OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

Linus Lüssing linus.luessing at c0d3.blue
Sat Jun 22 14:51:45 PDT 2024


On Thu, Jun 20, 2024 at 11:46:58AM +0800, kinbell4 wrote:
> EAP-TLS does not need a trusted AP, the certificate will prevent a fake server,

EAP-TLS does need a trusted AP: If your RADIUS/TLS server
accepts any AP / RADIUS/TLS client with any client certificate
then I could set up my own rogue, MitM AP. Then in the final
RADIUS Accept message the RADIUS server would
send the pairwise-master-key to my rogue AP. And my
AP would now be able to see the decrypted frames
from/to the WiFi client. And would be able to see and potentially
manipulate what the WiFi client tries to access on the internet.

> your design requires the AP side to have the CCMP key, it is still the same problem,
> any internet traffic will also need to be decrypted before sending to WAN.
> 

The original idea was to have no keys on the AP.
The WiFi AP would not encrypt/decrypt the packets and would
just proxy the encrypted CCMP frames to some remote authenticator
which then would decrypt/encrypt instead. For the remote
authenticator to have the keys the AP would not only proxy the
encrypted payload but would also forward the EAPoL frames to the
remote authenticator. The remote authenticator would then run the
RADIUS client instead of the WiFi AP.
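
Added example, not part of the original post or of hostapd: a Python sketch of the WPA2 pairwise key derivation (HMAC-SHA1 PRF, CCMP), showing that whichever party receives the PMK from the RADIUS server derives the same CCMP temporal key as the WiFi client, while a keyless relay that only forwards EAPoL and CCMP frames cannot. All MACs, nonces, the PMK and the message bytes are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF over HMAC-SHA1: blocks of HMAC(key, label|0x00|data|i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Split the 384-bit CCMP PTK into KCK, KEK and TK (the CCMP frame key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}

def eapol_mic(kck, frame):
    """HMAC-SHA1-128 MIC over an EAPOL-Key frame whose MIC field is zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# Constructed sample values, not taken from any capture.
PMK = bytes(range(32))                       # stands in for the key from RADIUS Accept
AA = bytes.fromhex("020000000001")           # AP (BSSID) MAC
SPA = bytes.fromhex("020000000002")          # WiFi client MAC
ANONCE = hashlib.sha256(b"anonce").digest()  # sent in the clear in EAPOL-Key msg 1
SNONCE = hashlib.sha256(b"snonce").digest()  # sent in the clear in EAPOL-Key msg 2
MSG2 = b"constructed EAPOL-Key message 2 body"  # placeholder, not a real frame layout

def client_keys():
    return derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)

def remote_authenticator_keys(pmk_from_radius):
    # The remote authenticator ran the RADIUS client, so it holds the PMK.
    return derive_ptk(pmk_from_radius, AA, SPA, ANONCE, SNONCE)

def relay_can_verify(mic, guessed_pmk):
    # A keyless relay sees MACs, nonces and frames, but has no PMK to start from.
    kck = derive_ptk(guessed_pmk, AA, SPA, ANONCE, SNONCE)["kck"]
    return hmac.compare_digest(mic, eapol_mic(kck, MSG2))

if __name__ == "__main__":
    mic = eapol_mic(client_keys()["kck"], MSG2)
    print("TK match:", client_keys()["tk"] == remote_authenticator_keys(PMK)["tk"])
    print("relay verifies MIC without PMK:", relay_can_verify(mic, bytes(32)))
```

Everything except the PMK is visible to the relaying AP, so the trust decision reduces to which RADIUS client the server is willing to send the PMK to.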


