The key link in this chain then is the mutual authentication between the RADIUS server and the wireless client, vonNagy says. The client must properly validate the RADIUS server certificate first, prior to sending its credentials to the server.
And therein lies the potential vulnerability. If the client fails to properly validate the server, then it may establish an MS-CHAPv2 session with a fake RADIUS server and send its credentials along, which could then be cracked using the exploit that was shown at Defcon, says vonNagy. This is a classic man-in-the-middle attack, with the attackers inserting their RADIUS server in the middle of a conversation between the client and the user database store (typically a directory server).
So the critical thing is to ensure that the client properly validates the RADIUS server. This is done via trusted certificates, deployed either by the client platform vendor and PKI systems such as Entrust, Thawte, Verisign and others, or by network administrators using tools such as Microsoft Group Policy Objects, Apples Lion Server Profile Manager for OS X clients or iPhone Configuration Utility for iOS clients.
What vonNagy then focuses on is enabling Microsoft and Apple clients to accept specific trusted certificates and no others, while at the same time blocking them from manually accepting untrusted certificates. For example, when an Apple iPhone tries to associate to a Wi-Fi access point -- and no profile has been deployed to the client for that SSID -- the user receives an onscreen prompt that declares the server as not verified but then offers a button to accept the connection and proceed anyway.
This is likely not ideal, since users typically have a hard time distinguishing what a certificate means and whether or not they should proceed, vonNagy says, with classic understatement.
Instead, for corporate networks with 802.1X authentication deployed, all clients including personally owned devices, should be loaded with a profile for each 802.1X SSID that the user will need, vonNagy recommends. Then, if the client is presented with an untrusted certificate, the connection will be rejected automatically. On the iPhone, for example, a popup informs the user Unable to join Network Aruba1X and presents only a Dismiss button to cancel the popup.
Don't fall into the trap for BYOD of letting users connect on their own and try to decipher the certificate prompt, vonNagy warns. Establish a sound personal device on-boarding process which deploys a configuration profile to the device upon successful enrollment and policy acceptance. There are numerous ways to do this, ranging from simple solutions such as sending them a profile in an email or providing a web URL where users can download the profile, to more complex solutions such as MDM integration that allow self-registration and zero IT involvement.