Wireless 802.1X Fun Times

Started by deanwebb, July 09, 2015, 11:39:51 PM


deanwebb

OK, so I was exaggerating. It *is* weaker than EAP-TLS, and I really consider EAP-TLS to be the only security worth doing on a wireless network that you want to keep secure.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

I agree, there's no other method that can revoke a client, or authenticate the client

SimonV

Quote from: wintermute000 on October 06, 2015, 09:09:24 PM
I agree, there's no other method that can revoke a client, or authenticate the client

If you're using PEAP with AD-based policies on the NPS/ACS you can just disable the user or computer account, no?

wintermute000

Poor phrasing, I meant a client device.


protip: EAP-TLS documentation is.... horrific, at least for my levels of google-fu. Compared to reading about routing protocols, the info is all over the place, often ambiguously referencing MS screenshots. Took me half an hour to come to the conclusion that yes, you CAN auth BOTH machine and user certs. However, I can't find the answer to this: can you combine user/pass with a machine cert? Or is that PEAP (user/pass) with EAP-TLS (machine cert) chaining? Or just f--k it and join the queue of people asking our overworked resident wireless guru stupid questions?

deanwebb

Both user and machine can be used, but the 802.1X policy must be written to specify each choice. The certs can be ones that one must first sign into - which involves a local machine logon - but no connection to the wireless will be permitted until that user has signed on to his/her certificate. This wouldn't be cert chaining, but instead requiring that a cert not be offered up until the cert store is active and logged into.

Our firm wants to have wireless come up as the device boots, so we reference a non-interactive cert in our 802.1X wireless logon. However, our VPN requires a cert that involves a logon to the local cert store to activate.

wintermute000

Thanks. I know the difference between user and machine, but do you have any links re which certs you need to sign into and which don't? Is it that machine doesn't require sign-in?

deanwebb

Both kinds can be ones that don't have a sign-in. If a cert is used for signing documents or secure emails, it is set to require a user sign-in to activate the cert store, and then possibly a second (redundant) sign-in to activate the cert at the time of usage.

Signing cert description: http://www.entrust.com/pdf-signing-certificates/