Archive for 'Wireless'

I found myself pondering the security of our wireless network lately. We are running WPA2-Enterprise on our access points, which use Windows IAS to authorize users connecting to our network. After some reading it seems that the best way to penetrate these networks is to get wireless devices to connect to a fake access point and RADIUS server so you can capture the credentials used to log onto the network.
I also found that freeradius can be modified to log these credentials. You can find the modification here. It has to be patched into freeradius 2.1.7 or 2.02. I chose 2.1.7 as it was newer. After my WPE version of RADIUS was up and running, it was time to try to fool some devices into giving out important credentials to a rogue RADIUS server.

First off I started with my iPhone 4. It is running version 4.3.3 of the iOS software. I connected it to a WPA2-Enterprise network and accepted the certificate for our real RADIUS server. I then shut wireless off on the phone. I then changed the RADIUS server on the access point to my WPE version of freeradius (which was using a certificate NOT signed by an authorized authority). I then turned the wireless back on my phone. The phone did connect to the network, but it appears that after it saw the wrong certificate it disconnected from the network without sending a password. If I clicked on the network, a new prompt to accept the certificate from my WPE freeradius now appeared. If I accepted at this point, the username and password were captured.

Next we tried a phone running Android 2.3. We connected it to our network with our normal RADIUS server, but we never specified a "Certificate Authority" when it was connected (there wasn't anything in this option). Next we shut the wireless off on the phone, then switched the RADIUS server on the access point to the WPE freeradius server. After turning the wireless back on the phone, it immediately attempted to reconnect AND sent both username and password.

While this is bad, we found a way to prevent the Android phone from connecting to the wrong RADIUS server. We exported the certificate authority certificate that signed the certificate for our RADIUS server. We copied that certificate to the Android phone and installed it. When we connected it to the WPA2-Enterprise network, we could now select our CA in the "Certificate Authority" box, and we did so. After the phone connected to our network with the proper RADIUS server, we shut the wireless off on the phone, switched the access point to the WPE freeradius server, then turned the wireless back on the phone. The phone did not reconnect to the network. Trying to select the network and forcing the phone to reconnect failed as well. The phone would not connect to the network, period.

I’ve not had a chance to test Windows XP and Windows 7 against these types of attacks, however I found that someone else had already done this research.


Using WPA-PSK or WPA2-PSK in a large office can become a tedious task. Sharing the pre-shared key with everyone can become a problem. How do you deny access when someone is fired? What if someone's laptop is stolen? This is where WPA-Enterprise and WPA2-Enterprise shine. I'll refer to WPA-Enterprise and WPA2-Enterprise collectively as WPA(2)-Enterprise. They allow more centralized administration of wireless access: it is easy to deny access to a user later, after they have been using wireless.

When an access point is using WPA(2)-Enterprise it communicates with a server to authenticate users based on usernames and passwords (sometimes you may use other things, such as smartcards, to authenticate). The software that authenticates the users is a RADIUS server. Microsoft has its own version of this software, which it calls IAS (Internet Authentication Service). If you already have an Active Directory domain, I strongly recommend using this (though I recommend setting up a CA for your domain before you use IAS). If you are running Linux, then I'd suggest taking a look at freeradius.

My situation is a bit unique. We have a remote office which has a small NAS which runs Linux (we couldn't justify a full blown server, and I didn't trust the people to hook up a server either). They've had a lot of people in and out of their office lately, and I'd like to prevent former employees from accessing their wireless, especially because they have unfirewalled access to our servers here. Since their NAS unit runs Linux, I can and have installed freeradius. freeradius just works out of the box. It requires little modification to begin authenticating users. In fact, according to the freeradius documentation, all you need to do is install it (see the package manager for your distribution of Linux), add the line `testing Cleartext-Password := "password"` to the "users" file, add your Wireless Access Point (WAP) to the "clients.conf" file, and then the user can use several forms of authentication to access wireless.

This almost satisfied my needs. The only thing that was missing was a unified username/password list. Adding each and every user to the users file wasn't acceptable to me. So I did some digging around and found that freeradius can use the Samba password list to authenticate Windows XP/Vista/7 clients and iPhone clients. Note this is the Samba password list (smbpasswd), not the system password list. This does take a bit of modification of the default config. First, I edited the "clients.conf" file. I added the following to the end so that my access point would be allowed to speak to the freeradius server:

# The access point that is allowed to send RADIUS requests (one host, /32)
client 192.168.5.10/32 {
    # Shared secret; the same value is entered in the WAP's WPA(2)-Enterprise setup
    secret = supersecret
    shortname = "WAP"
    nastype = other
}

The IP address of my WAP is 192.168.5.10. The "supersecret" is a shared key that is entered in the WPA(2)-Enterprise setup on the wireless access point. Next edit eap.conf. Find the first line that says "default_eap_type"; it should be under the "eap" section. Make sure the default EAP type is peap. Now edit "radiusd.conf". Find the following lines and uncomment them:

# passwd module instance that reads the Samba password file.
# In "format", fields are ':'-separated, '*' marks the key field (the username)
# and an empty name skips that column (the uid column of smbpasswd).
passwd etc_smbpasswd {
    filename = /etc/smbpasswd
    format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no
}
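To make clear what the "format" line above actually does, here is an added example (not part of the original post or of freeradius itself) that reads an smbpasswd file the way the passwd module's format string describes it: it keeps the named columns, drops the unnamed ones, and indexes by the '*' key field. The smbpasswd lines and hashes are constructed placeholders, and the refusal of accounts flagged "D" (disabled) in SMB-Account-CTRL-TEXT is the example's own policy, mirroring the check the mschap module performs on that attribute.

```python
# Format string from the passwd stanza: ':'-separated fields, leading '*' marks
# the key field, an empty name means "ignore this column".
FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"

# Constructed smbpasswd file (placeholder hashes, not real accounts):
#   username:uid:LM hash:NT hash:[account flags]:LCT-<hex>:
SMBPASSWD = """\
# comment lines and blank lines are skipped
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4E000000:
mallory:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-4E000000:
broken:1003:only-two-fields
"""


def parse_format(fmt):
    """Return (key_index, field_names) as the passwd module reads 'format'."""
    names, key = [], None
    for i, name in enumerate(fmt.split(":")):
        if name.startswith("*"):
            name, key = name[1:], i
        names.append(name)
    if key is None:
        raise ValueError("format has no '*' key field")
    return key, names


def load_passwd(text, fmt):
    """Index the file by the key field; unnamed columns are dropped."""
    key, names = parse_format(fmt)
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(":")
        if len(cols) < len(names):
            continue  # malformed line: skip it rather than trust partial data
        table[cols[key]] = {n: v for n, v in zip(names, cols) if n}
    return table


def nt_password_for(table, user):
    """NT-Password for an enabled account, None for unknown or disabled ones."""
    entry = table.get(user)
    if entry is None:
        return None
    flags = entry.get("SMB-Account-CTRL-TEXT", "").strip("[]")
    if "D" in flags:  # 'D' = account disabled; never hand out its hash
        return None
    return entry["NT-Password"]
```

Running it against the constructed file yields alice's NT hash, while mallory (disabled) and unknown users get None; this is the data PEAP/MSCHAPv2 needs, which is why the file must be readable by freeradius but by nobody else.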

Next, under the "sites-enabled" folder in your freeradius config directory, you'll find a file named "default" and another named "inner-tunnel". Edit them, find the line which says "etc_smbpasswd" and uncomment it. Now change the defaults for the certificate that freeradius creates. Under the freeradius directory there should be another folder called "certs". Inside of certs, edit ca.cnf and change the lines that begin with:

countryName             =
stateOrProvinceName     =
localityName            =
organizationName        =
emailAddress            =
commonName              =

You may also want to change the line that begins with: default_days            =
It is probably a good idea to change the lines that begin with input_password and the lines that begin with output_password. If you do so, make sure you change the key in eap.conf as well; it is an option under the tls section named "private_key_password". Also go through and change the defaults in "server.cnf".

Lastly, make sure that freeradius has the proper permissions to open the /etc/smbpasswd file. Start freeradius and you should be able to connect Windows computers, after you deal with the certificate on them. There are two ways to do that.

The first way is to have the Windows system not validate the CA. To do this, edit the wireless connection settings (you may need to add the wireless network before you can change the settings), click the settings button next to where you select PEAP (Windows 7), and uncheck the box that says "Validate Server Certificate".

The second way is to copy the CA certificate off and import it into the systems that will be using wireless. You can find the certificate in the certs folder for freeradius. It should be named "ca.der". Copy it to your system, rename it to ca.cer, and double click to import it. When you import it, make sure that you import it as a trusted root CA. Now edit the properties of the wireless connection (you may need to add the wireless network before you can change settings). Click the settings button next to where you select PEAP (in Windows 7), scroll down the list of "Trusted Root Certificate Authorities" until you find the one for the CA you created, and check the box for it.
