Wireless Authentication

Network Startup Resource Center www.nsrc.org

These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Overview

Define authentication Strengths and weaknesses of captive portals How captive portals work What is Authentication?

Verifying the claim that an entity is allowed to act on behalf of a given known identity

More simply: • Is this person/device who they say they are? • Can they prove it • for example, with password, signature? • In our case, the entity is the software, acting on behalf of the user controlling the computer. Why Is Auth So Complicated?

I am on a computer. Am I its owner? • Device is not the same as person. I am a network administrator • Should I have access to the finance system? I am connecting to the network from home • Should I have access to all my work resources? I am a printer • Should I be able to scp files to the network? Authentication Core Concepts

These are all different concepts: • Confidentiality • Access Control • Authorization • Authentication Confidentiality

Ensure that only those who should have access to information can indeed do so (usually encryption) Access Control

Access control is the mechanisms by which rights & restrictions are controlled & enforced Authorization

Authorization defines what an entity (a user, a device) is authorized (allowed), to access • Which networks (ACLs/filters) • Which systems, which files ? (FS ACLs, permissions) • When can they do that (time policies) ? • Can they run an application or access a service ? Authentication

We want to know: WHO, WHERE(*), WHEN • Which entity? • What AP did they associate with? • When did they log on ? • What IP number did they have? PSK (Pre-Shared Key) cannot tell us this. • Keys can be shared between users & devices. • We can’t know who, where, or when. Authentication Solutions

We recommended two ways to do this: • Captive portal • 802.1X (EAPoL and EAP-TTLS) (Preferred) Your choice depends on: • The size of your organization • The maturity of your IT systems • Your human resources • Available user stores, databases • For example, Active Directory or LDAP Captive Portals: Positive

• Popular (public areas, airports, hotels…) • Flexible • Self-explanatory (web page), can enforce AUP (Acceptable Use Policy) validation • Relatively easy to implement Captive Portals: Negative

• Not transparent • Requires user to interact with the network using a web browser • Not standardized (different looks, different credentials, …) • Requires regular re-authentication (disruptive) Captive Portals: Negative

• Breaks SSL by Man-In-The-Middle (MITM) • Makes assumption about client configuration (e.g. user-specified DNS resolver) • Often unreliable and fragile • Easy to hijack authenticated session Captive Portals: Solutions

Many vendors and open source projects • CoovaChilli • WiFidog • M0n0wall, pfSense • zeroshell Many networking vendors offer captive portals • Aptilo, Aruba, Cisco, HP, Mikrotik, Ubiquiti Captive Portals: Redirection

Any of the following methods can be used:

• HTTP silent redirection • HTTP 30x redirect • IP hijacking • DNS hijacking • Certain URLs may be allowed • e.g. Information, help, use policies pages Captive Portals: OS support

Operating System (OS) requests well-known URL • If success, then user has Internet! ! • If failure, launch minimal browser to allow authentication with captive portal

If you interfere with this process bad things can happen

Don’t whitelist domains so OS thinks it has connectivity

Use a 302 redirect to a valid HTTPS website to collect credentials Captive Portals: Components

A captive portal ,aka Universal Access Method (UAM) needs the following:

Network Access Controller (CoovaChilli, Unifi controller)

RADIUS Server (Freeradius)

Authentication Store (AD, LDAP, DB, or text file) Captive Portals: NAC

Has two network interfaces:

LAN • Offers DHCP lease to all wireless clients • Blocks all HTTPS traffic before auth to avoid cert mismatch • Web server+TLS to request authentication from clients • Captive web portal offers valid SSL certificate (LetsEncrypt!)

WAN • Provides Internet connectivity to authenticated clients

Facilitates authentication session between client and RADIUS Server

Prevents unauthenticated clients from using the network Captive Portals: RADIUS Server

Remote Authentication Dial-In User Service

Provides Authentication, Authorization, and Accounting

Attribute-Value pairs allow for flexibility

Can talk to a variety of auth stores

RFCs 2865, 2868, 5080 Captive Portals: RADIUS Server Authorization conversation looks like:

Client submits credentials to NAC by HTTPS web form

NAC sends Access Request message to RADIUS Server by RADIUS protocol

RADIUS Server checks credentials by PAP/CHAP/EAP against auth store

RADIUS Server replies to NAC with one of: Access Accept Access Reject Access Challenge

RADIUS reply might also specify attributes like VLAN, bandwidth limit, dwell time, etc. for Access Accept Captive Portals: Authentication Store

Common choices • Active Directory • LDAP • SQL db • ASCII text file

Best to reuse an existing credential store if available

Vouchers are common in hotels and coffee shops

APIs can be used for 3rd party payment services like PayPal, HotSpotSystem, etc. Captive Portal: Sample Session

Client requests DHCP address from NAC

Client OS detects captive portal and requests HTTP URL

NAC intercepts URL and 302 redirects to HTTPS login page

Client submits credentials to captive web portal

RADIUS server is queried for authorization

NAC approves/denies network access based on RADIUS response Captive Portal: Diagram

NAC RADIUS Filters / ACLs HTTP server Server Auth application

Authentication Store

Client Questions?