MS-CHAP V2 and server certs

Posted by tweaked540@gmail.com on November 20, 2006, 9:23 am
I have a question about IAS, PEAP, MS-CHAP V2, and wireless. I am using
MS-CHAP V2 to authenticate PDAs on our wireless network. Because we are
using MS-CHAP V2, we are using AD credentials to authenticate the
clients. Everywhere I have read it states that we have to install the
server certificate onto the device. I have found a loophole though. Both
on the wireless PDA and laptops, we can choose not to validate the
server certificate. I can still authenticate to the IAS server
(wireless) but I have not installed the server cert onto the device
(because I have unchecked the validate server checkbox both in zero
config and the wireless application). This is my question: if we don't
validate the server and if we don't have the server cert, won't the
transmission of the user account and password be in clear text? Is there
a way on the IAS server to force the clients to have the server cert, or
they won't be authenticated?

Thanks,
Peter Kim


Posted by S. Pidgorny on November 21, 2006, 4:40 am
No, it won't. The decision not to validate the server certificate is kinda
self-explanatory: you risk submitting your credentials to an untrusted
(potentially malicious) access control server.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> I have a question about IAS, PEAP, MS-CHAP V2, and wireless. I am using
> MS-CHAP V2 to authenticate PDAs on our wireless network. Because we are
> using MS-CHAP V2, we are using AD credentials to authenticate the
> clients. Everywhere I have read it states that we have to install the
> server certificate onto the device. I have found a loophole though. Both
> on the wireless PDA and laptops, we can choose not to validate the
> server certificate. I can still authenticate to the IAS server
> (wireless) but I have not installed the server cert onto the device
> (because I have unchecked the validate server checkbox both in zero
> config and the wireless application). This is my question: if we don't
> validate the server and if we don't have the server cert, won't the
> transmission of the user account and password be in clear text? Is there
> a way on the IAS server to force the clients to have the server cert, or
> they won't be authenticated?
>
> Thanks,
> Peter Kim
