PEAP and EAP-TLS on Server 2008 and Cisco WLC

Hello,
very nice blog!
One question.
My clients will receive the following question when connecting:

Enter your username and password
Use my windows user account

Connect using a certificate

Is there a GPO to automate this so this question is skipped?

Thx

Hmm good question, have you checked the advanced properties? There should be an option to remember the PEAP credentials for Windows 7 or 8. Once you are connected:

  1. View connection properties
  2. Open the security Tab
  3. Advanced Settings
  4. Replace credentials
  5. Enter credentials and hit OK.

That should force Windows to remember the credentials instead of asking for them over and over again. If it doesn’t work…maybe there’s a GPO that can do this but I don’t know it off the top of my head 🙂

Hi Rene,

First, thanks so much for this tutorial.
I just started my career as a pen-tester (attacking wireless devices with BT5/Kali Linux). So far, this is what I have done:

  1. Bypassed MAC filter
  2. Bypassed SSID not broadcasting
  3. Cracked WEP passwords
  4. WPA/WPA2 - Shared

Now I plan to do attacks on WPA2-Enterprise 802.1X EAP and bypass IDS/IPS. I am doing a pentest for a client that has implemented a RADIUS server/CA.
I know there are two flavors of AAA server:
  * RADIUS - UDP/open
  * TACACS+ - TCP/Cisco
My concern is first to attack the RADIUS server and recommend TACACS+ as more secure against several attacks (MITM, MAC spoofing, etc.).

My questions are:
Have you ever heard of, or is it possible to bypass, a RADIUS server?
Based on your experience, what are the advantages/disadvantages of RADIUS vs. TACACS+?

Thanks Rene, your tutorial is so nice 🙂

Hi guys, I'm facing this error. Can you help me?
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Hi Erick,

It sounds like your client is trying to authenticate with an EAP type that your radius server does not accept. For example, when your client is configured for PEAP and your radius server only accepts EAP-TLS then you’ll get this error as well.

Rene

Hi Francisco,

You are welcome. Wireless pentesting is pretty fun and a good method to learn more about wireless. There are a couple of RADIUS related attacks that you can do from the wireless side.

The first one you might want to try is LEAP as it is vulnerable to offline dictionary / brute-force techniques. We don’t use LEAP anymore in the field…

PEAP is also fun, the wireless client only has to authenticate the radius server so it’s possible to spoof it. When the client sees the certificate of the fake radius server they have to decide if they want to accept the certificate or not…if they do, you get some authentication information you can use for offline attacks.

Bypassing the radius server from the wireless side isn’t possible (as far as I know)…maybe you can mess with it from the LAN side with a mitm attack but I haven’t tried that before. Radius doesn’t encrypt everything so on the LAN you might be able to sniff usernames and some other information.

Tacacs+ encrypts everything so it is more secure, I think that radius however is still more popular…I see more radius servers than tacacs in the field.

You might enjoy this book:

It covers most of the wireless attacks using backtrack or kali.

Rene
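Rene's remark that RADIUS "doesn't encrypt everything" is exactly what RFC 2865 specifies: only the User-Password attribute is hidden (an MD5 stream keyed by the shared secret), while User-Name, NAS-IP-Address and the rest travel in the clear, which is why the WLC-to-NPS path should get its own protection (an isolated management VLAN, IPsec, or RadSec). With PEAP/EAP-TLS the inner credentials ride inside TLS in EAP-Message attributes, but the outer User-Name is still visible. This added Python example is not from the original thread; it builds a constructed PAP-style Access-Request and parses it as a passive observer would, and the shared secret, username, password and NAS address are all constructed sample values.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types
ACCESS_REQUEST = 1                                   # RFC 2865 packet code


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _password_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block),
    chained from the Request Authenticator. Only User-Password gets this treatment."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result   # chain on the ciphertext in both directions
    return out


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int = 1) -> bytes:
    """PAP-style Access-Request: User-Name and NAS-IP-Address travel in the clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, _password_stream(padded, secret, authenticator, False))
             + _attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))   # constructed WLC address
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """Walk the attribute TLVs as any passive observer can; no shared secret is needed."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, packet[4:20], attrs


def recover_password(obfuscated: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Only a holder of the shared secret can undo the User-Password hiding."""
    return _password_stream(obfuscated, secret, authenticator, True).rstrip(b"\x00")


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))   # constructed sample values
    code, auth, attrs = parse_attributes(build_access_request(b"CORP\\alice", b"Wint3r!", secret, auth))
    print("Clear on the wire:", attrs[USER_NAME], "hidden:", attrs[USER_PASSWORD].hex())
    print("Recovered with the secret:", recover_password(attrs[USER_PASSWORD], secret, auth))
```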

Hi All,
Thanks for the well-presented instruction. I have my controller configured and the clients are authenticating fine to the wireless network. My problem lies with my management users. I have run a debug on the WLC and found the AD user does authenticate successfully but I still can't log in to the controller. I just get the username and password presented again. Any suggestions?

Thanks. It really helped.

Hmm good question, normally authentication for admins is easier than for wireless users. Anything in the log of the WLC?

Hello Rene,
Thanks for the well-presented instruction.
Can you please explain if we can use PEAP And EAP-TLS for the same wireless device (client)?

Hello Rene,

I have a question and I appreciate your help,

As per my understanding, when I am using PEAP authentication:
PCs within the domain will only have to look up the wireless SSIDs -> connect to the specified SSID -> the certificate should have been pushed by AD earlier -> and then they will be prompted for username/password.

PCs outside the domain: option 1, import the certificate manually and then connect the same way as domain PCs. What other options do they have?

What about Android and iPhone devices?

Great post René!

Isn’t there a way to make this work WITHOUT deploying Active Directory PKI but instead buy a certificate from Go Daddy and likes and import it onto the NPS server?

Two birds with one stone; validation will work AND you don’t have to deploy Active Directory PKI! Where does one buy the authentication purpose cert – one issued as Authentication purpose cert 1.3.6.1.5.5.7.3.2?

Hi Bubba,

Good question, you should be able to get a server certificate from a CA that you can use for PEAP. You can’t do it with GoDaddy?

If you want to run EAP-TLS…not sure if you can generate client certificates somewhere…

Rene

Hi Efrangi,

You got it right. Android and iPhone/iPads need a certificate installed manually as well. I created two tutorials for this:

http://networklessons.com/wireless/eap-tls-certificates-for-wireless-on-android/

http://networklessons.com/wireless/eap-tls-with-server-2008-scep-for-apple-devices/

That should be helpful 🙂

Rene

Hi Ruslan,

Yes you can, you can allow both PEAP and EAP-TLS. There’s no point doing it though, if you allow PEAP then why do you want EAP-TLS? 🙂 Better to enforce the most secure method (EAP-TLS).

Rene

Hi Rene, how can I block devices like smartphones and other machines that are not part of Active Directory?

Congratulations on your guide 🙂


Hi Fábio,

Someone that isn’t in Active Directory won’t be able to access the wireless network but there are multiple solutions for filtering.

A good solution would be something like Cisco ISE that lets you configure policies for different devices like smartphones, iphones, ipads, tablets, etc.

The “poor man’s” solution would be maybe MAC address OUI filtering, restricting authenticating multiple times and preventing users from exporting their client certificates.

Many different solutions 🙂

Rene

There are a couple of methods to do this. If you control the end devices then you can prevent exporting client certificates when you use EAP-TLS. When using PEAP you might be able to prevent multiple authentications for one username, this will ensure someone can only use their laptop and not also their smartphone using the same credentials.

I understand. But is it a certificate limit? If I don’t use a certificate, can I limit access to laptops only?

Thanks in advance 🙂

Hi Fábio,

If those laptops are joined to the domain then you can add an additional check in NPS that verifies if the laptop has joined the domain or not. If not, the user won’t be allowed to connect.

This prevents non-domain devices from connecting 🙂

Rene