
Re: meeting ietf-legacy ssid

2017-07-13 19:08:30


> On 7/12/2017 11:08 PM, joel jaeggli wrote:
>> wpa2 enterprise provides forward security, merely using the same
>> username and password doesn't provide you with the ability to snoop
>> other traffic.
>
> Oh.  So a bad actor having the shared key and being able to wiretap
> the key exchange sequences at the startup of other users doesn't
> represent a threat?  (I'd heard otherwise, but admit to not having
> researched this carefully.)

There's no pre-shared key, there's a cert from a legitimate-looking ca
that you have to accept on faith the first time, and then the username
and password (ietf / ietf) which your client caches presumably forever.
The handshake is eap peap or eap ttls so apart from the gratuitous TOFU
issue for most people, the mitm is going to need the cert's private key,
or get you to accept and enroll another cert.

you can examine the cert or grab a profile including it here:

https://802.1x-config.org/?idp=137&profile=101

> And only WPA2 is supported on the IETF net(s)?

we do 802.1x wpa2 ent with peap or ttls methods.

> d/



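As an added example (not from anyone in the thread), two wpa_supplicant network blocks for the ietf SSID discussed above: the first has no server validation, so the "accept on faith the first time" problem repeats on every connection; the second pins the CA and the server name so a substitute certificate is rejected before the inner password exchange. The CA file path and server hostname are placeholders to be taken from the linked profile.

```conf
# Added example, not the IETF NOC's configuration. Two wpa_supplicant
# network blocks for the 802.1X WPA2-Enterprise network described above.

# WEAK: no ca_cert and no server-name match. The client accepts whatever
# certificate the RADIUS server (or a rogue AP) presents, so a
# man-in-the-middle does not need the real server's private key: it can
# terminate TLS itself and complete the authentication with the shared
# ietf/ietf credential. This is the trust-on-first-use gap, repeated.
network={
    ssid="ietf"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="ietf"
    password="ietf"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the server name. A certificate from
# any other CA, or for any other hostname, fails the outer TLS handshake
# before the inner MSCHAPv2 exchange runs, so the attacker now needs the
# legitimate server's private key, as joel says.
network={
    ssid="ietf"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="ietf"
    password="ietf"
    # ASSUMED path: the CA certificate extracted from the linked profile
    ca_cert="/etc/wpa_supplicant/ietf-radius-ca.pem"
    # PLACEHOLDER: replace with the RADIUS server hostname from the profile
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
    # For the TTLS method instead of PEAP, use eap=TTLS with
    # phase2="auth=PAP" or phase2="autheap=MSCHAPV2"; the ca_cert and
    # domain_suffix_match lines stay the same.
}
```

Check the pinned hostname against the certificate the server actually sends (for example with `wpa_cli` logging or by inspecting the profile) before relying on it; a mismatch simply means the client refuses to connect.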
