How secure is Captive portal?



  • Hi All,

    Prelude

    A little while ago I was tasked with deploying secure WiFi.

    Soon after, I came to the realisation that there are only 2 ways you can go with this:

    Wifi + SSL authentication
    Wifi + Captive portal (CP)

    SSL authentication does not fit my specification, so I had to go captive portal > pfSense.

    My implementation is now complete. I have WiFi gateways that authenticate clients via CP, with a RADIUS server pointed to AD. So all my WiFi traffic is routed through pfSense and thus LAN services can be firewalled.
    Security is managed in 3 ways.

    1. Wifi Association
    2. CP Authentication
    3. Access restriction (Firewall)

    Question:

    In my understanding, when a client authenticates with CP, its MAC address is added to a list of allowed addresses through CP. But if I can associate with a network, I can ARP for MACs and spoof my MAC. What then?

    Thank you.



  • It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.



  • @cmb:

    It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.

    +1 - Get better switches
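
The replies place the control at layer 2 because a portal that authorises by MAC address cannot tell two devices presenting the same MAC apart. The sketch below is an added example, not part of the original thread and not pfSense code: it cross-checks portal sessions against layer-2 sightings and flags an authenticated MAC that shows up with a second IP or on two access points almost simultaneously. The record layouts, names, addresses and the 30-second window are constructed assumptions, and a roaming client can trip the access-point check.

```python
from collections import defaultdict

# Constructed sample data (not pfSense output): portal sessions keyed by MAC,
# and layer-2 sightings as an AP or switch might report them.
SESSIONS = {
    "aa:bb:cc:00:00:01": {"user": "alice", "ip": "10.0.8.21"},
    "aa:bb:cc:00:00:02": {"user": "bob", "ip": "10.0.8.22"},
}
SIGHTINGS = [
    # (epoch seconds, MAC, IP, access point)
    (1000, "aa:bb:cc:00:00:01", "10.0.8.21", "ap-1"),
    (1005, "aa:bb:cc:00:00:02", "10.0.8.22", "ap-1"),
    (1010, "aa:bb:cc:00:00:01", "10.0.8.21", "ap-3"),  # same MAC, other AP, 10 s later
    (1012, "aa:bb:cc:00:00:01", "10.0.8.21", "ap-1"),
    (1015, "AA:BB:CC:00:00:02", "10.0.8.57", "ap-1"),  # same MAC, different IP
    (1020, "aa:bb:cc:00:00:09", "10.0.8.30", "ap-2"),  # never authenticated
    (1400, "aa:bb:cc:00:00:02", "10.0.8.22", "ap-2"),  # slow move: normal roaming
]


def find_shared_macs(sessions, sightings, window=30):
    """Return {mac: [reasons]} for authenticated MACs that look shared.

    ip-mismatch:   MAC seen with an IP other than the one it logged in with.
    concurrent-ap: MAC seen on two different APs within `window` seconds.
    """
    findings = defaultdict(set)
    last_seen = {}  # mac -> (time, ap) of the previous sighting
    for ts, mac, ip, ap in sorted(sightings):
        mac = mac.lower()  # normalise case before comparing
        session = sessions.get(mac)
        if session is None:
            continue  # unauthenticated MACs are already blocked by the portal
        if ip != session["ip"]:
            findings[mac].add("ip-mismatch")
        prev = last_seen.get(mac)
        if prev and prev[1] != ap and ts - prev[0] <= window:
            findings[mac].add("concurrent-ap")
        last_seen[mac] = (ts, ap)
    return {mac: sorted(reasons) for mac, reasons in findings.items()}


if __name__ == "__main__":
    for mac, reasons in find_shared_macs(SESSIONS, SIGHTINGS).items():
        print(mac, SESSIONS[mac]["user"], ", ".join(reasons))
```
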

