Re: OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

On Thu, Jun 20, 2024 at 11:46:58AM +0800, kinbell4 wrote:
> EAP-TLS does not need a trusted AP; the certificate will prevent a fake server,

EAP-TLS does need a trusted AP: if your RADIUS/TLS server
accepts any AP / RADIUS/TLS client with any client certificate,
then I could set up my own rogue, MitM AP. Then in the final
RADIUS Accept message the RADIUS server would
send the pairwise master key to my rogue AP. My
AP would now be able to see the decrypted frames
from/to the WiFi client, and would be able to see and potentially
manipulate what the WiFi client tries to access on the internet.

> your design requires the AP side to have the CCMP key; it is still the same problem:
> any internet traffic will also need to be decrypted before being sent to the WAN.
> 

The original idea was to have no keys on the AP.
The WiFi AP would not encrypt/decrypt the packets and would
just proxy the encrypted CCMP frames to some remote authenticator,
which would then decrypt/encrypt instead. For the remote
authenticator to have the keys, the AP would not only proxy the
encrypted payload but would also forward the EAPoL frames to the
remote authenticator. The remote authenticator would then run the
RADIUS client instead of the WiFi AP.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
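The two points raised above (a RADIUS/TLS server must only release the PMK to an AP it has authorised, and the proposed "keyless AP" that relays EAPoL and CCMP frames to a remote authenticator) are modelled below in a small Go program. This is an added illustration written for this archive page, not code from hostapd, the OpenHarbors proposal, or the poster. Everything in it is constructed: the `KeylessAP`, `Authenticator` and `Station` types, the enrolled-AP identity `ap-lobby-01`, the PMK, the nonce and the key-expansion label are assumptions, and AES-GCM from the Go standard library stands in for AES-CCM (CCMP) so that the model runs offline; the real 802.11 PRF, 4-way handshake and RADIUS attributes are not implemented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is what the keyless AP relays untouched: either an EAPoL frame
// (key handshake) or a CCMP-protected data frame. The AP never parses Payload.
type Frame struct {
	EAPOL   bool
	Nonce   []byte // constructed stand-in for the CCMP packet number
	Payload []byte
}

// Authenticator is the remote party that runs the RADIUS client and holds keys.
type Authenticator struct {
	enrolledAPs map[string]bool // AP identities the operator enrolled (assumption: cert CN)
	pmk         []byte          // PMK the RADIUS server handed over after EAP-TLS (constructed)
	ptk         []byte          // per-association key, derived from the relayed EAPoL frame
}

// Receive is the check the thread asks for: an AP that is not enrolled gets
// no key material and no decrypted traffic, whatever frames it relays.
func (a *Authenticator) Receive(apID string, f Frame) ([]byte, error) {
	if !a.enrolledAPs[apID] {
		return nil, errors.New("relay from unenrolled AP " + apID + " rejected: no key released")
	}
	if f.EAPOL {
		// Toy handshake: payload carries the station nonce; derive the PTK here,
		// on the authenticator, never on the AP.
		a.ptk = derivePTK(a.pmk, f.Payload)
		return nil, nil
	}
	if a.ptk == nil {
		return nil, errors.New("data frame before handshake")
	}
	return unseal(a.ptk, f.Nonce, f.Payload)
}

// derivePTK is an HMAC-SHA256 stand-in for the 802.11 PRF (constructed label).
func derivePTK(pmk, snonce []byte) []byte {
	m := hmac.New(sha256.New, pmk)
	m.Write([]byte("pairwise key expansion (model)"))
	m.Write(snonce)
	return m.Sum(nil)[:16] // 128-bit temporal key
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-GCM stands in for AES-CCM here
}

func seal(key, nonce, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plaintext, nil), nil
}

func unseal(key, nonce, ciphertext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, nil)
}

// KeylessAP holds no key at all; it only forwards frames under its own identity.
type KeylessAP struct {
	ID   string
	Auth *Authenticator
}

func (ap KeylessAP) Forward(f Frame) ([]byte, error) { return ap.Auth.Receive(ap.ID, f) }

// Station is the WiFi client; it learned the PMK from its own EAP-TLS run.
type Station struct {
	pmk, ptk []byte
	pn       uint64
}

func (s *Station) Handshake() Frame {
	snonce := []byte("constructed-snonce-0001")
	s.ptk = derivePTK(s.pmk, snonce)
	return Frame{EAPOL: true, Payload: snonce}
}

func (s *Station) Send(plaintext []byte) (Frame, error) {
	s.pn++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], s.pn) // never reuse a nonce under one key
	ct, err := seal(s.ptk, nonce, plaintext)
	return Frame{Nonce: nonce, Payload: ct}, err
}

// Scenario relays a handshake and one data frame through an AP with the given
// identity and returns what the remote authenticator recovered.
func Scenario(apID string) (string, error) {
	pmk := sha256.Sum256([]byte("constructed PMK from EAP-TLS"))
	auth := &Authenticator{enrolledAPs: map[string]bool{"ap-lobby-01": true}, pmk: pmk[:]}
	ap := KeylessAP{ID: apID, Auth: auth}
	sta := &Station{pmk: pmk[:]}
	if _, err := ap.Forward(sta.Handshake()); err != nil {
		return "", err
	}
	f, err := sta.Send([]byte("GET / HTTP/1.1"))
	if err != nil {
		return "", err
	}
	pt, err := ap.Forward(f)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	for _, id := range []string{"ap-lobby-01", "rogue-ap"} {
		out, err := Scenario(id)
		fmt.Printf("%s: %q err=%v\n", id, out, err)
	}
}
```

Running `go run` on the file shows the enrolled AP relaying a frame that only the authenticator can read, and the unenrolled identity being refused before any key is derived. The point of the model is where the key lives: `KeylessAP` has no key field to steal, and `Authenticator.Receive` ties key release to an enrolment list rather than to whoever completes the exchange.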



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux