Authentication & Captive Portals
Sebastian Büttrich, wire.less.dk edit: March 2010
http://creativecommons.org/licenses/by-nc-sa/3.0/

Captive Portals: Principle
• Browser as authentication tool
• Until authenticated, the user's HTTP request is intercepted and redirected by either
  – HTTP redirect (the portal answers with a 302 to the login page)
  – IP redirect (the packet is rewritten towards the portal address)
  – DNS redirect / DNS poisoning (every name resolves to the portal)
• You can whitelist based on URL, IP, MAC etc.

Captive Portals: Elements
• The front end: a (set of) web page(s) (the "splash page") for login, feedback and payment. Resides on the AP.
• The captive portal engine: manages redirects based on front end input and communicates back to the front end.
  May reside on the AP or on a server behind it. The captive portal engine might communicate with the ...
• Back end user store: LDAP, RADIUS or similar. May also reside locally on the AP in smaller systems.
The three elements are independent in principle.

Captive Portals: Downsides
• What if the device does not have a browser?
• IP redirect: the URL the user asked for does not match the IP the user ends up talking to
• DNS poisoning: the poisoned DNS answer may get cached at the client, and keeps pointing at the portal after login
• A pure DNS implementation is easy to circumvent
• In addition to these downsides, there are circumvention tricks for all of these methods

Captive Portals: Security
• IP/MAC based sessions can be compromised via passive monitoring combined with spoofing: an attacker sniffs the MAC and IP of an authenticated client and clones both
• Pure DNS implementations can be overwritten (the client simply uses another resolver), or tunneled through
• In addition to technical security issues, do not forget the human factor and management challenges

Captive Portals: Beyond tech
• The success of a portal depends on much more than technology … communication!
• Acceptable Use Policies
• Communication of AUP
• Wording, contacts
• Social engineering Captive Portals: Security • IP/MAC based sessions can be compromised via passive monitoring combined with spoofing
• Pure DNS implementations can be overwritten, or tunneled through
• In addition to technical security issues, do not forget the human factor and management challenges Popular Captive Portals
• CoovaChilli, CoovaAP (integrates the discontinued ChilliSpot)
• WiFiDog
• m0n0wall
• NoCat (discontinued, but still in use)
• Vendor supplied portals, e.g.
  – MikroTik
  – Cisco
  – Aruba
  – Aptilo

Homegrown Captive Portals
• Coding your own portal is possible and not all that difficult
• For example, a combination of
  – PHP pages (the front end)
  – MySQL/RADIUS (the user store)
  – iptables (the redirect and the per-client gate)

Example: Coova on Ubiquiti & Linksys
• Coova combines several open source elements, closed extensions and web based services (part free, part commercial)
• Coova firmware (OpenWrt based) exists for the Linksys WRT54 series, and can be made to work on Ubiquiti in different ways
• Binary firmware for Ubiquiti is still missing (status: March 2010)

Example: Coova on Ubiquiti
Options:
• Build it into Ubiquiti's AirOS via the SDK: http://coova.org/node/3685, or use the binary: https://www.coova.net/Controllers/UbiquitiAirOS
• Flash OpenWrt onto the Ubiquiti and add the CoovaChilli packages
• Use Open-Mesh / ROBIN firmware, see: http://dev.open-mesh.com
• More options to come!

That was it ...
Thank you!
[email protected] http://wire.less.dk
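Appendix (added to this edit, not part of the original slides or of any of the portals listed above): the iptables half of the "homegrown" portal from the Homegrown Captive Portals slide, showing in working rules the IP redirect from the Principle slide, IP/MAC whitelisting, and the IP/MAC session that the Security slide warns about. Interface name wlan0, portal address 10.1.0.1 and chain name CAPTIVE are assumptions; the PHP front end and the MySQL/RADIUS user store are not shown. Set IPT="echo iptables" to dry-run and inspect the rules instead of loading them.

```shell
#!/bin/sh
# Added example: iptables gate for a homegrown captive portal.
# Assumed names: client interface wlan0, portal/gateway 10.1.0.1, chain CAPTIVE.
IPT="${IPT:-iptables}"               # set IPT="echo iptables" to dry-run
LAN_IF="${LAN_IF:-wlan0}"            # client-facing interface (assumed)
PORTAL_IP="${PORTAL_IP:-10.1.0.1}"   # AP address serving the splash page (assumed)
PORTAL_PORT="${PORTAL_PORT:-80}"
CHAIN="${CHAIN:-CAPTIVE}"

# Build the gate once at boot; run as root on the AP/gateway.
portal_init() {
    $IPT -t nat -N "$CHAIN"
    $IPT -N "$CHAIN"
    # Every packet arriving from a client passes through both chains.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
    $IPT -A FORWARD -i "$LAN_IF" -j "$CHAIN"
    # Whitelist: traffic to the portal host itself is never rewritten, so the
    # splash page, its login POST and the AP's own resolver stay reachable.
    $IPT -t nat -A "$CHAIN" -d "$PORTAL_IP" -j RETURN
    # Unauthenticated HTTP is DNATed to the splash page: the "IP redirect".
    # The portal's web server then answers with a 302 to its real login URL.
    # HTTPS (443) cannot be redirected this way without certificate warnings,
    # so it is simply dropped by the last rule.
    $IPT -t nat -A "$CHAIN" -p tcp --dport 80 -j DNAT \
        --to-destination "$PORTAL_IP:$PORTAL_PORT"
    # Forwarded DNS is allowed so a client using an external resolver can
    # still resolve the name it typed and run into the redirect above.
    $IPT -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    # Everything else from a not-yet-authorised client is dropped.
    $IPT -A "$CHAIN" -j DROP
}

# Called by the front end after the user store accepted the credentials.
# The session key is the IP/MAC pair, which is exactly the weakness from the
# Security slide: whoever sniffs an authorised client's MAC and IP can clone
# both and inherit the session without ever seeing the splash page.
portal_allow() {
    mac=$1; ip=$2
    $IPT -t nat -I "$CHAIN" 1 -s "$ip" -m mac --mac-source "$mac" -j RETURN
    $IPT -I "$CHAIN" 1 -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Logout or session timeout: delete exactly the two rules added above.
portal_deny() {
    mac=$1; ip=$2
    $IPT -t nat -D "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j RETURN
    $IPT -D "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Usage: portal.sh init | allow <mac> <ip> | deny <mac> <ip>
case "${1:-}" in
    init)  portal_init ;;
    allow) portal_allow "$2" "$3" ;;
    deny)  portal_deny "$2" "$3" ;;
esac
```

The front end (for example a PHP login page calling this script through sudo) only ever calls portal_allow and portal_deny; the DNAT rule is what makes the browser land on the splash page without any DNS trickery, and the DNS-only designs from the Downsides slide are what you get if you leave that rule out and poison the resolver instead.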