802.1x
Protocols security (highest to lowest)β
| Protocol | Certificate Required | Mutual Authentication |
|---|---|---|
| EAP-TLS | Server and Client | Yes |
| PEAP | Server | Yes |
| EAP-TTLS | Server | Yes |
| LEAP | No | Yes |
| EAP-MD5 | No | No |
Server certificateβ
For Windows, the challenge response can be done using a domain user account or a computer account depending on the authentication mode. By default both are enabled.
In the default configuration of W10 the PEAP properties have the setting
Tell user if the serverβs identity canβt be verified.
Meaning that the user will be prompted to verify the certificate.
However, if Donβt ask user to authorize new servers or trusted CAs is setup it is not possible to retrieve the challenge response.
It is still possible to avoid the certificate prompt by using a Let's Encrypt certificate. It uses a CA trusted by Microsoft and it is the default configuration on Windows 10.
However, trusted CA list may be changed on the Windows host.
Client certificateβ
If the server certificate can be impersonnated, and there is a client certificate, it is possible to patch hostapd in order to not verify the validity of the client certificate.
Password Sprayβ
eaphammer --eap-spray -I <wlan0> -e <SSID> --user-list <userlist.txt> --password <password>