Windows 2003, IAS, EAP-PEAP, WPA-Enterprise. (802.1x)

castellansolutions
castellansolutions used Ask the Experts™
on
Scenario: I have a Windows 2003 running IAS, A DLINK DIR-615 WAP and my laptop. I have setup wireless using 802.1x security utilizing EAP-PEAP.

Everything is working correctly and all is well. I have some confusins on the following items:

1. Since i have set AES (CCMP) as the wireless encryption type, (I have set this in the WAP) does the windows server do any of the Cryptohraphy work for AES or is it just the WAP?

2. I understand that the user name and password are the "Effective User Certificate" (as EAP-PEAP does not use an actual machine certificate) however does that mean that a strong user/pass combo = a stronger encryption key for that session?

3. What role does the Server certificate play in authenticating the account? And is the server certificate public key a determinig factor of Keying Strength? Meaning if the server certificate is 4096 bits vs 1024 bits will you get a stronger "Session Key"? again, based on the strength?

4. Does the SSID have anything to to do with the encryption? (like it does) in standard WPA-PSK?

5. I understand that the "Shared Secret" between the radius authenticator and the authentiction server secures traffice between those 2 points but does it have anything to do with the encryption of session keys?


Sorry to hit you with so many but i am almost done with this test and would really appreciate any help you could provide.

Thanks,

Robert
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
1) The WAP handles all encryption of wireless traffic.
2) My understanding of it, PEAP works the same regardless of user/ password strength. Of course, stronger p/w is always good. PEAP just encapsulates it so its not in "plain text."
3) What's the server key for? And yes, 4096 is stonger than 1024 bit keys.
4) No, the SSID has nothing to do with encryption. Disabling SSID broadcast is often considered the more secure practice, but doing so can cause headaches with some wireless clients down the road.
5) Can't help you with RADIUS I'm afraid- I'll look it up and post back with an answer if I find anything.

Author

Commented:
Thanks, for the response.

If you look at WPA cracking programs like Aircrack-ng you will notice that when you go to crack WPA the ssid is required because each password is hashed for the SSID and the password itself for that wap.

That basically means that if your SSID is "linksys" then its far easier to crack using rainbow tables beuase you can pre-compute all the different password hashes and once that is done you can then use those cracking tables to crack any ap that has an ssid of linksys - so change your ssid.

church of wifi created "rainbow tables" using 1000 of the most common ssids to crack wpa faster. (doesnt matter if its aes or tkip).

Robert
TolomirAdministrator
Top Expert 2005

Commented:
Just a remark, hidden ssid is no problem with the proper tools:

http://synjunkie.blogspot.com/2007/12/bypass-hidden-ssid-mac-address-filter.html

Tolomir

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial