new prism (connexant)

Derek Schuff schuffdl at ornl.gov
Tue Jun 15 11:36:04 EDT 2004


This is possible; however, I think this is a problem endemic to 802.11, since
802.11 management frames are unauthenticated, allowing spoofing of not only
EAPOL logoff frames, but 802.11 disassociate frames as well. This is one
reason everyone says to never use WLAN as critical infrastructure. I think
this was also how the (in)famous LEAP dictionary attack was mounted: spoof
the EAP logoff, then sniff the password hash when the client has to log back
on.
In the wired world, maybe you could make your switch smart enough to check the
existing bridge table and drop EAPOL logoff frames that don't come from the
right switch port, or something like that.

On Tuesday 15 June 2004 09:35 am, Denis Vlasenko wrote:
> On Tuesday 15 June 2004 11:41, Jim Thompson wrote:
> > On Jun 14, 2004, at 8:52 PM, Luis R. Rodriguez wrote:
> > > On Mon, Jun 14, 2004 at 10:22:53AM +0300, Sergey Basmanov wrote:
> > >> Hello,
> > >> Who knows if the new prism chips
> > >> (http://www.conexant.com/products/entry.jsp?id=28) are compatible with
> > >> hostap?
> > >> If any, which cards use these chips?
> > >> I've searched all local stocks for any prism-based card that is
> > >> compatible with hostap, but without any success.
> > >>
> > >> Thank You.
> > >
> > > For prism GT see http://prism54.org
> > >
> > > AP support is available. WEP AP support is available, WPA is in the
> > > works (it will use wpa_supplicant from hostap project).
> >
> > Yes, but what about WPA as an AP (or even 802.1x as an AP)?
>
> Isn't 802.1X fatally flawed?
>
> 802.1X-2001.PDF:
>
> <quote>
> 7.9 Use of EAPOL in shared media LANs
>
> The use of individual MAC addresses with EAPOL (7.8)
> permits the use of EAPOL in shared media LAN environments,
> and in particular, this has been allowed in order to support
> the use of Port-based Network Access Control in IEEE 802.11
> wireless LAN infrastructures. However, it should be noted that
> such use can only be made secure if communication between the
> Supplicant and Authenticator systems takes place using a secure
> association. Attempting to use EAPOL in a shared medium environment
> that does not support the use of secure associations renders
> Port-based network access control highly vulnerable to
> attack; for example, station A can mount a successful
> denial of service attack on station B simply by issuing
> an EAPOL-Logoff packet using station B's individual MAC address.
> </quote>
>
> For me, it translates into:
> "802.1X is useless for wired LANs and 802.11"
> Am I missing something?
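
The wired-side check suggested at the top of this message (drop EAPOL logoff frames that arrive on a port other than the one the bridge table has learned for that MAC), written out as an added example that is not code from the thread or from HostAP. The function names, the verdict strings, and the sample MAC address and port numbers are assumptions made for illustration.

```python
import struct

ETH_P_PAE = 0x888E     # EtherType for EAPOL (IEEE 802.1X)
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
EAPOL_LOGOFF = 2       # EAPOL types: 0 EAP-Packet, 1 Start, 2 Logoff, 3 Key

def parse_eapol(frame):
    """Return (source MAC, EAPOL packet type), or None if not EAPOL."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q:          # skip a single VLAN tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    # EAPOL header: version (1), packet type (1), body length (2)
    if ethertype != ETH_P_PAE or len(frame) < offset + 4:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    return src, frame[offset + 1]

def filter_frame(frame, ingress_port, bridge_table):
    """Verdict for one frame: 'ignore' (not EAPOL), 'accept' or 'drop'."""
    parsed = parse_eapol(frame)
    if parsed is None:
        return "ignore"
    src, ptype = parsed
    if ptype != EAPOL_LOGOFF:
        return "accept"
    # A logoff is honoured only from the port where this MAC was learned.
    return "accept" if bridge_table.get(src) == ingress_port else "drop"

def sample_frame(src, ptype, vlan=None):
    """Constructed test input: minimal EAPOL frame to the PAE group address."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return (bytes.fromhex("0180c2000003") + bytes.fromhex(src.replace(":", ""))
            + tag + struct.pack("!HBBH", ETH_P_PAE, 1, ptype, 0))

# Constructed bridge table: MAC address -> learned switch port.
SAMPLE_TABLE = {"02:00:00:00:00:0b": 3}

if __name__ == "__main__":
    logoff = sample_frame("02:00:00:00:00:0b", EAPOL_LOGOFF)
    for port in (3, 7):
        print(port, filter_frame(logoff, port, SAMPLE_TABLE))
```

This only helps where each station sits behind its own switch port; on a shared medium such as 802.11 there is no per-port ingress to compare against, which is the situation the quoted clause 7.9 describes.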


