PEAP-MSCHAPv2 protocol with EAP-TLS.
PEAP-MSCHAPv2 Device Misconfiguration is an Enormous Security Liability
The article describes a potential vulnerable scenario: An attacker can imitate a trusted access point from their own laptop, for instance on a college campus. A student whose device has not been configured properly for the school’s legitimate SSID will connect to the nearby imitation SSID automatically, and will attempt to auto-authenticate with the attacker’s spoofed network. In doing so it sends encrypted packets containing the user’s login information to the attacker’s computer. A well-documented weakness in PEAP-MSCHAPv2’s encryption method allows the attacker to easily decrypt the packets, thereby allowing the attacker to easily acquire the user’s login credentials.
RADIUS Server Certificate Validation
Microsoft provides recommendations to help users secure their devices, and a vital part of the defense relies on the use of server certificate validation. This protocol is active when a user attempts to connect to the network. The authenticating RADIUS server has an identified and trusted certificate issued by a public Certificate Authority or an IT department in the form of a private certificate. Server certificate validation prevents over-the-air credential theft by verifying the RADIUS server possesses the trusted certificate, which confirms that the network is legitimate and will connect the device to the network.
Failure to verify the server certificate leaves users and devices susceptible to Active Directory or LDAP credential theft via a simple Man-in-the-middle-attack. Detailed explanation from Vivek Ramachandran, a world renowned security researcher, can be seen here:
Enforce Server Certificate Validation on Every Device
The process to set up server certificate validation is device-specific and difficult for users to correctly configure on their own. Manual configuration of personal devices presents serious security risks because users tend to skip server certificate validation and accidentally trust rogue networks.
Auto-configuration tools such as JoinNow automate this process for the user and make certain that the device is configured correctly for the secure network. JoinNow correctly configures the device to check for specified certificates to verify that the device is connected to the trusted network. Certificate prompts are imperative in today’s environments when considering how often they are ignored by users, confusing to interpret, and cause serious security issues and help desk tickets if not configured properly.
Replace PEAP-MSCHAPv2 with EAP-TLS
Another option is to stop using PEAP-MSCHAPv2 and replace it with the EAP-TLS authentication protocol. This protocol allows organizations to replace credentials with certificates for network security. With EAP-TLS, the risk of over-the-air credential theft is null because no credentials are sent over-the-air. Certificates are sent through the encrypted EAP tunnel and cannot be intercepted by a MITM attack. Additionally, certificates are tied to the identity of the user and device and cannot be stolen or removed from the device.
EAP-TLS also provides a far superior end-user experience, primarily by eliminating the burdens associated with using passwords. You can eliminate password change policies that reset all network devices and require users to reconnect their many devices. In contrast, certificates are preset to expire after a chosen interval. This timeframe can be as long or short as the organization desires. Devices equipped with certificates also authenticate and connect to the network faster because there are significantly less steps to authenticate a certificate compared to credentials. Some organizations opt to ease the transition to certificate authentication by implementing SecureW2’s simultaneous support for PEAP and EAP-TLS. College of William & Mary chose to enroll all incoming students for certificate-based authentication while phasing out credentials in stages with existing users.
The JoinNow Suite, in addition to many other useful features, can properly configure security essentials, such as server certificate validation, on a wide range of BYOD platforms (Windows, Mac, iOS, Android, Linux, Kindle Fire, and more). Rather than going through a risky and difficult process of manually configuring their personal devices, users can rest assured that they are onboarding in the easiest and most secure manner possible. It also provides a world-class PKI, allowing organizations to easily deploy EAP-TLS certificate-based authentication on their campus.
SecureW2 provides affordable options for protection from credential theft. Inquire about pricing today!
Read the report from Microsoft:
More information regarding the importance of certificate validation: