WPA Enterprise - is ARP Spoofing Possible?

[dawson111]

If one has legitimate access to an unsecured, WEP, or WPA PSK network, then one can use ARP spoofing (plus SSL Strip).

Is this possible for WPA / WPA2 - Enterprise?

I am not talking about cracking WPA but what one can do after legitimately connecting.

Edit:

Presumably the idea is something like this.

With WPA PSK all clients have the same key. Therefore someone on the network can ARP spoof and intercept traffic because he has the PSK.

But with WPA Enterprise, keys are individual. Therefore, the attacker on the network still cannot ARP Spoof because he will not have the key of the client or clients (for broadcast spoofing) of which he is trying to MITM.

Or am I completely wrong?

Thanks.

[aeronavi]

I think in WPA-PSK each client also has unique key (called PTK). this key is derived from PSK+2 random numbers and MAC of both computers. this always happens when a client connect to AP (this is why you need to capture the handshake to decrypt packets on monitor mode). So by your logic this wouldnt be possible to, but the fact is that it works in my experience and Im almost sure that it works in wpa-enterprise too, as i think i remember testing.
Now you put me thinking about it, and you get me confused about "why it works?"

I think its because the packets before reach you are sent to router first, then are reencypted and sent to your ip using the encryption your wireless card knows..

its somethig like this i think its happening
normal connection:
victim->router->internet and vice versa

arpspoofed:
victim->router->yourpc->router->internet and vice versa