WPA-Enterprise: a survival guide

The articles "Do you have WPA Enterprise PEAP/TTLS? Then we are already inside your network" and "Pentesting WPA-Enterprise: from theory to practice" clearly demonstrate the security problems of WPA-Enterprise and paint an unflattering picture of the reality around us. But the authors mention only briefly, and without details, how to set up Wi-Fi in an organization so as to avoid the horrors they describe. I will look at connecting Active Directory (AD) domain computers to a Wi-Fi network using Network Policy Server (NPS). The article is split into two parts. Theoretical: general questions, the protocols and their vulnerabilities, attack scenarios, settings and the peculiarities of applying them. Practical: step-by-step configuration of Wi-Fi based on Active Directory and Network Policy Server.

TL;DR: WPA-Enterprise requires the mandatory use and verification of the server certificate. There is no alternative. Without the certificate, WPA-Enterprise becomes just pretty scenery in security theater. This article was written so that everyone always verifies the server certificate.

https://habr.com/ru/articles/989476/

#wifi #wpa2enterprise #mitm #peap #mschapv2 #activedirectory #network_policy_server
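The post's one rule, verify the server certificate, expressed as wpa_supplicant network blocks for a PEAP/MSCHAPv2 SSID: the weak setting beside the corrected one. This is an added example, not configuration from the Habr article; the SSID, username, CA file path and NPS hostname are placeholders.

```ini
# Constructed example: two wpa_supplicant network blocks for the same
# PEAP/MSCHAPv2 SSID. Placeholders: CorpWiFi, CORP\jdoe, corp-root-ca.pem,
# nps01.corp.example.

# WEAK: no ca_cert and no domain_match. The supplicant accepts any server
# certificate, so the TLS tunnel (and the MSCHAPv2 exchange inside it) is
# built with whoever answers to this SSID. This is the "security theater"
# case from the post. Kept disabled so it is never used.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="CORP\\jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# HARDENED: pin the CA that issued the NPS certificate and require the
# exact server name; the supplicant aborts the handshake if either check
# fails, before any MSCHAPv2 material is sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="CORP\\jdoe"
    password="placeholder-password"
    phase1="peapver=0"                          # PEAPv0, as used by NPS
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"   # issuing CA of the NPS cert
    domain_match="nps01.corp.example"           # full match on SAN dNSName/CN
}
```

Check the supplicant log after connecting: with the hardened block, a server presenting a certificate from another CA or with another name is rejected with a certificate verification error instead of completing the inner authentication.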


Ok HOW HARD CAN IT BE? 🤬

Currently trying to allow the #Windows machine I got from work (domain member, very much locked up, no local admin for me) in my private #wifi network (using 802.11x #authentication for #WPA with #freeradius and #PEAP using my own #samba based AD).

I don't strictly *need* it, the machine connects to my open guest wifi (mapped to a VLAN with access *only* to the internet), but it would be really nice being able to also access my local services while working at home.

What I tried:

- Just login (PEAP/MSCHAPv2), obviously. After lots of fiddling and reading logs (freeradius as well as windows events), I found some docs suggesting Windows doesn't support that any more unless you fiddle with something in HKLM, so, no dice, need something else...
- Allow EAP-TLS as well and issue a client certificate for my user, install that on windows. Doesn't work, the machine insists on using the machine cert from the machine store.
- Create a client cert with the UPN of my user in my home network in SAN ... same issue
- Create a client cert with the UPN of my *work* user in SAN ...
- Ok screw that, get freeradius to accept that stupid machine certificate: Allow the internal CA of my workplace and *only* the CN of exactly the machine certificate.

Now, it still won't work and I really don't get it, seeing stuff like:

(13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version
(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(13) eap_tls: ERROR: (TLS) TLS - Server : Error in SSLv3 read client hello B

It makes little sense and all fiddling with TLS options so far didn't make it work. For other clients using PEAP, it just works with both TLS1.2 and TLS1.3. WTF is going on here?

Just in time for some holiday play, #Radiator v4.27 is now out with #TLSv1.3 support in authentication (#EAP-TLS #PEAP #TTLS) and transport (#RadSec) protocols. https://blog.radiatorsoftware.com/2022/12/radiator-427-now-available.html