Server Certificate Validation

 

You have secured your wireless network. You use WPA2-Enterprise for encryption with 802.1X to authenticate your users. Each user has a strong, unique password and knows better than to write it on a sticky note next to his or her monitor. The RADIUS server is connected to the IDP and everything is encrypted so nobody can listen in on your conversations or read your data. Your network is secure, right?

Unfortunately, there’s still a final precautionary step to prevent over-the-air credential theft: Server Certificate Validation. A common method of stealing authentication data is credential farming through a Man-In-The-Middle attack.

https://www.securew2.com/wp-content/uploads/2019/03/Over-the-Air-Credential-Theft.png

Over-The-Air Attacks Are Fast and Effective

A common method of stealing authentication data is credential farming through a Man-In-The-Middle attack, a specific type of over-the-air attack. An attacker who is determined to gain unauthorized access to your network need only set up an imitation SSID near your network or a location where organization members meet. Once the imitation SSID is configured, they simply sit back and watch as users unknowingly connect to the wrong network and send their credentials straight to the attacker.

Users have no idea they have been tricked and the attacker can gain multiple credentials sets in  minutes. Even if passwords are encrypted, there are numerous tools available to the public that will quickly decrypt them. So how can attackers be prevented from farming credentials from the beginning?

Preventing Authentication Theft

Server certificate validation is a foolproof process that guarantees users will never send their authentication information to the wrong SSID. At the beginning of the authentication process, the RADIUS server and user device will communicate with one another and perform a cryptographic handshake, during with the RADIUS will present a server certificate. If the certificate is recognized as legitimate by the device, it knows that it is sending their authentication data to the correct place.

To enable server certificate validation requires the use of a Public Key Infrastructure (PKI) to distribute a certificate to the RADIUS. There are 3 primary options for obtaining a server certificate.

  1. Use a server certificate from a Public Certificate Authority (CA), such as Verisign, Thawte, or GoDaddy.
  2. Manually create a self-signed certificate and place it on the RADIUS.
  3. Employ a 3rd party Private CA vendor to create a certificate authority specifically for your network.

While all three require the network admin to configure the RADIUS and equip it with a server certificate, the real difficulty lies in end user configuration. The process requires manually configuring the CA or installing the certificate, setting options to verify the certificate, entering the domain of the trusted RADIUS server, and more. The steps also vary between different devices and OS, which is a given in any complex network environment.

man in black jacket sitting on brown wooden chair

Requiring the end user to configure their device for server certificate validation is asking for endless lines at the IT helpdesk. Even with a comprehensive setup guide, users will be confused by the high level process. Not to mention, asking IT to configure users’ devices is a monumental task that directs them away from value-add activities.

The JoinNow Solution

When it comes to simplifying certificate configuration, SecureW2 is second to none. SecureW2’s JoinNow MultiOS technology enables end users to easily self-configure in minutes. There’s no lengthy configuration guide or going into the settings. JoinNow shortens the process to a few clicks and entering IDP credentials. Once completed, users are automatically configured to your network’s specifications.

The JoinNow solution is vendor-neutral and easy to use for admins and end users. The added security is non disruptive to the day-to-day use of your network and adds invaluable protection against over-the-air attacks. Check out SecureW2’s pricing page to see if the JoinNow solution could secure your network.