Advisory: EAP-PWD Vulnerability


Released: 15th April 2019

This advisory is relevant only to eduroam(UK) Home (IdP) (and Home and Visited) service organisations that support the EAP-PWD authentication method, and so will potentially apply only to organisations running the FreeRADIUS, Radiator or Aruba ClearPass RADIUS servers, or any other server supporting EAP-PWD (i.e. not Microsoft NPS). Its aim is to bring the vulnerability in the EAP-PWD method to the attention of our community, and to describe the position of the Wi-Fi Alliance together with the recommended actions to be taken.

Background and scope:

The EAP-PWD vulnerability was discovered by the Belgian researcher Mathy Vanhoef of the University of Leuven and first publicised on 10th April; it has received considerable attention, see Whilst we believe very few member organisations will be affected, this advisory serves to alert any that support EAP-PWD and are not already aware. The FreeRADIUS, Radiator and Aruba ClearPass RADIUS servers, and possibly some others, are capable of supporting EAP-PWD, but Microsoft NPS does not (it primarily supports PEAP/MSCHAPv2). For users to be using this EAP method, your ORPS would need to be configured to support it, as would the user clients (Android, Windows and wpa_supplicant at least support EAP-PWD).

The Wi-Fi Alliance position is described in the Security Considerations arising from the vulnerability:

Vanhoef’s paper about the Dragonfly algorithm used by WPA3 and EAP-PWD can be found here:

FreeRADIUS (3.0.19) and OSC (Radiator 4.23) have already released patches for their RADIUS servers. ClearPass users should check their support vendor's or Aruba's sites.

On the client side, wpa_supplicant is already mostly patched and the following document provides more detailed information about the vulnerability:

The Wi-Fi Alliance has issued its own response to this vulnerability on the day of disclosure.

Less technical overview:

Technical overview:

Security Considerations arising from the vulnerability:

Note the Wi-Fi Alliance does not include EAP-PWD in any of its certification programmes, so the content of the above is centred on the WPA3-Personal (SAE) aspect of the vulnerabilities.

Nonetheless, the Security Considerations document contains some advice for EAP-PWD, since it is based on the same underlying algorithm and thus shares a significant number of pertinent security properties.

Action advised:

It is recommended that all affected organisations update their EAP-PWD EAP peers (RADIUS servers and clients).
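As an added example (not part of this advisory or of any vendor's tooling), the following script helps an administrator decide whether the action above applies to their ORPS: it checks whether an uncommented `pwd { ... }` sub-section is present in the FreeRADIUS `eap` module configuration and compares the server's reported version against the patched releases named above (FreeRADIUS 3.0.19, Radiator 4.23). The configuration excerpt is constructed for illustration; the version strings assume the format printed by `radiusd -v` and by Radiator's banner, and the `pwd {` match is a heuristic, not a full config parser.

```python
import re

# Patched releases named in the advisory: FreeRADIUS 3.0.19 and Radiator 4.23.
PATCHED_VERSIONS = {"freeradius": (3, 0, 19), "radiator": (4, 23)}


def parse_version(text):
    """Extract a dotted version tuple from e.g. 'radiusd: FreeRADIUS Version 3.0.17'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(server, version_text):
    """True if the reported version is at or above the advisory's patched release."""
    return parse_version(version_text) >= PATCHED_VERSIONS[server.lower()]


def eap_pwd_enabled(eap_config):
    """Heuristic: True if an uncommented 'pwd {' sub-section exists in the eap module."""
    for line in eap_config.splitlines():
        code = line.split("#", 1)[0]  # discard trailing comments before matching
        if re.match(r"^\s*pwd\s*\{", code):
            return True
    return False


def assess(server, version_text, eap_config=None):
    """Classify a server as 'not affected', 'patched' or 'update required'."""
    if eap_config is not None and not eap_pwd_enabled(eap_config):
        return "not affected (EAP-PWD not enabled)"
    return "patched" if is_patched(server, version_text) else "update required"


# Constructed excerpt of a FreeRADIUS mods-enabled/eap file with EAP-PWD switched on.
SAMPLE_EAP_PWD_ON = """
eap {
    default_eap_type = peap
    pwd {
        group = 19
        server_id = "radius.example.ac.uk"   # placeholder identity
    }
    peap {
        tls = tls-common
    }
}
"""
# Same excerpt with the pwd section commented out, as in the stock 3.0.x default file.
SAMPLE_EAP_PWD_OFF = SAMPLE_EAP_PWD_ON.replace("    pwd {", "#   pwd {")

if __name__ == "__main__":
    print(assess("freeradius", "radiusd: FreeRADIUS Version 3.0.17", SAMPLE_EAP_PWD_ON))
    print(assess("radiator", "Radiator 4.23"))
```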