On Sat, Jun 22, 2024 at 11:51:45PM +0200, Linus Lüssing wrote:
> On Thu, Jun 20, 2024 at 11:46:58AM +0800, kinbell4 wrote:
> > EAP-TLS does not need trusted AP, certificate will prevent fake server,

Or let me give a more concrete attack scenario which I believe a remote authenticator would solve and current WPA Enterprise setups are likely susceptible to (though there you could just do without the L2TP part):

Given a facility like a university or hospital using WPA Enterprise. The APs have a RADIUS client with TLS enabled. The WiFi APs in such facilities are often visible and relatively easy to access. Maybe at night the attacker gets 5 min to temporarily remove it. Or during the day with the right clothes and a ladder (social engineering 101).

I can then either through serial or direct flash access install a backdoor on the AP. Or just read the RADIUS/TLS client's certificate or key. The AP is compromised / untrusted now.

For the backdoored AP: You can now obviously read the unencrypted packets as the WiFi AP will encrypt/decrypt the packets from the WiFi client. And have access to the facility's internal network just like the authorized WiFi client.

Similarly you could use the RADIUS client certificate to make and install your own untrusted/rogue/replacement AP with the same ESSID at the same spot.

With the remote authenticator I could instead move it into a locked server room for instance. So that packets would stay encrypted on/over any AP and any cable all the way into the server room. One dedicated place with a lot more physical protection. Then the right clothes and a ladder wouldn't be enough anymore to read the unencrypted frames or to get intranet access. I would need a physical key to access this particular server room. And it would be easier/cheaper to physically protect this one place compared to dozens of places all around a campus or hospital, for each WiFi AP.
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap