WPA2-Enterprise (802.1X)
How it works
WPA2-Enterprise replaces the single shared passphrase of WPA2-Personal with per-user authentication. Instead of one PSK, every client proves a distinct identity, and a back-end RADIUS server decides whether to let them on. The access point becomes a pass-through: it speaks 802.1X to the client and RADIUS (RFC 2865) to the authentication server, relaying an EAP (RFC 3748) conversation between the two until RADIUS returns Access-Accept or Access-Reject. Only on accept does the AP derive the per-session keys and run the same four-way handshake WPA2 always uses.
The whole security model lives inside the EAP method. With EAP-TLS (RFC 5216) both sides present X.509 certificates, so authentication is mutual and there is no password to steal. With PEAP and EAP-TTLS the server presents a certificate and the client tunnels a password inside that TLS session, almost always MSCHAPv2. That tunnel only protects the password if the client first verifies the server's certificate. If the client does not check the certificate, an attacker stands up their own RADIUS server, the client tunnels its credentials to the attacker, and the entire scheme collapses. Server-certificate validation on the client is not one control among many; it is the only thing standing between a corporate network and a password dump.
Configuring it in Tala WTE
The two protocol-specific fields are EAP Identity and EAP Password, which appear only for the Enterprise protocols. They must name a real user in the LDAP Directory, not merely a value typed into the form, because test clients and deployed pack members present exactly these credentials to RADIUS during 802.1X authentication.
Enterprise also needs a back end that personal protocols do not, so starting the network opens the Enterprise Network Preflight dialog. It checks for a CA, a server certificate, an LDAP directory with users, and a running FreeRADIUS. If everything is present the button reads Start Network; if anything is missing it reads Auto-provision & Start, and one click bootstraps the whole stack (Certificates, RADIUS config, directory users) before bringing the AP up.
For the full New-Network walkthrough and the preflight dialog, see Networks.
Attacks
Rogue RADIUS / evil twin
Stand up a look-alike SSID backed by your own RADIUS server with a self-signed certificate. Clients that do not validate the server cert complete the PEAP tunnel against you and hand over their MSCHAPv2 exchange.
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# or:
eaphammer --cert-wizard
eaphammer -i wlan0 --essid CorpWiFi --creds
Judgment: this is the bread-and-butter enterprise attack, and it succeeds entirely on the client's failure to check the certificate.
MSCHAPv2 capture and crack
A captured PEAP-MSCHAPv2 challenge/response reduces to an offline brute-force problem. The challenge-response has been broken since 2012: it collapses to three 56-bit DES operations keyed by the NT hash, so the password (or the NT hash itself) falls to a wordlist or, in the worst case, a guaranteed exhaustive DES keyspace search.
asleap -C <challenge> -R <response> -W wordlist.txt
hashcat -m 5500 captured.hccap wordlist.txt
Judgment: any intercepted PEAP-MSCHAPv2 handshake should be treated as a plaintext password with a short delay.
GTC downgrade
Inside the PEAP tunnel the rogue AP requests EAP-GTC instead of MSCHAPv2. A client configured to allow GTC will return the password in cleartext, no cracking required.
eaphammer -i wlan0 --essid CorpWiFi --creds --negotiate gtc-downgrade
Judgment: turns a crack-it-later capture into an instant cleartext password whenever the client permits GTC.
Missing CRL / OCSP
EAP-TLS is only as strong as its revocation checking. If the server never consults a CRL or OCSP responder, a revoked or stolen client certificate still authenticates.
# verify whether the server actually rejects a revoked cert
eapol_test -c eaptls.conf -a 127.0.0.1 -s testing123
Judgment: a leaked certificate is permanent network access until revocation is genuinely enforced.
Blast-RADIUS (CVE-2024-3596)
RADIUS Access-Request packets over UDP that lack a Message-Authenticator attribute can be forged via an MD5 chosen-prefix collision, letting an on-path attacker rewrite an Access-Reject into an Access-Accept.
# defensive check: confirm the server requires Message-Authenticator
# FreeRADIUS: require_message_authenticator = yes (raddb/clients.conf)
Judgment: a protocol-level break of the AP-to-RADIUS link itself; only Message-Authenticator enforcement (or RADIUS over TLS) closes it.
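As an added example of the control this judgment names (not Tala WTE or FreeRADIUS code), the following Python builds RADIUS packets carrying the Message-Authenticator attribute and applies the check a receiver must make: packets without the HMAC, or with a wrong one, are dropped. Codes and attribute types are the RFC 2865/2869 values; the function names and the shared secret and Request Authenticator used to exercise it are constructed.

```python
# Added example, not Tala WTE or FreeRADIUS code; codes and attribute types are the RFC values.
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    """Yield (type, value_offset, value) for every attribute after the 20-byte header."""
    i = 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield kind, i + 2, packet[i + 2:i + length]
        i += length

def message_authenticator(packet, secret, request_auth=None):
    """HMAC-MD5 with the attribute's own value zeroed (RFC 2869 5.14); a response is keyed over the Request Authenticator it answers."""
    buf = bytearray(packet)
    if request_auth is not None:
        buf[4:20] = request_auth
    for kind, off, _ in parse_attrs(packet):
        if kind == ATTR_MESSAGE_AUTHENTICATOR:
            buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def response_authenticator(packet, secret, request_auth):
    # Plain MD5 (RFC 2865 3): the only check on a bare response, and the one Blast-RADIUS forges.
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def sign(code, ident, request_auth, secret, attrs):
    """Append a valid Message-Authenticator; responses also get their Response Authenticator."""
    pkt = build_packet(code, ident, request_auth, attrs + [attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = pkt[:-16] + message_authenticator(pkt, secret)  # placeholder sits last; overwrite its value
    if code == ACCESS_REQUEST:
        return pkt
    return pkt[:4] + response_authenticator(pkt, secret, request_auth) + pkt[20:]

def verify_message_authenticator(packet, secret, request_auth=None):
    """What require_message_authenticator enforces: no attribute, or a wrong HMAC, means drop."""
    macs = [v for kind, _, v in parse_attrs(packet) if kind == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(macs[0], message_authenticator(packet, secret, request_auth))
```

The AP-side call for an Access-Accept is verify_message_authenticator(reply, secret, request_auth) with the Request Authenticator it sent; a reply that relies on the MD5 Response Authenticator alone never passes.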
What you find in the field
Real corporate WLANs lean on PEAP-MSCHAPv2 far more than EAP-TLS, because passwords are easier to deploy than a client PKI. That makes the rogue-RADIUS path the common reality rather than a textbook edge case. The recurring failure is client provisioning: a profile pushed without a pinned CA, or worse, end users who tapped through a certificate-trust prompt once and now associate to anything advertising the right SSID. You also find legacy fall-throughs, networks that still permit GTC or older inner methods for one stubborn device, which downgrade everyone. On the wire, look for the AP-to-RADIUS leg riding plain UDP/1812 with no Message-Authenticator, the precondition for Blast-RADIUS. In Tala WTE this is the lesson the WPA2-Enterprise (802.1X) profile teaches: it stands up the FreeRADIUS and OpenLDAP back end so the full capture-and-crack loop against a believable corporate SSID happens on your own range, legally.
Defending against it
Prefer EAP-TLS with client certificates; it removes the crackable password entirely and makes rogue RADIUS pointless. Where PEAP or TTLS must stay, the non-negotiable control is server-certificate validation on every client: pin the exact CA and the expected server name through managed configuration profiles so the supplicant refuses any unknown certificate, and never rely on users to make that decision. Disable EAP-GTC and any weaker inner methods so a tunnel cannot be downgraded. Enforce certificate revocation with a live CRL or OCSP so a stolen credential dies on revocation. On the RADIUS link, require the Message-Authenticator attribute on every packet (or move to RADIUS over TLS) to defeat Blast-RADIUS, and keep the shared secret long and unique. Finally, deploy Protected Management Frames; the Tala WTE enterprise config emits ieee80211w so PMF can be set per network, blunting the deauthentication that drives clients toward an evil twin.
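As an added example (not Tala WTE code) of auditing the client-side controls listed above, the following Python parses a wpa_supplicant network block and reports which of them are missing: a pinned CA, a server-name match, no GTC inside the tunnel, and required PMF. Both profiles are constructed samples; the CA path and server name in them are placeholders.

```python
# Added example, not Tala WTE code; both profiles are constructed samples, not real deployments.
import re

WEAK = """network={
    ssid="CorpWiFi"
    eap=PEAP
    phase2="auth=MSCHAPV2 auth=GTC"
}"""

HARDENED = """network={
    ssid="CorpWiFi"
    eap=PEAP
    ca_cert="/etc/ssl/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
    ieee80211w=2
}"""

def parse_network_block(text):
    """Return key -> value for the first network={...} block, comments and quotes stripped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network block")
    fields = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def audit_profile(fields):
    """One finding per missing control; an empty list means the profile meets the bar above."""
    findings = []
    eap = fields.get("eap", "").upper()
    if eap in ("PEAP", "TTLS"):
        if not (fields.get("ca_cert") or fields.get("ca_path")):
            findings.append("no CA pinned: any server certificate is accepted, so rogue RADIUS works")
        if not any(k in fields for k in ("domain_match", "domain_suffix_match", "subject_match")):
            findings.append("no server-name check: any certificate issued by the CA is accepted")
        if "GTC" in fields.get("phase2", "").upper():
            findings.append("GTC allowed inside the tunnel: password can be downgraded to cleartext")
    elif eap != "TLS":
        findings.append("unexpected EAP method: " + (eap or "none set"))
    if fields.get("ieee80211w") != "2":
        findings.append("PMF not required (ieee80211w=2): deauth can steer the client to an evil twin")
    return findings
```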
References
- IEEE 802.11-2020 - base WLAN standard, including 802.1X port-based access control and RSN.
- IEEE 802.1X-2020 - port-based network access control (the authenticator role).
- RFC 3748 - Extensible Authentication Protocol (EAP).
- RFC 2865 - Remote Authentication Dial In User Service (RADIUS).
- RFC 5216 - The EAP-TLS Authentication Protocol.
- CVE-2024-3596 - Blast-RADIUS: RADIUS Access-Request forgery via MD5 collision.