I thought enterprise was even more fucked thanks to the horror that is MSCHAPv2 and that no one bothers to set up the PKI stuff to authenticate the APs.
In WPA-EAP the AP is not an active part of the authentication flow (it only forwards the frames) and as such does not directly authenticate itself to the client (it happens indirectly by the fact that it can forward the frames).
The configuration space of WPA-EAP is huge and most combinations are horribly insecure, but as long as you stick with one of the "tunnel everything through TLS" EAPs (EAP-TTLS or PEAP) the result is safe against passive attackers even when you don't verify server certificates (obviously you should verify the certificates, because the active attack is trivial and does not have to interact with your network).
This is the model for "Eduroam" (academics and students at various educational institutions, particularly in Europe but these days around the world, have a single network). Each device is configured with certs for their home institution, their username lets any member figure out where that home institution is, and so their password or other authentication flows only to an IdP for that institution, which under the Eduroam agreement is trusted to authenticate them at all other member institutions.
So you set up "eduroam" once on your phone, and then it works the same in a lecture theatre at Stanford, or in Nantes (France). So that's nice, and as dfox observes the AP isn't much involved, so the inevitable frailty of individual WiFi setups in less sophisticated institutions isn't a huge flaw in Eduroam or a grave risk for your home institution.
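A concrete illustration of the point made in the two comments above (a tunnelled EAP such as PEAP or EAP-TTLS only resists an active attacker when the supplicant actually verifies the RADIUS server's certificate), as an added example that is not part of the thread: two wpa_supplicant network blocks for an eduroam-style PEAP/MSCHAPv2 profile, the first accepting any server certificate, the second pinning the home institution's CA and RADIUS hostname. The realm, hostnames, CA path and credentials are placeholders.

```conf
# Constructed wpa_supplicant.conf fragments (added example, not from the thread).
# example.edu, the CA path and the credentials are placeholders.

# --- WEAK: TLS tunnel is built, but any server certificate is accepted --------
# A passive eavesdropper sees only TLS, but whoever terminates the tunnel
# (legitimate IdP or not) receives the inner MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    password="PLACEHOLDER_PASSWORD"
    phase2="auth=MSCHAPV2"
    # no ca_cert and no domain match: the server's identity is never checked
}

# --- HARDENED: pin the institution CA and the RADIUS server name --------------
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity carries only the realm; eduroam routes on that realm to
    # the home IdP, so the real username travels only inside the TLS tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="PLACEHOLDER_PASSWORD"
    phase1="peapver=0"          # PEAPv0, the widely interoperable variant
    phase2="auth=MSCHAPV2"
    # CA that issued the home institution's RADIUS certificate (placeholder path)
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    # Require the server cert's SAN dNSName (or CN) to end in this suffix.
    # If the CA also issues unrelated certificates, the name check is what
    # prevents some other valid certificate from being accepted as the IdP.
    domain_suffix_match="radius.example.edu"
}
```

Distributing the second block (or its equivalent for the platform's supplicant) over an HTTPS page, as the later comment describes, is what makes the "set it up once, works everywhere" model hold without the user having to judge certificates on each new campus.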
You can do it without MDM, just distribute via an HTTPS webpage. Most universities do this, because it is 90% BYOD or guest access (you can only be enrolled in one MDM).
So guests coming to your home would need to first download certificates in order to be able to trust your network. But they would then need to trust that certificate not to be used to MITM their own EAP servers... This doesn’t sound very user friendly. Am I missing something?