How secure is Captive portal?
-
Hi All,
Prelude
A little while ago I was tasked with deploying secure WiFi.
Soon after, I came to a realisation that there are only 2 ways you can go with this:
- Wifi + SSL authentication
- Wifi + Captive portal (CP)
SSL authentication does not fit my specification, so I had to go captive portal > pfsense.
My implementation is now complete. I have WiFi gateways that authenticate clients via CP, with a RADIUS server pointed to AD. So all my WiFi traffic is routed through pfsense and thus LAN services can be firewalled.
Security is managed in 3 ways:
- Wifi Association
- CP Authentication
- Access restriction (Firewall)
Question:
In my understanding, when a client authenticates with CP, its MAC address is added to a list of allowed addresses through CP. But if I can associate with a network, I can ARP for MACs and spoof my MAC. What then?
Thank you.
-
It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.
-
@cmb:
It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.
+1 - Get better switches
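
An added example, not part of the original thread: since the gateway only sees a MAC address, one way to notice a cloned MAC is to compare the captive portal's session table with what the switches and APs report at layer 2. The record formats, the names `SESSIONS`, `OBSERVATIONS` and `find_suspect_macs`, and the 30-second window are assumptions made for illustration; they are not pfSense or vendor output.

```python
from collections import defaultdict

# Constructed captive-portal session table: MAC -> (IP, user). Hypothetical format.
SESSIONS = {
    "aa:bb:cc:00:00:01": ("10.0.0.21", "alice"),
    "aa:bb:cc:00:00:02": ("10.0.0.22", "bob"),
}

# Constructed layer-2 sightings: (epoch seconds, MAC, IP, access point).
OBSERVATIONS = [
    (1000, "aa:bb:cc:00:00:01", "10.0.0.21", "ap-1"),
    (1005, "aa:bb:cc:00:00:02", "10.0.0.22", "ap-2"),
    (1010, "aa:bb:cc:00:00:01", "10.0.0.21", "ap-3"),  # same MAC, other AP, 10 s later
    (1012, "aa:bb:cc:00:00:01", "10.0.0.21", "ap-1"),  # and back again 2 s later
    (1300, "aa:bb:cc:00:00:02", "10.0.0.57", "ap-2"),  # authenticated MAC, unexpected IP
    (1400, "aa:bb:cc:00:00:02", "10.0.0.22", "ap-4"),  # moved after 100 s: plausible roam
]


def find_suspect_macs(sessions, observations, flap_window=30):
    """Return {mac: sorted reasons} for authenticated MACs that look cloned.

    ip-mismatch: the MAC is seen with an IP other than the one in its session.
    ap-flap:     the MAC is seen on two different APs within flap_window seconds,
                 which a single physical client rarely does repeatedly.
    """
    findings = defaultdict(set)
    last_seen = {}  # mac -> (timestamp, ap) of the previous sighting
    for ts, mac, ip, ap in sorted(observations):
        mac = mac.lower()
        if mac not in sessions:
            continue  # no portal session, so the portal already blocks it
        if ip != sessions[mac][0]:
            findings[mac].add("ip-mismatch")
        prev = last_seen.get(mac)
        if prev and prev[1] != ap and ts - prev[0] <= flap_window:
            findings[mac].add("ap-flap")
        last_seen[mac] = (ts, ap)
    return {mac: sorted(reasons) for mac, reasons in findings.items()}


if __name__ == "__main__":
    for mac, reasons in find_suspect_macs(SESSIONS, OBSERVATIONS).items():
        print(mac, SESSIONS[mac][1], reasons)
```

A legitimate fast roam can also trigger `ap-flap`, so treat a single hit as a lead and repeated hits as the signal.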