9800 – Decrypt 802.1X Traffic

If you read my previous post on PCAP with the 9800, you may already know that you can decrypt 802.1X traffic (for a client connected to a 9800-managed AP) when you take a packet capture on the 9800 itself (on the trunk ports that connect to the switch). However, if you take an over-the-air capture, it is very difficult to obtain the MSK (Master Session Key) from the RADIUS server to decrypt it. If you read this blog post by WiFiNinja, you will understand the work involved in getting those MSKs to decrypt traffic; it is a bit of work.

If you have a Cisco 9800, you can obtain the MSK for a given client (one that connects to a 9800-managed AP) very easily. You only need to take a RadioActive (RA) trace for that wireless client's MAC address while capturing the over-the-air PCAP. If you take the PCAP from the WLC (Troubleshooting -> Packet Capture), you will natively see the client traffic decrypted. However, in a FlexConnect local-switching scenario the client traffic does not go to the WLC, so you may still want to decrypt an over-the-air PCAP for a given client.

Below is my test topology for this post: my client (Pix3) connecting to a Cisco 9117 AP (local mode) on CH132-40MHz on the MRNX SSID.

You can simply enable an RA trace for the given client MAC address as shown below (start the trace, reproduce the client connection, stop it, then write the log to bootflash and copy it off the box):

debug platform condition feature wireless mac 3293.de03.1619
debug platform condition start
.
.
debug platform condition stop
show logging profile wireless start last 30 minutes to-file bootflash:ratr-pix3-mrnx-1.txt
copy flash:ratr-pix3-mrnx-1.txt ftp://192.168.99.100

The over-the-air PCAP was taken using a Jetson Nano; here (nano-pix3-mrnx-1.pcapng) is the file for your reference. Here is the traffic flow filtered for the client MAC address and excluding control frames (Wireshark display filter: wlan.addr == 32:93:de:03:16:19 && not wlan.fc.type == 1). If you look at Frame No 305, you will see encrypted data, which is expected.

Since we took an RA trace for this client's MAC address, it includes all the details of this conversation. Because the RADIUS server passes the MSK to the WLC (as the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes in the Access-Accept), you can extract it from the trace very easily. You can either save the trace file and search it for eap-msk, or search it without saving the file to bootflash. Below shows the second option.

C9800-1#show logging profile wireless start last 5 minutes | in eap-msk 
2022/08/31 21:43:38.324877 {wncd_x_R0-0}{1}: [aaa-attr-inf] [18107]: (info): Applying Attribute :              eap-msk   0 a1 07 cd 97 19 51 3d c9 28 0e 3b 45 f7 f2 4f 17 3a 5f 57 91 e3 b5 6e 1b 8a a0 1a ad 40 40 07 42 bf 09 dc 24 07 78 bc 8a d2 38 c2 e3 4b e0 cf f0 23 64 ac 10 19 1e e0 8a ed 84 98 0b 48 11 9d dd 
2022/08/31 21:43:38.326117 {wncd_x_R0-0}{1}: [aaa-attr-inf] [18107]: (info): Applied User Profile:             eap-msk   0 a1 07 cd 97 19 51 3d c9 28 0e 3b 45 f7 f2 4f 17 3a 5f 57 91 e3 b5 6e 1b 8a a0 1a ad 40 40 07 42 bf 09 dc 24 07 78 bc 8a d2 38 c2 e3 4b e0 cf f0 23 64 ac 10 19 1e e0 8a ed 84 98 0b 48 11 9d dd 
2022/08/31 21:45:48.792474 {IOSRP_R0-0}{1}: [parser_cmd] [32119]: (note): id= 192.168.129.102@vty0:user=rasika cmd: 'show logging profile wireless start last 10 minutes | in eap-msk' SUCCESS 2022/08/31 21:45:37.681 AEST

Copy that value (remove the spaces) and apply it in Wireshark under Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys, with key type msk, as shown below. Make sure "Enable decryption" is ticked and that the capture includes the client's 4-way handshake: Wireshark takes the PMK from the MSK, but it still needs the ANonce and SNonce from the EAPOL-Key frames to derive the PTK, so a capture that missed the handshake will stay encrypted. Note also that anyone holding this MSK together with the capture can decrypt the entire session, so treat the trace file as a secret (the copy command above moves it over cleartext FTP).

Now if you go back and check the same frame again, you will see it is a DHCP Request message. Everything has been decrypted for this client.
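As an added example (not code from the original post), here is a small Python script that pulls the eap-msk value out of a saved RA trace, strips the spaces to give the string Wireshark expects, and then does by hand what Wireshark's msk key type does internally: it takes the first 256 bits of the MSK as the PMK, derives the PTK from the two MAC addresses and the ANonce/SNonce of the 4-way handshake (PRF-384 on HMAC-SHA1, as WPA2 uses with AKM 00-0F-AC:1), and checks the MIC on an EAPOL-Key message 2. The trace lines embedded in the script are the two eap-msk lines shown above; the AP MAC, client MAC, nonces and the EAPOL frame in the demo are constructed for the example. It also shows why the 4-way handshake has to be in the capture: the MSK alone does not give you the CCMP temporal key.

```python
import hashlib
import hmac
import re

# The two eap-msk lines printed in the post, embedded here as sample input
# (constructed fixture: nothing else from the RA trace is reproduced).
SAMPLE_TRACE = """\
2022/08/31 21:43:38.324877 {wncd_x_R0-0}{1}: [aaa-attr-inf] [18107]: (info): Applying Attribute :              eap-msk   0 a1 07 cd 97 19 51 3d c9 28 0e 3b 45 f7 f2 4f 17 3a 5f 57 91 e3 b5 6e 1b 8a a0 1a ad 40 40 07 42 bf 09 dc 24 07 78 bc 8a d2 38 c2 e3 4b e0 cf f0 23 64 ac 10 19 1e e0 8a ed 84 98 0b 48 11 9d dd 
2022/08/31 21:43:38.326117 {wncd_x_R0-0}{1}: [aaa-attr-inf] [18107]: (info): Applied User Profile:             eap-msk   0 a1 07 cd 97 19 51 3d c9 28 0e 3b 45 f7 f2 4f 17 3a 5f 57 91 e3 b5 6e 1b 8a a0 1a ad 40 40 07 42 bf 09 dc 24 07 78 bc 8a d2 38 c2 e3 4b e0 cf f0 23 64 ac 10 19 1e e0 8a ed 84 98 0b 48 11 9d dd 
"""

# "eap-msk", one flag/index field, then exactly 64 space-separated hex bytes (a 512-bit MSK)
MSK_RE = re.compile(r"eap-msk\s+\S+\s+((?:[0-9a-fA-F]{2}\s+){63}[0-9a-fA-F]{2})")


def extract_msks(trace_text):
    """Return every MSK logged in an RA trace as 64 raw bytes; .hex() is the string Wireshark wants."""
    return [bytes.fromhex(m.replace(" ", "")) for m in MSK_RE.findall(trace_text)]


def pmk_from_msk(msk):
    """WPA2-Enterprise (AKM 00-0F-AC:1): the PMK is the first 256 bits of the MSK."""
    return msk[:32]


def prf_sha1(key, label, data, nbytes):
    """IEEE 802.11 PRF-n on HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 48)
    # KCK signs the EAPOL-Key frames, KEK wraps the GTK, TK is the CCMP key for data frames
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor before the Key MIC field


def eapol_key_mic(kck, frame):
    """Key Descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_key_mic(kck, frame):
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_eapol_msg2(kck, snonce, replay_counter=1):
    """Constructed 4-way handshake message 2 (empty Key Data for brevity), MIC'd with the KCK."""
    body = (
        b"\x02"                              # Descriptor Type: RSN
        + b"\x01\x0a"                        # Key Info: MIC set, Pairwise, descriptor version 2
        + b"\x00\x00"                        # Key Length (0 in message 2)
        + replay_counter.to_bytes(8, "big")
        + snonce                             # Key Nonce (32 bytes)
        + b"\x00" * 16                       # Key IV
        + b"\x00" * 8                        # Key RSC
        + b"\x00" * 8                        # Reserved
        + b"\x00" * 16                       # Key MIC (filled in below)
        + b"\x00\x00"                        # Key Data Length
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    msk = extract_msks(SAMPLE_TRACE)[0]
    print("Wireshark msk key:", msk.hex())
    # Constructed values standing in for the AP BSSID, client MAC and the handshake nonces
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("3293de031619")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(pmk_from_msk(msk), aa, spa, anonce, snonce)
    msg2 = build_eapol_msg2(ptk["kck"], snonce)
    print("message 2 MIC valid:", verify_eapol_key_mic(ptk["kck"], msg2))
    print("CCMP TK:", ptk["tk"].hex())
```

Run it against the text file saved from show logging profile wireless and paste the printed hex into the Wireshark key field. The MIC check is the same test Wireshark applies to the captured message 2 before it trusts a derived PTK, so if your MSK or nonces are wrong you will see it fail there rather than as silently undecrypted data frames. The derivation above is the plain WPA2-CCMP case; 802.11r (FT) and the WPA3-Enterprise 192-bit suite derive their keys differently and are not covered by this script.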

I accessed an HTTP website that you should be able to see in this packet capture. Go and find which unsecured website I visited once I connected to my SSID.

This is how you can easily decrypt an over-the-air capture taken for a wireless client connected to a 9800-managed AP (Flex or Local mode). Hope you enjoy seeing some decryption of your 802.1X traffic 🙂

Here are some useful references:
1. Wireshark & FreeRADIUS config to decrypt 802.1X