Despite the title of this blog, this is a not a “beat-up” on Aruba, and the questions I ask in this blog I would encourage you to ask of any Vendor’s onboarding solution, I pick Aruba as an example only.
I would like to start with a given: SSL Man-In-The-Middle Attacks via open public wireless networks are very easy to carry out with tools that are freely available on the internet. If this is news to you then see the link below. I will not be discussing the details of this attack in this blog.
http://www.youtube.com/watch?v=iDs1EAdY65g
Lets’ begin with the problems onboarding strives to fix: How do my employees connect to the corporate secure network on their personal devices, without occurring a significant administration and helpdesk overhead. 802.1x with EAP methods such TLS and PEAP have allowed corporately owned devices to connect securely to the network for a number of years. These methods bring with them a number of challenges such complex client configurations and the provisioning of digital certificates to the client devices. For corporate owned and managed devices these challenges can be overcome though a variety of methods, which lock down the wireless setting on the clients device with configuration changes and new certificates being pushed out though AD group policy or via an MDM solution.
When it comes to BYOD, getting certificates and the correct 802.1x configuration onto employee owned devices is a challenge that onboarding seeks to address through an automatic configuration process, without the involvement of the IT team.
Aruba’s ClearPass supports two onboarding methods: using two SSIDs or using a single SSID. I will take these two methods in turn.
Two SSIDS
An open SSID is used as a provisioning SSID, for initial connections. Employee’s would initially connect to this SSID and be redirected to a web portal where they would enter their AD credentials. Once authenticated the users will be prompted to download a small utility which will install certificates and configure the employee’s device to connect to a second secure SSID, on Apple ISO devices this process can be done over air without the installation of the configuration utility. Once configured the employees will connect to the secure SSID and be able to access the required network resources.
My concern with this method is: what is protecting the user’s AD credentials which are exchanged over the open SSID? The answer is that if the web portal is using HTTPS then it is SSL. As has already been stated at the beginning of the article, it is easy to perform an SSL Man-in-the-middle attack on an open SSID, by impersonating the provisioning SSID and hi-jacking authorised users. This attack will expose the users AD credentials to the attacker.
One SSID
Aruba also provides an alternative method where the same secure SSID is used for provisioning and access. With this method users can connect to the SSID using WPA2 802.1x/PEAP authentication using their AD credentials, they will then have their device provisioned for 802.1x/TLS connection to the same SSID. After provisioning they will connect using TLS certificate authentication. Although this option protects against the SSL Man-in-the-middle attacks highlighted above, it seems to nullify the benefits of using onboarding in the first place. When using PEAP you still need to provision the server-side certificate to the users, although this could be dealt with through the purchased of a certificate from a public certificate authority. Secondly you need the user to successfully configure their device for PEAP, ensuring they validate the service-side certificate, and not exposing them to a layer 2 man-in-the-middle attack.
Closing Remarks
I hope this article will encourage people to think about and question the systems they implement and to that end I close with the following questions and comments:
What about using WPA2-PSK for BYOD? If PSK is compromised an attacker could get access to your wireless network- Is this better or worse then your AD credentials being compromised? Once a PSK is compromised user traffic can be decrypted in real time potentially providing an attacker access to user’s AD credentials. Could using a PSK for the provisioning SSID be a nice compromise?
Can you detect/protect against wireless man-in-the-middle attacks? A good Wireless IDS system will be able to detect and in some cases protect against a wireless hi-jacking attack (the first step to compromising onboarding using an open SSID). It would therefore be recommended to consider an enterprise class WISP as part of an onboarding implementation.