Background & Vulnerability Client (Supplicant) AP (Authenticator) Radius Auth Server Associate + EAP Key Exchange w/ Server Cert User Auth inside TLS Send MPPE Key Send encryption Keys Sniff packets. Wired risky, wireless undetectable. VLAN separation does not mitigate sniffing. Radius key known or attacked offline, see draft. Wireless data decryption, can be offline. |