ByPassing Captive Portal With Proxy

tux

I can't believe that the captive portal is so easy to by pass through the squid proxy.  Is there anyway we can prevention method to such attempt?
Here is a demo: https://www.youtube.com/watch?v=71XMJ6DqpcE

Gertjan

Euh  :)

Squid listing on an accessible non 'local' IP on LAN ?
Portal running on LAN instead a dedicated OPTx ?

This video shows that stupid network admin exists  (lousy setup, etc)…. Well, that is not new ....

Nachtfalke

@tux:

I can't believe that the captive portal is so easy to by pass through the squid proxy.  Is there anyway we can prevention method to such attempt?
Here is a demo: https://www.youtube.com/watch?v=71XMJ6DqpcE

Just enable the checkbox on squid GUI which says:

Enable this option to force captive portal to non transparent proxy users.
NOTE: You may need to reapply captive portal config after changing this option.

tux

@Gertjan Can you enlighten me/us more?

Gertjan

Well …

The video shows a possibility to access the proxy directly, (port 3182). That doesn't seem normal to me. Even port "22" is 'open' On a portal interface ??? => No way .... that's not a sesious setup.

The video shows a pfSense version 1.2.3 - that like says: "Windows has a bug, and demonstrating a XP issue from back then ... " - same thing for the SQUID version used ...

The video shows a portal install on LAN, or, I'm convinced is always better to use a separate OPTx interface.

You saw what Nachtfalke said ? I'm not using squid, but it seems clear to me that its all about a "admin setup error".

jahonix

@tux:

I can't believe that the captive portal is so easy to by pass through the squid proxy.  Is there anyway we can prevention method to such attempt?

Yes, get your network setup right.
Use an additional interface exclusively for your captive portal users. The rest has been said already.

tux

Thanks @Gertjan for that.  I'm actually using the stable version of squid.  I think squid3 beta is the best option for me now though I would prefer the stable version.  I actually need captive portal users to use the proxy server which we heavily do caching.  Thank you everyone!