
Is it possible to use Captive Portal for WiFi and WPA2-EAP at the same time?

Is there any EAP supporting Captive Portal?

For example: the user connects to WiFi, goes to the Captive Portal over unsecured WiFi (but using TLS), then after logon the EAP is completed and the user starts using his own WPA key, just like in WPA2-EAP authentication?

If I want to use Captive Portal, is there any way to protect traffic from network sniffers?

user128766
  • In what scenario do you imagine a captive portal exposes users to network sniffing attacks? – Polynomial Oct 26 '16 at 14:46
  • With a captive portal there isn't a PSK (Pre-Shared Key), so with plain WiFi monitoring I can read all packets with Wireshark. That's what I tested last time on some random Captive Portal. So I wonder if there's a way to encrypt this traffic, ideally with a dedicated key per user, like in WPA2-EAP. – user128766 Oct 26 '16 at 14:53
  • Why does it have to be encrypted at the 802.11 level? Why not just use TLS on the captive portal? – Polynomial Oct 26 '16 at 15:04
  • WPA-EAP works this way: 1. connect to wifi without authentication 2. perform EAP authentication 3. after success, establish encrypted wifi. So of course the captive portal can be over TLS. But after authentication on the captive portal, I'd like to establish encrypted wifi like with WPA2-EAP, as on the captive portal next door there isn't any after successful logon. – user128766 Oct 26 '16 at 15:14
  • If there isn't a standard to do it, I can propose one. – user128766 Oct 26 '16 at 15:15
  • There's no standard I'm aware of; you'd have to implement it yourself. Use TLS for the captive portal, generate a set of credentials after they've filled out the details on that portal and display them to the user, pass the credentials through a back-channel to the WPA2-EAP authentication server, then have the user log onto the authenticated AP. – Polynomial Oct 26 '16 at 15:17
  • Alternatively, you could implement a similar setup using 802.1X authentication on the network. Have unauthenticated users sit on one VLAN which can reach the captive portal, then move them to an authenticated VLAN once they've gone through 802.1X authentication. The 802.1X-2010 specification provides network-level encryption (802.1AE) once the user is authenticated. The WiFi itself will still be "open", but the network layer traffic is encrypted separately. – Polynomial Oct 26 '16 at 15:21
  • For the moment a big sign "guest/guest" with Windows and Android screenshots is working ok – user128766 Oct 26 '16 at 15:28

1 Answer

Is it possible to use Captive Portal for WiFi and WPA2-EAP at the same time?

Yes, it is absolutely possible.

How to achieve it?

In general it is achieved by giving walled-garden access to the user even if he has successfully completed EAP authentication; it is called chaining EAP authentication with webauth. I have done this in a Cisco WLC and FreeRADIUS environment quite easily.

Is there any EAP supporting Captive Portal?

Coova offers this functionality in its very basic version, which can be found at

http://coova.github.io/CoovaChilli/WPACaptivePortal/

For an overview, the RADIUS request and response look like this:

Access-Request packet from host 192.168.100.200:2084, id=14, length=171
    User-Name = nobody
    EAP-Message = 0x020200061900
    ChilliSpot-Config = allow-wpa-guests
    Calling-Station-Id = 00-11-24-90-XX-XX
    Called-Station-Id = 00-06-25-C5-XX-XX
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    NAS-IP-Address = 192.168.100.200
    NAS-Identifier = 00:06:25:c6:xx:xx

    .. EAP Access Challenge/Request and TLS Termination ..

 Sending Access-Accept of id 19 to 192.168.100.200 port 2084
    ChilliSpot-Config := require-uam-auth
    MS-MPPE-Recv-Key = 0x317f2c50e739bd69d14be1d09ec111abe3f562886879b70eee16395637dc5eb5
    MS-MPPE-Send-Key = 0xcbc74e30dce41c343b4afe0ea90b7a6413b659bba3a330bcd265da9df4e85ae7
    EAP-Message = 0x03070004
    User-Name = nobody

Hope this will help you.

Arjun sharma
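The chained flow the answer describes (EAP Access-Accept that hands out per-session MS-MPPE keys but also sets `ChilliSpot-Config := require-uam-auth`, leaving the client in the walled garden until the web login) as an added example; this is not CoovaChilli or FreeRADIUS code. It parses a constructed Access-Accept in the debug layout shown above (the key values are placeholders) and derives the client's access state.

```python
"""Model of chaining WPA2-EAP with captive-portal (UAM) login via RADIUS reply attributes."""
import re

# Constructed sample modelled on the Access-Accept in the answer; key material is a placeholder.
ACCESS_ACCEPT = """\
Sending Access-Accept of id 19 to 192.168.100.200 port 2084
    ChilliSpot-Config := require-uam-auth
    MS-MPPE-Recv-Key = 0x00PLACEHOLDER
    MS-MPPE-Send-Key = 0x00PLACEHOLDER
    EAP-Message = 0x03070004
    User-Name = nobody
"""

# Attribute lines are indented and use either "=" or ":=" as the operator.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*:?=\s*(\S+)\s*$")


def parse_reply(text):
    """Return (packet_type, {attribute: value}) from a FreeRADIUS-style reply dump."""
    lines = text.strip().splitlines()
    head = re.match(r"Sending (Access-\w+)", lines[0])
    if not head:
        raise ValueError("not a RADIUS reply dump")
    attrs = {}
    for line in lines[1:]:
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return head.group(1), attrs


def session_state(packet_type, attrs, uam_logged_in):
    """Decide what the client may do at this point in the chained EAP + webauth flow."""
    if packet_type != "Access-Accept":
        return "rejected"                  # EAP failed: no association, no keys
    keyed = "MS-MPPE-Recv-Key" in attrs and "MS-MPPE-Send-Key" in attrs
    if not keyed:
        return "accept-without-keys"       # misconfiguration: link would not be encrypted per user
    if attrs.get("ChilliSpot-Config") == "require-uam-auth" and not uam_logged_in:
        return "walled-garden"             # encrypted 802.11 link, but only the portal is reachable
    return "full-access"                   # EAP keys in place and portal login completed


if __name__ == "__main__":
    ptype, a = parse_reply(ACCESS_ACCEPT)
    print(ptype, session_state(ptype, a, uam_logged_in=False), session_state(ptype, a, uam_logged_in=True))
```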