CaptivePortal - possibilities to encrypt Username/password or voucher codes ?



  • Hi,

    On pfSense 2.0.x I can find the possibility to run CaptivePortal as HTTP on port 8000 and as HTTPS on port 8001.
    Is this the only way to make the connection between client and CP secure, so that no one can do a man-in-the-middle and sniff the username/password or voucher code?

    On pfSense 2.1 there are new possibilities of using "PAP", "CHAP", "MSCHAP", "MSCHAPv2".
    Would this make the connection secure between client and CP?

    I am thinking of the problem that I have many clients in my guest network LAN/WLAN and I want to avoid that someone sniffs someone else's credentials to get access through the CP. I would be interested in a way to manage that the "best" way.

    At the moment I am using the freeradius2 package as backend for CP and username/password combinations. In the future there should be additional access with vouchers.

    Thank you for your suggestions and have a nice easter weekend :)



  • I can't think of any way to prevent password sniffing / MitM attacks against an open hotspot with CP auth other than using HTTPS or password-protecting the WLAN with WPA2 with a "public" password (the latter was suggested by the author of the Firesheep plugin, which demonstrated interception of unencrypted cookies from websites like Facebook and Twitter - note: I've not researched the validity of this method myself).

    The other methods you mentioned are used for securing the communication between the RADIUS server and the pfSense CP acting as NAS (instead of sending the password in plaintext over the public Internet, if those two devices are at different locations).
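To make dhatz's distinction concrete, here is an added example (not from this thread, and not pfSense or FreeRADIUS code) of what PAP and CHAP actually protect: the RFC 2865 User-Password hiding and the CHAP-Password attribute that the NAS (pfSense) applies on the pfSense-to-RADIUS leg, beside the plain HTTP form the browser submits to the portal page on port 8000. The username, password and shared secret are constructed sample values; the form field names are an assumption modelled on pfSense's default portal page.

```python
import hashlib
import os

# Constructed sample values (not from the thread): a captive-portal user's
# credentials and the RADIUS shared secret configured on pfSense and FreeRADIUS.
SAMPLE_USERNAME = b"guest42"
SAMPLE_PASSWORD = b"correct horse battery"
SAMPLE_SHARED_SECRET = b"pfsense-radius-secret"


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the NAS sends it to RADIUS.

    The password is null-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret + previous block), where the "previous block" for the
    first block is the 16-byte Request Authenticator of the Access-Request.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded_len = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, padded_len, 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def recover_user_password(hidden: bytes, shared_secret: bytes,
                          request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server does, and what anyone
    holding the shared secret could do. The hiding is keyed on the shared secret,
    so it only protects the NAS-to-RADIUS hop, never the client-to-portal hop."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: ident || MD5(ident || password || challenge).
    The challenge is the Request Authenticator or a CHAP-Challenge attribute."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def client_to_portal_form(username: bytes, password: bytes) -> bytes:
    """The HTTP POST body the browser sends to the portal login page (field names
    assumed to follow pfSense's default portal page). Over plain HTTP on port 8000
    this is exactly what a sniffer on the guest WLAN sees, regardless of which
    RADIUS protocol pfSense uses afterwards."""
    return b"auth_user=" + username + b"&auth_pass=" + password + b"&accept=Continue"


def demo() -> dict:
    """Compare what each hop exposes for one login attempt."""
    request_authenticator = os.urandom(16)
    form = client_to_portal_form(SAMPLE_USERNAME, SAMPLE_PASSWORD)
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SHARED_SECRET, request_authenticator)
    return {
        "plaintext_on_wlan": SAMPLE_PASSWORD in form,
        "plaintext_on_radius_leg": SAMPLE_PASSWORD in hidden,
        "server_recovers": recover_user_password(
            hidden, SAMPLE_SHARED_SECRET, request_authenticator) == SAMPLE_PASSWORD,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the password in the clear in the browser-to-portal form and absent from the RADIUS attribute, which is the whole of what selecting PAP/CHAP/MSCHAP buys you; only HTTPS on the portal (or an encrypted WLAN) changes the first hop.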



  • Thank you dhatz,

    my intention, or the intention of my boss, is that no one but the user itself knows the password and nobody can sniff it the easy way as plaintext.

    What's happening after the authentication with the guest's computer is "not important" for us. So you are right - Firesheep could catch cookies and so on.

    When I am using CP with HTTPS I need a certificate. A self-signed one will probably cause the guest's browser to show a warning. Do I have to buy a certificate for that? Any idea where to get such a certificate which will be accepted by browsers and is "cheap"? Or isn't this possible ;)

    --- edit ---
    I am using freeradius and I am thinking about using WLAN with 802.1X and PEAP. This would encrypt the WLAN traffic and I probably could combine it with CP credentials.



  • @Nachtfalke:

    When I am using CP with HTTPS I need a certificate. A self-signed one will probably cause the guest's browser to show a warning. Do I have to buy a certificate for that? Any idea where to get such a certificate which will be accepted by browsers and is "cheap"? Or isn't this possible ;)

    Yes, it's no different than any other SSL website. You'll need to buy an SSL cert issued by a CA that is included in all the popular browsers, or the user will get a big scary warning.

    Btw, it's quite trivial to impersonate a user on an open WLAN (by spoofing his MAC address and IP), even if you can't capture his voucher code due to the SSL-protected CP login page, so keep it in mind.

    I'd be inclined to use a WPA2-protected WLAN for "permanent" users (logging in with their own username/password) and a different WLAN open for occasional guests using vouchers. It's the well-known tradeoff between security and ease of use.



  • You'll need to buy an SSL cert issued by a CA that is included in all the popular browsers, or the user will get a big scary warning.

    Check out 'StartSSL'. Free SSL certs supported by major browser vendors. The free one is only valid for 1 year, the paid certs are cheap and last longer.
    I'm using this with pf CP atm.

