Thanks for your fast answer!
So it is normal that during the EAP Handshake an unencrypted SIP Packet
(this is a Softphone connecting to a PBX) originating from the PBX
targeted to the wifi device that is currently in Authentication shows up
unencrypted on air, revealing the IP Address of the PBX, the Username of
the Device aswell as other details that are part of this packet? I don't
think so...
I understand that EAP is mostly unencrypted (thats "management traffic"
in my opinion), however data traffic should *never* be unencrypted and
there should not be any data traffic until the Handshake is finished.
Am 06.08.2019 um 16:45 schrieb Alan DeKok:
On Aug 6, 2019, at 10:40 AM, Flole <flole@xxxxxxxx> wrote:
I have a WPA2 Enterprise Network configured running hostapd 2.5 and I had a device do the EAP Handshake and in the middle of the Handshake there were 2 packets targeted to that device sent to the Access Point to be forwarded to the client (meaning its target IP/Mac was set to the clients IP/Mac). The packets were forwarded unencrypted on-air and it is visible in a wifi capture in clear text, even though this is a WPA2 Enterprise encrypted network. I think under no circumstances should any data packet be sent unencrypted, and that sending of the packets should either be delayed or the packets should be discarded at that point because the client is not currently fully connected.
Is this known?
That is how EAP works.
It is impossible to change it without changing every single WiFi device on the planet.
The common EAP methods *do* encrypt the sensitive user data. e.g. names, passwords, etc. For more information, please see the EAP specifications.
Alan DeKok.
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
