How secure is Captive portal?

spd21

Hi All,

Prelude

A little while ago I was tasked with deploying secure WiFi.

Soon after I came to a realisation that there is only 2 ways you can go with this

Wifi + SSL authentication
Wifi + Captive portal (CP)

SSL authentication does not fit my specification so I had to go captive portal > pfsense

My implementation is now complete, I have wifi gateways that authenticate clients via CP, with a radius server pointed to AD. So all my WiFi traffic is routed through pfsense and thus Lan services can be firewalled.
Security is managed in 3 ways.

1. Wifi Association
2. CP Authentication
3. Access restriction (Firewall)

Question:

In my understanding when a client authenticates with CP its mac address is added to a list of allowed addresses through CP. But if I can associate with a network I can ARP for MACs and spoof my mac. What then?

Thank you.

cmb

It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.

capnsteve

@cmb:

It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.

+1 - Get better switches