Wifi Security

As of January 2015, Virginia Tech offers several ways to connect to wifi:

VT-Wireless Encryption

VT-Wireless supports two methods of connection: PEAP-MSCHAPv2 with a network password and EAP-TLS with certificates.

The instructions provided for setting up both methods do not configure your device to properly validate the TLS server certificate. In some situations, such as on Android, it is not possible to configure proper validation at all, while on other platforms it requires additional setup which is not documented by CNS. Failure to set up this proper validation means that the access points you connect to are not properly authenticated, so anyone can set up a rogue “VT-Wireless” access point and use it to conduct a man-in-the-middle attack on your traffic. If done properly, this will be completely transparent to you.

In the case of PEAP-MSCHAPv2, where you use your PID and network passphrase to authenticate, this lack of authentication also means that anyone who has set up a rogue access point can conduct attacks to recover your network passphrase, allowing someone to impersonate you on both wifi and the VPN. Although MSCHAPv2 is supposed to protect against this, design flaws in the protocol render the protections it claims to provide useless. Some of the attacks on MSCHAPv2 are detailed below.

Best Practice Recommendations

Due to the severe MSCHAPv2 vulnerabilities, users are urged to set up certificates for authentication. Instructions for doing so on Linux are available on VTLUUG's wiki, and CNS directly supports Windows and OS X.
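As an added example (not part of this page, CNS's instructions, or the VTLUUG wiki setup), the following Python script audits wpa_supplicant network blocks for exactly the gap described above: an EAP network with no ca_cert, or with a CA but no check on the RADIUS server's name, so any access point can pass authentication. The CA path and server name in the sample are placeholders, not VT's real values.

```python
import re

# Constructed wpa_supplicant.conf sample (placeholder paths/names, not VT's).
# Block 1 is the "no server validation" pattern; block 2 pins CA and server name.
SAMPLE_CONF = '''
network={
    ssid="VT-Wireless"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="network-passphrase"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="VT-Wireless"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    client_cert="/home/user/vt-client.pem"
    private_key="/home/user/vt-client.key"
    domain_suffix_match="radius.example.edu"
}
'''
# Any one of these pins the server identity once ca_cert is set.
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    # One dict per network={...} block; quotes stripped from values.
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, val = line.partition("=")
            net[key] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    # Findings for one 802.1X (WPA-EAP) block; non-EAP blocks yield none.
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted (rogue AP MITM)")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from that CA is accepted")
    if findings and net.get("eap") == "PEAP" and net.get("phase2", "").endswith("MSCHAPV2"):
        findings.append("PEAP-MSCHAPv2 passphrase exchange exposed to a rogue AP")
    return findings

def audit_conf(conf):
    return [(n.get("ssid"), n.get("eap"), audit(n)) for n in parse_networks(conf)]
```

Running audit_conf(SAMPLE_CONF) reports three findings for the PEAP block and none for the EAP-TLS block; the same check applies to a PEAP block once ca_cert and a name match are added.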