Attack Methodology Adversary captures request and response authenticators Mounts brute-force/dictionary attack against secret Adversary uses secret to: Forge Access-Accept frames Decrypt MPPE for EAP keys Response Auth = MD5(code + id + len + request auth + attributes + secret) |