Enforcing cryptobinding


Enforcing cryptobinding

Nik Mitev-2
Hi,

I was looking at this article about the sycophant attack
https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/
and the success of it reportedly hangs on whether cryptobinding is
enforced or not.

On NPS it is not enforced by default, but there is a "Disconnect
clients without cryptobinding" setting that can be enabled.

Can anyone confirm what is the FR default on cryptobinding and whether
it can be changed in configuration? If it is not enabled by default,
can it be enabled? If it is enabled by default, can it be disabled -
inadvertently or on purpose.

Regards,
Nik
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Enforcing cryptobinding

Alan DeKok-2
On Nov 22, 2019, at 12:14 PM, Nik Mitev <[hidden email]> wrote:

>
> I was looking at this article about the sycophant attack
> https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/
> and the success of it reportedly hangs on whether cryptobinding is
> enforced or not.
>
> On NPS it is not enforced by default, but there is a "Disconnect
> clients without cryptobinding" setting that can be enabled.
>
> Can anyone confirm what is the FR default on cryptobinding and whether
> it can be changed in configuration? If it is not enabled by default,
> can it be enabled? If it is enabled by default, can it be disabled -
> inadvertently or on purpose.

  There is no standard for cryptographic binding for PEAP.  If you can find one, we're happy to implement it.

  There is a standard for TTLS, and FreeRADIUS enforces it by default. See:

https://tools.ietf.org/html/rfc5281#section-11.1

 There is no way to disable it for TTLS.

  Alan DeKok.

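The TTLS binding Alan points at (RFC 5281 section 11.1) works by deriving the inner CHAP/MS-CHAP challenge from the outer TLS session itself: the TLS PRF is run over the tunnel's master secret and client/server randoms with the label "ttls challenge", so a response can only verify inside the tunnel it was computed in. The following Python is an added illustration for this thread, not code from the list, from FreeRADIUS or from RFC 5281; it assumes a TLS 1.2 tunnel (the RFC 5705 exporter for TLS 1.2 is the RFC 5246 P_SHA256 PRF; TLS 1.3 derives exporters with HKDF instead), uses CHAP as the inner method, and all function names and the session values are constructed for the example.

```python
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed), truncated to `length`."""
    seed = label + seed
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def ttls_implicit_challenge(master_secret: bytes, client_random: bytes,
                            server_random: bytes, length: int = 17) -> bytes:
    """RFC 5281 section 11.1: challenge bound to the tunnel via label "ttls challenge"."""
    return tls12_prf(master_secret, b"ttls challenge", client_random + server_random, length)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password(tunnel: tuple, secret: bytes) -> bytes:
    """Supplicant side: CHAP-Password = ident byte || MD5 response.
    RFC 5281 uses bytes 0..15 of the implicit challenge as CHAP-Challenge and byte 16 as the ident."""
    chal = ttls_implicit_challenge(*tunnel)
    ident = chal[16]
    return bytes([ident]) + chap_response(ident, secret, chal[:16])


def server_verify_chap(tunnel: tuple, secret: bytes, chap_password: bytes) -> bool:
    """Server side: recompute the challenge from ITS OWN tunnel state, never from anything the
    client sent. A response produced under a different TLS session cannot match here."""
    chal = ttls_implicit_challenge(*tunnel)
    if chap_password[0] != chal[16]:
        return False
    expected = chap_response(chal[16], secret, chal[:16])
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed tunnel state (master_secret, client_random, server_random); not real sessions.
TUNNEL_A = (bytes(range(48)), b"\x11" * 32, b"\x22" * 32)      # the client's own tunnel to the server
TUNNEL_B = (bytes(range(48, 96)), b"\x33" * 32, b"\x44" * 32)  # some other TLS session to the server
PASSWORD = b"constructed-example-password"                      # constructed inner credential


def demo() -> dict:
    """The same CHAP-Password verifies only inside the tunnel it was derived in."""
    resp = client_chap_password(TUNNEL_A, PASSWORD)
    return {
        "same_tunnel": server_verify_chap(TUNNEL_A, PASSWORD, resp),   # True
        "other_tunnel": server_verify_chap(TUNNEL_B, PASSWORD, resp),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of the check is that the server never learns the challenge from the client: it regenerates it from its own TLS state, which is why there is nothing to "enable" for TTLS in FreeRADIUS and why the binding cannot be switched off in configuration, as Alan says.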