Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
850
Views
10
Helpful
5
Replies

Wireless security and scanning

Wesoley
Level 1
Level 1

‎03-31-2022 12:46 PM - edited ‎03-31-2022 02:16 PM

We have deployed our wireless setup - WLC 3504 -> AP3800 series -> Cisco ISE -> CORP-Wireless with Certificate. Everything is working as expected. However, our security engineer  has scanned using ''airmon-ng" scanning & logging all access point & client device broadcasts. He is was then able to gather details on the LDAP user and the specific OU where the user resides along with the PKI details -
ldap:///CN=CA,CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=com? Btw, I am using EAP-TLS for the authentication.

Is this normal that such details are in plaintext? What specific security parameter can be configured to mitigate this information sharing via a scan?

Labels:
0 Helpful
5 Replies 5

Wesoley
Level 1
Level 1

‎04-01-2022 01:52 AM

Seems like this is not an issue but it's a normal part of the EAP-Identity Response frame send by Supplicant and this outer identity is in cleartext.

 

0 Helpful

Flavio Miranda
VIP
VIP

‎04-01-2022 04:06 AM

  There is solution for that but the problem in Wi-Fi network is all the same: Client compatibilty.  You can enable MFP (Management Frame protection) and this will cryptographic managements frames between AP and Clients. The problem is that,most probably , your clients does not support MFP and if they dont and you enable it on the WLC, they will all drop from the network cause they will not undestand management frame anymore.

You can also play with wpa3 which is more secure then wpa2 but the same problem, your clients will not support it.

 

Wesoley
Level 1
Level 1
In response to Flavio Miranda

‎04-01-2022 05:32 AM

Hi @Flavio Miranda, thanks for the feedback. I did enable MFP (Management Frame protection) last night and this morning some clients were not able to connect. Windows 10 version 2004 supports WPA3 but I know it is mandatory to support MFP and client and AP has to negotiate it. Will have to do some testing and see.

0 Helpful

Flavio Miranda
VIP
VIP
In response to Wesoley

‎04-01-2022 05:45 AM

That´s great.  Honestly I never dare to enable this feature due clients incompatibility. The same for wpa3.

But, if you had the chance and can handle this situation inside the company, that´s greate and keep we posted.

0 Helpful

ammahend
VIP
VIP

‎04-01-2022 06:21 AM - edited ‎04-01-2022 06:25 AM

some of this information is also present in client certificate, you can get it simply by wireshark capture over air, see the example enclosed where one can see client information that you mentioned over wireless.

As other mentioned MFP and WPA3 will address some the issues related to protecting management frame exchange.

the information itself can not be used for authentication, but can certainly be useful for reconnaissance

 

client info from eap-tls capture.JPG

-hope this helps-
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card