Decrypt Over-the-Air Packet Captures in 802.1X SSIDs

Introduction

This document describes how to decrypt Over-the-Air Packet Captures for 802.1X WLANs with troubleshooting tools available on the Catalyst 9800 WLC.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• How to configure an 802.1X WLAN in the Catalyst 9800 WLC
• How to take Radioactive Traces with conditional debugging enabled in the Catalyst 9800 WLC
• How to take Over-the-Air Packet captures using either an Access Point in Sniffer Mode or a Macbook with its Wireless Diagnostics tool

Components Used

The information in this document is based on these software and hardware versions:

• Catalyst 9800-L WLC, Cisco IOS® XE Cupertino 17.9.3
• Catalyst 9130AXE Access Point in Sniffer mode
• Cisco ISE Version 3.3
• Wireshark 4.0.8

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Once an identity is validated through EAP+8021X, wireless traffic is encrypted using the Pairwise Transient Key (PTK) generated from handshake between the supplicant and the authenticator, which uses the Pairwise Master Key (PMK) to be calculated. This PMK is derived from the Master Session Key (MSK). The MSK is included in the Attribute Value Pairs of the RADIUS Access-Accept Message (encrypted using the RADIUS Shared Secret). As a result, traffic can’t be transparently seen in an Over-the-Air packet capture, even if the four-way handshake gets intercepted by a third party.

Typically, the generation of the PMK implies packet captures being taken in the wired network, knowledge of the RADIUS Shared Secret and some coding to extract the values of interest. Instead, with this method, one of the tools available to troubleshoot on the Catalyst 9800 WLC (Radioactive Traces) is used to obtain the MSK, which then can be used in any well-known packet analysis tool, such as Wireshark.

Note: This procedure only works for WPA2 since the information needed to calculate the Pairwise Transient Keys (PTK) is exchanged over the air through the 4-way handshake. Instead, in WPA3, Simultaneous Authentication of Equals (SAE) is performed through what is known as the Dragonfly handshake.

Configure

Step 1. Start the Radioactive Trace of the Endpoint of Interest

On your Catalyst 9800 WLC, go to Troubleshooting > Radioactive Traces and click on the Add button to type the MAC address of the device whose traffic is to be decrypted.

MAC Address added to the Radioactive Traces List

Once you’ve added it, make sure to click on the Start button at the top of the list to enable Conditional Debug. This allows you to see the information exchanged in the data plane (the MSK is here).

Device added to the radioactive trace list with conditional debug enabled.

Note: If you don’t enable Conditional Debugging, only traffic in the control plane can bee seen, which does not include the MSK. Refer to the Conditional Debugging and Radioactive Tracing section of the Debug & Log Collection on the Catalyst 9800 WLC Troubleshooting document for further information on this.

Step 2. Obtain an Over-the-Air Packet Capture

Start the Over-the-Air packet capture and connect your endpoint to the 802.1X WLAN.

You can obtain this Over-the-Air packet capture either using an Access Point in Sniffer mode, or with a Macbook using its Wireless Diagnostics built-in tool.

Note: Ensure that the Packet capture includes all 802.11 frames. Most importantly, it is imperative that the four-way handshake is captured during the process.

Observe how all traffic past the four-way handshake (packets 475 to 478) is encrypted.

Encrypted wireless traffic.

Step 3. Generate and Export the Radioactive Trace of the Device

In the same screen as Step 1, click on the green Generate button once you’ve captured the wireless traffic.

In the time interval pop-up window, select the time frame that matches your needs. It’s not necessary to enable internal logs here.

Click Apply to Device to generate the Radioactive Trace.

Time interval for RA Trace.

Once the Radioactive Trace is ready, a download icon is shown right next to the Trace file name. Click it to download your Radioactive Trace.

Radioactive Trace available for download.

Step 4. Obtain the MSK from the Radioactive Trace

Open the downloaded Radioactive Trace file and search for the eap-msk Attribute after the Access-Accept message.

2022/09/23 20:00:08.646494126 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: Received from id 1812/143 172.16.5.112:0, Access-Accept, len 289
2022/09/23 20:00:08.646504952 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: authenticator 8b 11 23 7f 6a 37 4c 9a - dd e0 26 88 56 6a 82 f5
2022/09/23 20:00:08.646511532 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: User-Name [1] 7 "Alice"
2022/09/23 20:00:08.646516250 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: Class [25] 55 ...
2022/09/23 20:00:08.646566556 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: EAP-Message [79] 6 ...
2022/09/23 20:00:08.646577756 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: Message-Authenticator[80] 18 ...
2022/09/23 20:00:08.646601246 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: EAP-Key-Name [102] 67 *
2022/09/23 20:00:08.646610188 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: Vendor, Microsoft [26] 58
2022/09/23 20:00:08.646614262 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: MS-MPPE-Send-Key [16] 52 *
2022/09/23 20:00:08.646622868 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: Vendor, Microsoft [26] 58
2022/09/23 20:00:08.646642158 {wncd_x_R0-0}{1}: [radius] [15612]: (info): RADIUS: MS-MPPE-Recv-Key [17] 52 *
2022/09/23 20:00:08.646668839 {wncd_x_R0-0}{1}: [radius] [15612]: (info): Valid Response Packet, Free the identifier
2022/09/23 20:00:08.646843647 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] Received an EAP Success
2022/09/23 20:00:08.646878921 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] Entering idle state
2022/09/23 20:00:08.646884283 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] Posting AUTH_SUCCESS on Client
2022/09/23 20:00:08.646913535 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0000.0000.0000:capwap_9000000c] Setting EAPOL eth-type to 0x888e, destination mac to 0093.3794.2730
2022/09/23 20:00:08.646914875 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0000.0000.0000:capwap_9000000c] Sending out EAPOL packet
2022/09/23 20:00:08.646996798 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 4, EAP-Type = 0
2022/09/23 20:00:08.646998966 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] EAP Packet - SUCCESS, ID : 0x95
2022/09/23 20:00:08.647000954 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0000.0000.0000:unknown] Pkt body: 03 95 00 04 
2022/09/23 20:00:08.647004108 {wncd_x_R0-0}{1}: [dot1x] [15612]: (info): [0093.3794.2730:capwap_9000000c] EAPOL packet sent to client
2022/09/23 20:00:08.647008702 {wncd_x_R0-0}{1}: [auth-mgr] [15612]: (info): [0093.3794.2730:capwap_9000000c] Authc success from Dot1X, Auth event success
2022/09/23 20:00:08.647025898 {wncd_x_R0-0}{1}: [auth-mgr] [15612]: (info): [0093.3794.2730:capwap_9000000c] Raised event APPLY_USER_PROFILE (14)
2022/09/23 20:00:08.647033682 {wncd_x_R0-0}{1}: [auth-mgr] [15612]: (info): [0093.3794.2730:capwap_9000000c] Raised event RX_METHOD_AUTHC_SUCCESS (3)
2022/09/23 20:00:08.647101204 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : username 0 "Alice"
2022/09/23 20:00:08.647115452 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : class 0 43 41 43 53 3a 30 42 30 35 31 30 41 43 30 30 30 30 30 30 31 41 36 42 45 46 33 34 37 35 3a 69 73 65 6c 61 62 2d 75 77 75 2f 34 38 34 36 32 34 34 35 31 2f 33 38 
2022/09/23 20:00:08.647116846 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : EAP-Message 0 <hidden>
2022/09/23 20:00:08.647118074 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : Message-Authenticator 0 <hidden>
2022/09/23 20:00:08.647119674 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : EAP-session-id 0 "O×.Ê$2VÖï<úiUˆú ”­ó>“>ƒôE9Æ#1oÊ0ÖÕM°8p’ŠÀ1ò¿–ã‡|¥–p”½"
2022/09/23 20:00:08.647128748 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : MS-MPPE-Send-Key 0 c7 22 cb f0 93 31 02 a4 1b b0 2f 0a 76 9b b2 23 81 0c b1 e1 4f b6 37 2e 8e 33 78 22 3d c8 1d 7d 
2022/09/23 20:00:08.647137606 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : MS-MPPE-Recv-Key 0 fb c1 c3 f8 2c 13 66 6e 4d dc 26 b8 79 7e 89 83 f0 12 54 73 cb 61 51 da fa af 02 bf 96 87 67 4c 
2022/09/23 20:00:08.647139194 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : dnis 0 "A4-9B-CD-AA-18-80"
2022/09/23 20:00:08.647140612 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : formatted-clid 0 "00-93-37-94-27-30"
2022/09/23 20:00:08.647141990 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : audit-session-id 0 "0B0510AC0000001A6BEF3475"
2022/09/23 20:00:08.647158674 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : eap-msk 0 fb c1 c3 f8 2c 13 66 6e 4d dc 26 b8 79 7e 89 83 f0 12 54 73 cb 61 51 da fa af 02 bf 96 87 67 4c c7 22 cb f0 93 31 02 a4 1b b0 2f 0a 76 9b b2 23 81 0c b1 e1 4f b6 37 2e 8e 33 78 22 3d c8 1d 7d 
2022/09/23 20:00:08.647159912 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : eap-emsk 0 
2022/09/23 20:00:08.647161666 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : method 0 0 [dot1x]
2022/09/23 20:00:08.647164452 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : clid-mac-addr 0 00 93 37 94 27 30 
2022/09/23 20:00:08.647166150 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : intf-id 0 2415919116 (0x9000000c)
2022/09/23 20:00:08.647202312 {wncd_x_R0-0}{1}: [auth-mgr] [15612]: (info): [0093.3794.2730:capwap_9000000c] Method dot1x changing state from 'Running' to 'Authc Success

The value followed by the eap-msk string is the MSK. Copy this and save it to use it in the next step.

2022/09/23 20:00:08.647158674 {wncd_x_R0-0}{1}: [aaa-attr-inf] [15612]: (info): Applying Attribute : eap-msk 0 fb c1 c3 f8 2c 13 66 6e 4d dc 26 b8 79 7e 89 83 f0 12 54 73 cb 61 51 da fa af 02 bf 96 87 67 4c c7 22 cb f0 93 31 02 a4 1b b0 2f 0a 76 9b b2 23 81 0c b1 e1 4f b6 37 2e 8e 33 78 22 3d c8 1d 7d 

Step 5. Add the MSK as an IEEE 802.11 Decryption Key in Wireshark

On Wireshark, go to Wireshark > Preferences > Protocols > IEEE 802.11.

Check the box that says “Enable decryption” and then select Edit, right next to Decryption keys.

Click on the “+” button at the bottom to add a new decryption key and select msk as the key type.

Paste the eap-msk value obtained in Step 4 (without spaces).

Finally click on OK to close the Decryption keys window and then also click on OK to close the Preferences window and apply the decryption key.

Decryption key added to the wireshark preferences.

Step 6. Analyze the Decrypted 802.1X Traffic

Observe how the wireless traffic is now visible. In the screenshot, you can see ARP traffic (packets 482 and 484), DNS Queries and Responses (Packets 487 and 488), ICMP traffic (Packets 491 through 497) and even the start of the three-way-handshake for a TCP session (packet 507).

Decrypted wireless traffic.