Wireless LAN Security with 802.1x, EAP-TLS, and PEAP - Black Hat

More documents

Recommendations

Info

Windows PEAP authentication First phase �� Supplicant sends machine credentials to authenticator over previously-established TLS channel �� Authenticator checks validity by contacting authentication server (RADIUS) �� Authentication server contacts directory to verify credentials
Windows PEAP authentication First phase �� If valid, RADIUS generates WEP key �� Authenticator delivers key to supplicant and transitions controlled port status to permit supplicant access to LAN (to resources allowed access through machine account only) �� Computer logs on to domain
Page 1 and 2: Wireless LAN Security with 802.1x,
Page 3 and 4: Wired equivalent privacy
Page 5 and 6: Common attacks Bit-flipping (encryp
Page 7 and 8: More IV problems Say an AP constant
Page 9 and 10: Classes of attacks Authentication f
Page 11 and 12: WEP suckage Same key reused over an
Page 13 and 14: 802.1x
Page 15 and 16: Is 802.1x enough? No It does solve:
Page 17 and 18: 802.1x over 802.11 Supplicant Authe
Page 19 and 20: Before authentication Supplicant th
Page 21 and 22: 802.11/802.1x state machine Class 1
Page 23 and 24: Extensible authentication protocol
Page 25 and 26: Authentication methods EAP allows c
Page 27 and 28: Protected EAP (PEAP) Extension to E
Page 29 and 30: Note Do not configure IAS and XP fo
Page 31 and 32: Security requirements, again Mutual
Page 33 and 34: Windows PEAP authentication First p
Page 35: Our requirements so far Mutual devi
Page 39 and 40: Windows PEAP authentication Second
Page 41 and 42: Why use machine accounts? Domain lo
Page 43 and 44: Remaining vulnerabilities
Page 45 and 46: Bit-flipping attacks WEP doesn’t
Page 47 and 48: Solution: keyed IC Change behavior
Page 49 and 50: System requirements Client: Windows
Page 51 and 52: Access policy Policy condition NAS-
Page 53 and 54: Interoperability PEAP standards aut
Page 55 and 56: The future—long term IEEE is work
Page 57: © 2003 Microsoft Corporation. All

Wireless LAN Security with 802.1x, EAP-TLS, and PEAP - Black Hat

Create successful ePaper yourself

Delete template?

Save as template?