Re: meeting ietf-legacy ssid

>
> On 7/12/2017 11:08 PM, joel jaeggli wrote:
>> WPA2 Enterprise provides forward security; merely using the same
>> username and password doesn't provide you with the ability to snoop
>> other traffic.
>
> Oh.  So a bad actor having the shared key and being able to wiretap
> the key exchange sequences at the startup of other users doesn't
> represent a threat?  (I'd heard otherwise, but admit to not having
> researched this carefully.)
There's no pre-shared key; there's a cert from a legitimate-looking CA
that you have to accept on faith the first time, and then the username
and password (ietf / ietf), which your client caches presumably forever.
The handshake is EAP-PEAP or EAP-TTLS, so apart from the gratuitous TOFU
issue for most people, the MITM is going to need the cert's private key,
or get you to accept and enroll another cert.

You can examine the cert or grab a profile including it here:

https://802.1x-config.org/?idp=137&profile=101
> And only WPA2 is supported on the IETF net(s)?
We do 802.1X WPA2 Enterprise with PEAP or TTLS methods.
>
>
>
> d/
>


Attachment: signature.asc
Description: OpenPGP digital signature
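The point made above, that the attacker needs the RADIUS server's private key or has to get the client to accept a different cert, only holds if the client actually validates the server certificate rather than accepting it on faith. The following wpa_supplicant network blocks are an added example written for this archive page, not a configuration from the IETF NOC or from the 802.1x-config.org profile. The SSID, EAP method and the ietf / ietf credentials are taken from the thread; the CA file path and the RADIUS server name are assumptions, and should be taken from the downloaded profile instead.

```ini
# Added example, not from the original message.
# Two wpa_supplicant network blocks for the SSID discussed in the thread.

# WEAK: no ca_cert and no name match. wpa_supplicant will build the TLS
# tunnel with whatever server certificate is offered, so a rogue AP
# presenting its own cert receives the inner MSCHAPv2 exchange for
# ietf / ietf. This is the "accept on faith" posture from the message.
network={
    ssid="ietf-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="ietf"
    password="ietf"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the TLS server cert must chain to the pinned CA and carry
# the expected server name before any inner credential is sent, so an
# attacker needs that server's private key or a cert issued under the
# pinned CA, matching the MITM requirement stated above.
network={
    ssid="ietf-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="ietf"
    anonymous_identity="anonymous"
    password="ietf"
    phase2="auth=MSCHAPV2"
    # ASSUMED path: PEM copy of the CA from the 802.1x-config.org profile.
    ca_cert="/etc/wpa_supplicant/ietf-radius-ca.pem"
    # ASSUMED value: the server name listed in that profile.
    domain_suffix_match="radius.example.net"
}
```

Pinning with `ca_cert` alone is not enough when the CA is a public one, since any certificate that CA has issued would be accepted; `domain_suffix_match` (or `altsubject_match`) ties the tunnel to the expected RADIUS server name. Both values belong in the profile downloaded from the link above; the ones shown here are placeholders.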

