First, thanks so much for this tutorial.
I just started my career as a pen-tester (attacking wireless devices with BT5/Kali Linux). So far, this is what I have done:
* Bypassed MAC filter
* Bypassed SSID not broadcasting
* Cracked WEP passwords
* WPA/WPA2 - Shared
Now I plan to do attacks on WPA2-Enterprise 802.1X EAP and bypass IDS/IPS. I am doing a pentest for a client that has implemented a RADIUS server / CA.
I know there are two flavors of AAA server:
* RADIUS - UDP / open
* TACACS+ - TCP / Cisco
My concern is first to attack the RADIUS server and recommend TACACS+ as more secure against several attacks (MITM, MAC spoofing, etc.).
My questions are:
Have you ever heard of, or is it possible to bypass, a RADIUS server?
Based on your experience, what are the advantages/disadvantages of RADIUS vs. TACACS+?
It sounds like your client is trying to authenticate with an EAP type that your radius server does not accept. For example, when your client is configured for PEAP and your radius server only accepts EAP-TLS then you’ll get this error as well.
You are welcome. Wireless pentesting is pretty fun and a good method to learn more about wireless. There are a couple of RADIUS related attacks that you can do from the wireless side.
The first one you might want to try is LEAP as it is vulnerable to offline dictionary / brute-force techniques. We don’t use LEAP anymore in the field…
PEAP is also fun: the wireless client only has to authenticate the radius server, so it’s possible to spoof it. When the client sees the certificate of the fake radius server they have to decide if they want to accept the certificate or not…if they do, you get some authentication information you can use for offline attacks.
Bypassing the radius server from the wireless side isn’t possible (as far as I know)…maybe you can mess with it from the LAN side with a mitm attack, but I haven’t tried that before. Radius doesn’t encrypt everything, so on the LAN you might be able to sniff usernames and some other information.
Tacacs+ encrypts everything so it is more secure. I think that radius, however, is still more popular…I see more radius servers than tacacs in the field.
You might enjoy this book:
It covers most of the wireless attacks using backtrack or kali.
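An added example, not from the original post or its author: a wpa_supplicant configuration for a Linux client (one outside the Windows domain) showing the weak PEAP network block beside the hardened one that validates the RADIUS server certificate, so a spoofed radius server is rejected instead of leaving the decision to the user. The SSID, CA file path, identity and server hostname are assumed values.

```ini
# WEAK: no ca_cert and no server name check. The supplicant accepts any
# server certificate, which is exactly the PEAP failure mode described above.
network={
    ssid="corp-wifi"                  # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                   # assumed user
    password="PLACEHOLDER"            # placeholder, not a real credential
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that issued the RADIUS server certificate and the
# exact name the certificate must carry. Both are needed: with a public CA
# (as suggested later in this thread) ca_cert alone would accept any
# certificate that CA ever issued, so domain_match is what ties the
# connection to your own server.
network={
    ssid="corp-wifi"                  # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                   # assumed user
    password="PLACEHOLDER"            # placeholder, not a real credential
    # CA bundle for the issuing CA (assumed path; either the AD CS root or
    # the public CA's root/intermediate chain)
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Must equal a SAN dNSName or the CN of the server certificate (assumed
    # hostname); older wpa_supplicant builds only have domain_suffix_match
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The two blocks are shown side by side for comparison; deploy only the hardened one. The Windows PEAP profile has the same three controls (validate server certificate, trusted root CA, and the list of server names to connect to), which is what the GPO-pushed profile on domain PCs should set.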
Thanks for the well presented instruction. I have my controller configured and the clients are authenticating fine to the wireless network. My problem lies with my management users. I have run a debug on the WLC and found the AD user does authenticate successfully, but I still can't log in to the controller. I just get the username and password prompt presented again. Any suggestions?
As per my understanding, when I am using PEAP authentication:
PCs within the domain will only have to look up the wireless SSIDs -> connect to the specified SSID -> the certificate should have been pushed by the AD earlier -> and then will be prompted for username/password.
PCs outside the domain: option 1, import the certificate manually and then connect the same way as domain PCs. What other options do they have?
Isn’t there a way to make this work WITHOUT deploying Active Directory PKI but instead buy a certificate from Go Daddy and likes and import it onto the NPS server?
Two birds with one stone; validation will work AND you don’t have to deploy Active Directory PKI! Where does one buy the authentication purpose cert – one issued as an Authentication purpose cert?
Someone that isn’t in Active Directory won’t be able to access the wireless network, but there are multiple solutions for filtering.
A good solution would be something like Cisco ISE that lets you configure policies for different devices like smartphones, iPhones, iPads, tablets, etc.
The “poor man’s” solution would be maybe MAC address OUI filtering, restricting authenticating multiple times and preventing users from exporting their client certificates.
Many different solutions.
There are a couple of methods to do this. If you control the end devices then you can prevent exporting client certificates when you use EAP-TLS. When using PEAP you might be able to prevent multiple authentications for one username; this will ensure someone can only use their laptop and not also their smartphone using the same credentials.