As with almost everything in wireless security, there are conditions and qualifications. But for Wi-Fi networks that are properly using 802.1X authentication, and that have transport layer security properly implemented, then the impact [of this exploit] is essentially zero, vonNagy says.

The reason for that is because enterprise Wi-Fi security is a two-step process, first creating a secure encrypted tunnel, using the aforementioned Transport Layer Security, between the wireless client and a RADIUS server (authenticating the server) and only then using MS-CHAP to authenticate the client. If the first step is properly implemented, and MS-CHAP protected, the Defcon tools are helpless to attack it, according to vonNagy.

The argument he advances in his blog post even assumes that the tools demonstrated at Defcon can in fact crack MS-CHAP completely. His point: It doesnt matter.

Heres why.

As Microsofts own webpage , PEAP is one member of a family of Extensible Authentication Protocol (EAP) protocols. It relies on Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, for example a laptop or tablet, and a PEAP authenticator, in this case an enterprise Remote Authentication Dial-In User Service (RADIUS) server. PEAP can work with a variety of EAP authentication methods, one of them being EAP-MS-CHAPv2, which work inside the encrypted tunnel.