I have a few questions to ask around here and they concern the security of a WPA2-Enterprise secured wireless network.
I have just bought myself a ZyAIR G2000 Plus wireless router and I have gone for this one because it has an inbuilt cut-down RADIUS server that supports 32 clients and I'm a bit paranoid about wireless networks in general.
Now from what I understand of WPA2 Enterprise, it consists of 2 parts: Association and Authentication. So there are 3 things that are needed to be able to use the network: a valid certificate, a username and a password.
I think if you forged the certificate you could still associate with the AP, but without the username and password you could not authenticate with RADIUS and therefore would not be able to access the network resources.
What I am asking is how secure is this setup. I know the most secure way is not to have wireless and to limit physical access to the network, but this is not a choice in my new flat as I won't be able to wire up the network points without getting a network engineer contractor to do it and paying through the nose (a term of my lease is that any electrical/plumbing or communication works have to be contracted out).
Also with the certificates there are 2 options: the first is to go to a CA like VeriSign and get one of theirs and pay lots of money, or the second is to use the inbuilt CA and make your own self-certified certificate.
How easy would it be for a malicious person to spoof the certificate for my AP?
One final note: I am NOT asking how to hack/crack WPA2-Enterprise, I just want to know if it's possible and how easy it is and if it's been done before.
I know WEP and WPA-PSK have been done and now anyone can do it with readily available software off the internet and minimum *nix knowledge.
Also I currently own a Netgear FVS124G router/firewall VPN box that I am replacing with this AP. Now I want to know: is there a way of rigging this up on the LAN side of the AP to act as a VPN server so that I could dial into my network and allow my sister access while she is at uni? I don't want to have to set up a dedicated VPN server; I would prefer if it was in some form of low-power embedded device (I know this is asking a lot).
After reading through those links it looks like WPA2 is very secure, and then combined with an authentication protocol like PEAP/RADIUS no one is going to get far.
The Wikipedia article doesn't really cover much about WPA2 Enterprise but I'm assuming it will use the same AES encryption protocol alongside the PEAP/RADIUS authentication.
So the weakest points will be the individual users' passwords and the pre-shared key if one is used.
And the certificate is hard to fake without knowing the things used to generate it, and if it's from an online CA then it's really hard to fake. Or am I looking at things the wrong way?
Cryptography is well over my head so I'm just pulling bits that I understand out of all of the acronyms and complicated bits.
This is what I love about this forum: you ask a question and you get an answer within a few hours, whereas my thread on the remote exploit forums that Qs linked to with the same question has been viewed 86 times and not one reply.