Is 802.1X authentication good enough for WLAN access control?

Lisa A. Phifer, Wireless Expert

I heard about a new attack on Wi-Fi presented at DEFCON this summer: ChapCrack. Should I stop using 802.1X authentication with challenge handshake authentication protocol (CHAP) passwords for enterprise WLAN authentication and access control?

Definitely don't stop using 802.1X authentication methods for WLAN users. 802.1X continues to provide the most robust and granular method of access control for enterprise WLANs and is flexible enough to be used by many authentication methods, including MS-CHAPv2 password hashes targeted by ChapCrack.

The attack presented at DEFCON applied cloud computing and a somewhat more effective cracking technique to exploit MS-CHAPv2 vulnerabilities known since 1999. Back then, MS-CHAPv2 was a popular way to authenticate point-to-point tunneling protocol (PPTP) VPN users by password. Despite its vulnerabilities, MS-CHAPv2 has continued to be used in other security protocols because password authentication is just so darn convenient. However, newer protocols such as 802.1X Protected EAP (PEAP) compensate by sending MS-CHAPv2 through a TLS-encrypted tunnel. So long as those tunnels are used correctly, attackers can't intercept MS-CHAPv2 handshakes to crack passwords, making both old CHAP crackers and the new ChapCrack irrelevant to Wi-Fi security.

However, if your WLAN currently supports Wi-Fi client password authentication via MS-CHAPv2 (e.g., PEAP/MS-CHAPv2 and EAP-TTLS/MS-CHAPv2), do make sure that all Wi-Fi clients are configured to validate the server's certificate during 802.1X login. Server cert validation has always been important to stop Wi-Fi clients from connecting to phony APs (aka "evil twins"), but ChapCrack makes that step even more important. Why? If a client connects to an evil twin, the protection afforded by the TLS tunnel is neutralized, exposing MS-CHAPv2 to the attacker. The attacker can then run either old CHAP crackers or the new ChapCrack tool to steal the Wi-Fi client's password. ChapCrack output can even be submitted to CloudCracker (for a fee) to quickly determine any password.

Ultimately, your best move is to use 802.1X authentication methods with stronger-than-password authentication -- for example, TLS (EAP-TLS) with client-side (user or machine) certificates, or EAP-SIM with the subscriber identity module (SIM) embedded in smartphones. Even aside from ChapCrack, there are many good reasons to stop using passwords for authentication -- for example, passwords can be shared among users, and many passwords are far too easy to guess. The increased risk posed by ChapCrack is just one more good reason to stop using password authentication.
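To make the two recommendations above concrete (validate the server certificate when you must keep PEAP/MS-CHAPv2, and move to certificate-based EAP-TLS where you can), here is an added example of wpa_supplicant network blocks. This is not configuration from the article or from any vendor; the SSID, identities, file paths and the RADIUS server's DNS name are assumptions chosen for illustration. The first block is shown only to make the weak setting recognizable; the second and third are the settings to deploy.

```conf
# Added example, not from the original article. SSID, identity, password,
# certificate paths and the RADIUS hostname are assumed placeholders.

# 1. WEAK: PEAP/MS-CHAPv2 with no ca_cert and no domain_suffix_match.
#    The supplicant accepts any server certificate, so an "evil twin" AP can
#    terminate the TLS tunnel and see the MS-CHAPv2 handshake. Do not deploy.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

# 2. CORRECTED: same PEAP/MS-CHAPv2 credentials, but the server certificate
#    must chain to the enterprise CA (assumed path) and carry the expected
#    RADIUS server name (assumed). anonymous_identity keeps the real
#    username inside the TLS tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@corp.example"
    password="example-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}

# 3. PREFERRED: EAP-TLS with a client certificate. No password leaves the
#    device, so old CHAP crackers and ChapCrack have nothing to work on.
#    Certificate and key paths are assumed.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="example-key-passphrase"
    domain_suffix_match="radius.corp.example"
}
```

The important difference between blocks 1 and 2 is not the credential but the two lines that pin the server's identity: `ca_cert` restricts which CA may sign the RADIUS server's certificate, and `domain_suffix_match` rejects any certificate whose name does not end in the expected domain, even one issued by the same CA. On Windows clients the equivalent settings are the PEAP properties "Verify the server's identity by validating the certificate" and "Connect to these servers", together with a trusted root CA selection; leaving them unchecked reproduces block 1.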

This was first published in November 2012
