Authentication & Captive Portals

Sebastian Büttrich, wire.less.dk edit: March 2010

http://creativecommons.org/licenses/by-nc-sa/3.0/

Captive Portals: Principle

• Browser as authentication tool

• Until authenticated, the user's HTTP request is intercepted and redirected by one of:

– HTTP redirect (returning a 302 code)
– IP redirect
– DNS redirect / DNS poisoning

• You can whitelist, based on URL, IP, MAC etc.

Captive Portals: Elements

• The front end: a (set of) web page(s) (“splash page”) for login, feedback and payment. Resides on the AP.

• The captive portal engine: manages redirects based on front end input, communicates back to front end.

May reside on AP or server behind. The captive portal engine might communicate with the ...

• Back end user store: LDAP, RADIUS or similar. May also reside locally on AP, in smaller systems.
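The principle and the three elements above, as an added example that is not from the slides or from any of the portals named later: a small Python model of the captive portal engine. It intercepts a request, applies the URL/IP/MAC whitelist, checks for a live session bound to the client's (MAC, IP) pair, and otherwise answers with an HTTP 302 to the splash page carrying the original URL. An in-memory dict stands in for the RADIUS/LDAP user store; the splash URL, whitelist entries, timeout, MAC and IP addresses are all constructed values.

```python
import time
from dataclasses import dataclass
from urllib.parse import quote, urlsplit

SPLASH_URL = "http://portal.example/login"   # assumed address of the splash page
IDLE_TIMEOUT = 600                           # seconds without traffic before re-login

# "Walled garden": destinations and clients allowed without login (constructed values).
WHITELIST_HOSTS = {"portal.example", "payment.example"}
WHITELIST_IPS = {"10.0.0.1"}                 # e.g. the gateway's own management address
WHITELIST_MACS = {"00:11:22:33:44:55"}       # e.g. a printer that cannot show a splash page


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    last_seen: float


class PortalEngine:
    """Decides, per intercepted HTTP request, whether to pass it or redirect it."""

    def __init__(self, users):
        # Stand-in for the back end user store (RADIUS/LDAP): username -> password.
        self.users = dict(users)
        # Active sessions, bound to the (MAC, IP) pair seen at login, keyed by MAC.
        self.sessions = {}

    def login(self, mac, ip, user, password, now=None):
        """The front end hands credentials to the engine; returns True on success."""
        now = time.time() if now is None else now
        if self.users.get(user) != password:
            return False
        self.sessions[mac] = Session(mac, ip, user, now)
        return True

    def handle_request(self, mac, ip, url, now=None):
        """Return a decision dict: {'action': 'pass'} or a 302 redirect to the splash page."""
        now = time.time() if now is None else now
        host = urlsplit(url).hostname or ""

        # 1. Whitelist checks: destination host, client IP or client MAC.
        if host in WHITELIST_HOSTS or ip in WHITELIST_IPS or mac in WHITELIST_MACS:
            return {"action": "pass", "reason": "whitelisted"}

        # 2. Session check: the MAC must hold a live session bound to the same IP.
        sess = self.sessions.get(mac)
        if sess is not None:
            if sess.ip != ip:
                # Same MAC seen from another IP: do not let the session follow it.
                return self._redirect(url, "ip_mismatch")
            if now - sess.last_seen > IDLE_TIMEOUT:
                del self.sessions[mac]
                return self._redirect(url, "expired")
            sess.last_seen = now
            return {"action": "pass", "reason": "session", "user": sess.user}

        # 3. Not authenticated: intercept with an HTTP 302 pointing at the splash page.
        return self._redirect(url, "unauthenticated")

    @staticmethod
    def _redirect(original_url, reason):
        # The original URL travels along so the splash page can send the user back after login.
        location = SPLASH_URL + "?url=" + quote(original_url, safe="")
        return {"action": "redirect", "status": 302, "location": location, "reason": reason}


if __name__ == "__main__":
    engine = PortalEngine(users={"alice": "correct horse"})    # constructed user store
    mac, ip = "aa:bb:cc:dd:ee:01", "10.0.0.50"                 # constructed client
    print(engine.handle_request(mac, ip, "http://example.com/news", now=1000.0))
    print(engine.login(mac, ip, "alice", "correct horse", now=1001.0))
    print(engine.handle_request(mac, ip, "http://example.com/news", now=1002.0))
    print(engine.handle_request(mac, "10.0.0.99", "http://example.com/", now=1003.0))
    print(engine.handle_request(mac, ip, "http://example.com/", now=1002.0 + IDLE_TIMEOUT + 1))
```

Running the file prints the 302 decision for an unauthenticated client, the pass after login, the refusal when the same MAC shows up from a different IP, and the expiry after the idle timeout. Binding the session to both MAC and IP only defeats a partial spoof; a client that clones both, as the Security slide warns, still inherits the session, which is why the idle timeout is kept short and the session is not re-created on a mismatch.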

The three elements are independent in principle.

Captive Portals: Downsides

• What if the device does not have a browser?

• IP redirect: URL does not match IP for user

• DNS poisoning: DNS info might get cached at client

• Pure DNS implementation easy to circumvent

• In addition to these downsides, there are also circumvention tricks for all of these methods

Captive Portals: Security

• IP/MAC based sessions can be compromised via passive monitoring combined with spoofing

• Pure DNS implementations can be overwritten, or tunneled through

• In addition to technical security issues, do not forget the human factor and management challenges

Captive Portals: Beyond tech

• The success of a portal depends on much more than technology … communication!

• Acceptable Use Policies

• Communication of AUP

• Wording, contacts

• Social engineering

Popular Captive Portals

• CoovaChilli, CoovaAP (integrates the discontinued Chillispot)

• WiFidog

• NoCat (discontinued, but still in use)

• Vendor supplied portals, e.g. MikroTik

• Cisco

• Aruba

• Aptilo

Homegrown Captive Portals

• Coding your own portal is possible and not all that difficult

• For example, a combination of

– PHP pages
– MySQL/RADIUS

Example: Coova on Ubiquiti &

• Coova combines several Open Source elements, closed extensions and web based services (part free, part commercial)

• Coova (OpenWRT based) exists for Linksys WRT54, and can be made to work for Ubiquiti in different ways

• Binary firmware for Ubiquiti still missing (status: March 2010)

Example: Coova on Ubiquiti

Options:

• Build it into Ubiquiti's AirOS via the SDK (http://coova.org/node/3685) or use the binary: https://www.coova.net/Controllers/UbiquitiAirOS

• Flash OpenWRT onto the Ubiquiti, add Coova-Chilli packages

• Use open-mesh / ROBIN firmware - see: http://dev.open-mesh.com

More options to come!

That was it ...

Thank you!

[email protected] http://wire.less.dk
