> On 7/12/2017 11:08 PM, joel jaeggli wrote:
>> wpa2 enterprise provides forward security, merely using the same
>> username and password doesn't provide you with the ability to snoop
> Oh. So a bad actor having the shared key and being able to wiretap
> the key exchange sequences at the startup of other users doesn't
> represent a threat? (I'd heard otherwise, but admit to not having
> researched this carefully.)
There's no pre-shared key, there's a cert from a legitimate-looking CA
that you have to accept on faith the first time, and then the username
and password (ietf / ietf) which your client caches presumably forever.
The handshake is EAP-PEAP or EAP-TTLS, so apart from the gratuitous TOFU
issue for most people, the MITM is going to need the cert's private key,
or get you to accept and enroll another cert.
you can examine the cert or grab a profile including it here:
> And only WPA2 is supported on the IETF net(s)?
we do 802.1x wpa2 ent with peap or ttls methods.
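As an added illustration (not part of the thread), here is how the trust-on-first-use gap described above looks in a wpa_supplicant configuration: the first network block trusts whatever server certificate it is offered, the second pins the CA and the server name so a MITM would need the real RADIUS server's private key. The SSID, CA file path and server name are placeholders; ietf/ietf are the credentials quoted in the message.

```ini
# Added example, not configuration from the IETF network or the thread.
# WPA2-Enterprise with 802.1X and PEAP/MSCHAPv2, as the message describes.
# For EAP-TTLS, change eap=PEAP to eap=TTLS and keep the same phase2 line.

# WEAK: no ca_cert, so the client accepts any server certificate.
# This is the "accept on faith the first time" case: a rogue AP with its
# own certificate can complete the TLS tunnel and see the inner login.
network={
    # placeholder SSID
    ssid="ietf"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="ietf"
    password="ietf"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the server's DNS name. The supplicant
# now refuses any server certificate that is not issued by that CA for
# that name, so the attacker needs the legitimate private key.
network={
    # placeholder SSID
    ssid="ietf"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="ietf"
    # outer (unencrypted) identity; keeps the real username off the air
    anonymous_identity="anonymous"
    password="ietf"
    # placeholder path: the CA certificate shipped in the network profile
    ca_cert="/etc/ssl/certs/ietf-radius-ca.pem"
    # placeholder: the name in the RADIUS server's certificate
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```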