RADIUS guy here. I've worked with 802.1X and PEAP for as long as it's existed.
This isn't news.
If you disable certificate checking, then the authentication security of TLS goes away. Your traffic is still encrypted, but you have no idea who you're talking to.
This means that the attacker gets access to the MS-CHAPv2 data. Which we know can be attacked off-line via dictionary attacks.
Always enable certificate checking for 802.1X. If you don't, you're handing your authentication credentials to anyone.
And always know which certificate you're checking. Some deployments use certificates signed by a known root, and for "ease of use", allow any certificate signed by that root.
Well... the root CAs sign thousands of certificates a day. You've just configured your system to hand authentication credentials to anyone.
2 comments
[ 3.5 ms ] story [ 16.5 ms ] threadThis isn't news.
If you disable certificate checking, then the authentication security of TLS goes away. Your traffic is still encrypted, but you have no idea who you're talking to.
This means that the attacker gets access to the MS-CHAPv2 data. Which we know can be attacked off-line via dictionary attacks.
Always enable certificate checking for 802.1X. If you don't, you're handing your authentication credentials to anyone.
And always know which certificate you're checking. Some deployments use certificates signed by a known root, and for "ease of use", allow any certificate signed by that root.
Well... the root CAs sign thousands of certificates a day. You've just configured your system to hand authentication credentials to anyone.
Don't do that.