Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Wireless security: WLAN certificates and EAP authentication

Enterprise Wi-Fi networks typically use WPA2-Enterprise or WPA3-Enterprise with a RADIUS server for user authentication. This architecture is more secure than WPA2-PSK (shared key) but has its own risks if not properly configured. The main vulnerability comes from clients not validating the RADIUS server certificate.

Rogue access point attack

A rogue access point (rogue AP) imitates a legitimate Wi-Fi network to intercept connections. The attack proceeds as follows: the attacker broadcasts an identical SSID to the enterprise network with a stronger signal, the client connects to the rogue AP because the signal is stronger, the attacker presents their own RADIUS certificate (self-signed or with a deceptive domain name), if the client isn't configured to validate the RADIUS certificate, it accepts the connection and sends its credentials.

EAP methods and their security

The EAP (Extensible Authentication Protocol) method used in WPA-Enterprise determines authentication security. PEAP (Protected EAP): common method, creates a TLS tunnel then authenticates via MSCHAPv2. Vulnerable to rogue APs if server certificate validation isn't configured. EAP-TTLS: similar to PEAP, TLS tunnel with multiple inner methods. EAP-TLS: mutual certificate authentication (client and server). The most secure method but requires a PKI to distribute client certificates.

Correct PEAP configuration (Windows: network managed via GPO)

# Via GPO : Configuration ordinateur > Windows Settings > Security Settings
# > Wireless Network (IEEE 802.11) Policies

# Points critiques à configurer :
# 1. Valider le certificat du serveur : OUI
# 2. CA de confiance : sélectionner la CA qui a émis le certificat RADIUS
# 3. Vérifier le nom du serveur : OUI
#    Nom du serveur RADIUS : radius.example.com
# 4. Ne pas demander à l'utilisateur de valider de nouveaux serveurs : OUI

# Si les clients peuvent "faire confiance" à n'importe quel certificat présenté,
# l'attaque du rogue AP est possible même avec PEAP.

EAP-TLS: mutual certificate authentication

EAP-TLS is the most robust method as it mutually authenticates the client and server by certificate. The client presents its certificate to the RADIUS server (proving its identity), and the server presents its certificate to the client (proving it's the right network). An attacker who sets up a rogue AP can't present a valid client certificate issued by the enterprise CA. Deployment requires an internal PKI to issue and distribute client certificates (via SCEP/NDES or an MDM solution).

Separate guest network

The guest Wi-Fi network must never share a VLAN with the enterprise network. A guest (client, contractor, visitor) who connects to the Wi-Fi must not have access to internal resources. The guest network should only have internet access, with client isolation enabled. Use a captive portal to time-limit access if necessary.

A question after reading?

Is your enterprise Wi-Fi network properly configured? Send a message.

Or book a 30-minute scoping call directly

Book a call