WPA and DHCP

Hi,

Wonder if anyone can help.

On our office network (Active Directory, DHCP, DNS etc) we have three
NETGEAR WN802T used as
access points for laptops onto the network. These AP's are secured
using WPA-PSK with a long and
complicated key, and they have had default ssid's, passwords etc
changed.
Looking through DHCP on the Server I noticed two address leases from
computers outside our domain.

Trying to narrow down the likely culprits, I wonder is it likely to be
someone with access to the WPA key
or is WPA still not secure enough to stop unauthorized access?

Question: Should WPA stop the DHCP server offering leases through the
Access points?

Any help much appreciated.

Alister.

On 13 Apr 2007 06:09:28 -0700, "Alister" <alister.gcs@hotmail.co.uk>
wrote in <1176469768.759260.89010@d57g2000hsg.googlegroups. com>:

>Wonder if anyone can help.
>
>On our office network (Active Directory, DHCP, DNS etc) we have three
>NETGEAR WN802T used as
>access points for laptops onto the network. These AP's are secured
>using WPA-PSK with a long and
>complicated key, and they have had default ssid's, passwords etc
>changed.
>Looking through DHCP on the Server I noticed two address leases from
>computers outside our domain.
>
>Trying to narrow down the likely culprits, I wonder is it likely to be
>someone with access to the WPA key
>or is WPA still not secure enough to stop unauthorized access?

WPA is still secure with a strong passphrase.
Might they have been wired to your network?

>Question: Should WPA stop the DHCP server offering leases through the
>Access points?

Yes. Your passphrase might have been compromised, or those might be old
leases. Suggest you clear the DHCP server, change your key
(passphrase), and see what happens. And consider switching to RADIUS,
thereby avoiding the problems of a shared key.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

"Alister" <alister.gcs@hotmail.co.uk> hath wroth:

>On our office network (Active Directory, DHCP, DNS etc) we have three
>NETGEAR WN802T used as
>access points for laptops onto the network. These AP's are secured
>using WPA-PSK with a long and
>complicated key, and they have had default ssid's, passwords etc
>changed.
>Looking through DHCP on the Server I noticed two address leases from
>computers outside our domain.

DHCP from the server acts quite differently than a DHCP in a wireless
router. If the DHCP server were located in the wireless router, then
a DHCP lease would NOT be issued to any random wireless client that
has not successfully exchanged WPA encryption keys and survived
authentication (802.1x). Therefore, you should not see any unusual or
unauthorized wireless clients (if the DHCP server were on the wireless
router.

However, your DHCP server is in the Windoze server (assumed 2003) and
will issue DHCP leases to literally anything that plugs into the
network. That can be laptops, PDA's, game machines, network printers,
and just about anything that can play DHCP client. It also includes
wireless clients, but only after they have exchanged WPA keys and
authenticated.

>Trying to narrow down the likely culprits, I wonder is it likely to be
>someone with access to the WPA key
>or is WPA still not secure enough to stop unauthorized access?

Zero. It's something local on your network. Grab the MAC addresses
from the log file and paste them into:
<http://coffer.com/mac_find/>
My guess(tm) is that you'll find that it's a printer manufacturer or
something equally mundane.

>Question: Should WPA stop the DHCP server offering leases through the
>Access points?

Yes. WPA is you first, main, and best line of wireless security. If
you're truely paranoid, and have a suitable Windoze Server 2003 or
Linux server, then setup RADIUS athentication. That will give you a
unique WPA key for each user and each session so that there's no
chance that a shared WPA key leaks out to the world.

Incidentally, it's VERY easy for users to decrypt the WPA key on a
client computer, making the security of such shared key systems to be
rather lacking.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Alister wrote:
> Hi,
>
> Wonder if anyone can help.
>
> On our office network (Active Directory, DHCP, DNS etc) we have three
> NETGEAR WN802T used as
> access points for laptops onto the network. These AP's are secured
> using WPA-PSK with a long and
> complicated key, and they have had default ssid's, passwords etc
> changed.
> Looking through DHCP on the Server I noticed two address leases from
> computers outside our domain.
>
> Trying to narrow down the likely culprits, I wonder is it likely to be
> someone with access to the WPA key
> or is WPA still not secure enough to stop unauthorized access?
>
> Question: Should WPA stop the DHCP server offering leases through the
> Access points?
>
> Any help much appreciated.
>
> Alister.
>
You would be much better off using RADIUS server instead of the PSK method.

On 13 Apr, 20:59, George <geo...@nospam.invalid> wrote:
> Alister wrote:
<snip>

Thank you to all of you for your replies,

It turns out to have been a laptop one of our users smuggled in, and
it was a wired connection.

Just to show my complete iggerance of new fangled stuff, we run an
exclusively windoze 2000
domain, so does that affect whether we can run a RADIUS server?

Thank you again for your information

Alister

On Apr 13, 4:26 pm, "Alister" <alister....@hotmail.co.uk> wrote:
> On 13 Apr, 20:59, George <geo...@nospam.invalid> wrote:> Alister wrote:
>
> <snip>
>
> Thank you to all of you for your replies,
>
> It turns out to have been a laptop one of our users smuggled in, and
> it was a wired connection.
>
> Just to show my complete iggerance of new fangled stuff, we run an
> exclusively windoze 2000
> domain, so does that affect whether we can run a RADIUS server?
>
> Thank you again for your information
>
> Alister

Short answer: yes. Better answer: DAGS on something like
["windows 2000 server" radius] and sort through 150K hits.

Lotsa good books on the subject. Mark Minasi's come to mind,
for NT family server config. Mark even provided howto for setting
up such a service before MS named it "RADIUS" for "Remote
Authentication Dial-In User Service."

Except for quickie kludges, there's really no substitute for RTFM.

HTH,
J

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message

How do you reconcile this:

> WPA is you first, main, and best line of wireless security.

With this:

> Incidentally, it's VERY easy for users to decrypt the WPA key on a
> client computer, making the security of such shared key systems to be
> rather lacking.

Curious to see your response.

<barry@sme-online.com> wrote in message
> Except for quickie kludges, there's really no substitute for RTFM.

Too bad, isn't it, that Microsoft has never been big themselves on issuing
FM's, huh?

"Maxwell Edison" <majoringin@medicine.com> hath wroth:

>"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
>
>How do you reconcile this:
>
>> WPA is you first, main, and best line of wireless security.
>
>With this:
>
>> Incidentally, it's VERY easy for users to decrypt the WPA key on a
>> client computer, making the security of such shared key systems to be
>> rather lacking.
>
>Curious to see your response.

Easy. WPA encryption cannot easily be decrypted (key recovery) by
sniffing traffic over the air. None of the techniques that work so
well with WEP encryption will work with WPA. However, that doesn't
secure the key from physical attack.

There are two basic types of WPA encryption. WPA-PSK and WPA-RADIUS.
Over the air, they look identical. What's different is that WPA-PSK
(pre-shared key) has a common static key for all users on the system.
The key is inscribed into the access point or wireless router on
initial installation and usually left in place forever. The key is
also inscribed into all the client computers and saved in an encrypted
form so that it allegedly cannot be recovered. Well, that is the
basic idea, but as usual, the evil bad guys are very close behind the
security curve. The WPA key is saved in the Windoze registry and can
be recovered with WZCook and others:
<http://www.aircrack-ng.org/doku.php?id=tools>
If I can get my hands on just one of the wireless clients long enough
to either extract the registry entries or run one of several WPA
recovery programs, I will have the WPA key. Once I have the WPA key,
it's quite easy to decrypt all the past captured traffic and perhaps
browse the network looking for machines to compromise.

The key security problem is solved by using WPA-RADIUS. There is no
common shared key with WPA-RADIUS. The WPA key is generated during
the initial connection and the individual authorization and
authentication cerimony. The key is unique for both the session and
the user. It is also a maximum strength key (dependent on the random
rubbish key generator in the RADIUS server). If one key is somehow
leaked, it is useful only for decrypting the session in which it was
used. It cannot be used to decrypt other users traffic or re-used for
a later session. In other words, WPA-RADIUS doesn't have the common
key security problems of WPA-PSK.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Mon, 16 Apr 2007 11:38:27 -0400, "Maxwell Edison"
<majoringin@medicine.com> wrote in
<462398a2$0$9914$4c368faf@roadrunner.com>:

><barry@sme-online.com> wrote in message
>> Except for quickie kludges, there's really no substitute for RTFM.
>
>Too bad, isn't it, that Microsoft has never been big themselves on issuing
>FM's, huh?

It actually did in the past -- the doc set for Microsoft C used to fill
a very big box. Now there's even more material freely published by
Microsoft online.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>