On Wed, 13 Feb 2008 12:35:43 -0500, BrettMcClellan
<(E-Mail Removed)> wrote:
>Scenario - Windows 2000 Domain called ABC.com using IAS policies with
>PEAP authentication.
OK.
>Question - Does the authentication of a wireless client go as deep as
>the SID of the client to authenticate? Or just the computer and user
>account info?
No SID is used, which would authenticate the machine, not the user.
IAS is Microsoft's implimentation of RADIUS authentication.
<http://technet2.microsoft.com/windowsserver/en/library/e9a30a60-7f8b-435f-b210-d47c3b7ecb961033.mspx?mfr=true>
There's a sample transaction that gives an idea of what gets sent. It
varies by the type of connection.
>Could somebody create a domain the same as ABC.com and join their
>laptop to that domain using the same computer name, username and
>password as a computer on the real ABC.com domain. Then go into the
>building of ABC and get authenticated successfully onto the real ABC.com
>wireless network?
No. Authentication would fail at the RADIUS authenticator and MS-CHAP
challenge steps. What's missing is that the spoofed client does not
have a valid certificate. See above URL under "authentication
process". Note that the SID (system ID) is used with AD (Active
Directory) forests, which you're probably not running on W2K server.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
(E-Mail Removed)
#
http://802.11junk.com (E-Mail Removed)
#
http://www.LearnByDestroying.com AE6KS
Similar Threads
Linear Mode
