Greetings,
I have a Cisco/Microsoft wireless security question that's pretty in-depth. I'm hoping there's someone out there who's been down this road. Specifically, I'm curious how strong this setup is in deflecting a targeted evil-twin man-in-the-middle access point attack against our employees (i.e. a bad guy in an airport or Starbucks setting up an access point, trying to get an employee machine to associate to it and get the machine to volunteer the Active Directory username/password).
Our networking vendor is spec'ing a wireless system for a large facility, and intends to use Cisco Aironet infrastructure, leveraging PEAP authentication against our Microsoft Active Directory using usernames/passwords. All our client machines are Windows XP systems.
Their technical guy showed in a demo that Windows would be configured for WPA/TKIP using 802.1X authentication with PEAP, and EAP-MSCHAP v2 as the authentication mechanism, which'll go against our Active Directory infrastructure.
Client systems (for our wireless workstations) will be set up to validate the access point's certificate, for which they intend to use an [name of a listed certificate authority] authority certificate. Perhaps this picture helps, where only one trusted root CA would be checked in our configuration:
In this setup, would it be possible for an attacker to set up an evil twin access point if they take the time to purchase their own certificate from that same certificate authority?
My understanding may be flawed, but I don't see that the client checks anything except that the access point has a matching BSSID and possesses a valid certificate from that certificate authority. I don't see where it does any checking to make sure that it's actually our company's individual certificate.
Can anyone confirm or deny?
I guess I'd hate for someone with a laptop sitting at an airport to be able to coax one of our employees' machines into joining his network automatically if he just knew our BSSID and had a certificate from the same CA. It may be an acceptable level of risk to balance out the management headache of client-side certificates, but I just want to be sure we know what the exposure is so we can do a proper risk assessment.
Best Regards,
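The exposure the question hinges on is whether the client profile also pins the RADIUS server's name (the Windows "Connect to these servers" setting), rather than only the issuing root CA. As an added example that is not part of the original post, this Python script audits the ServerValidation element of an EAPHost PEAP profile fragment (the MsPeapConnectionPropertiesV1 XML that later Windows versions export; XP-era profile formats vary) and reports which identity checks the client will perform; the server names and CA thumbprint are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# EAPHost PEAP settings live under this namespace in an exported WLAN profile.
PEAP_URI = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_NS = "{" + PEAP_URI + "}"

# Constructed sample fragments: the first matches the setup in the post (one
# root CA pinned, placeholder thumbprint, no server name); the second adds
# assumed RADIUS server names, semicolon-separated as the Windows UI stores them.
def peap_fragment(server_names: str, disable_prompt: str = "true") -> str:
    return f"""<EapType xmlns="{PEAP_URI}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{disable_prompt}</DisableUserPromptForServerValidation>
    <ServerNames>{server_names}</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
</EapType>"""

CA_ONLY_PROFILE = peap_fragment("")
PINNED_PROFILE = peap_fragment("radius1.corp.example;radius2.corp.example")

def audit_peap(xml_text: str) -> dict:
    """Report which server-identity checks a PEAP client profile performs."""
    root = ET.fromstring(xml_text)
    sv = root.find(f".//{PEAP_NS}ServerValidation")
    def value(tag: str) -> str:
        el = sv.find(PEAP_NS + tag) if sv is not None else None
        return (el.text or "").strip() if el is not None else ""
    names = [n.strip() for n in value("ServerNames").split(";") if n.strip()]
    cas = [c.text.strip() for c in (sv.findall(PEAP_NS + "TrustedRootCA") if sv is not None else []) if c.text]
    result = {
        "pins_root_ca": bool(cas),
        "checks_server_name": bool(names),
        "user_can_click_through": value("DisableUserPromptForServerValidation").lower() != "true",
        "server_names": names,
        "findings": [],
    }
    if not result["pins_root_ca"]:
        result["findings"].append("no TrustedRootCA: any certificate chaining to any root in the machine trust store is accepted")
    if not result["checks_server_name"]:
        result["findings"].append("ServerNames empty: any server certificate issued under the trusted CA is accepted, whoever it names")
    if result["user_can_click_through"]:
        result["findings"].append("user prompt enabled: a certificate that fails validation is offered to the user to accept")
    return result

if __name__ == "__main__":
    for label, profile in (("CA only", CA_ONLY_PROFILE), ("CA + server names", PINNED_PROFILE)):
        print(label, "->", audit_peap(profile)["findings"] or ["issuing CA and server name are both checked"])
```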