
Context: I have a laptop supplied by my organisation. I am trying to connect to eduroam, but I cannot do it using my organisation's laptop. When I use a personal computer, it asks me for a username and password, just as a standard wifi network asks for a password.

I found the text below in the internal IT policy. I need help understanding it. To me it's totally counterintuitive:

Using hotel, coffee shop and public WiFi hotspots

You may be able to connect your laptop to use the WiFi in hotels, coffee shops etc but this depends on how the WiFi is set up:

  • if it’s “open” (that is, you don’t need any password to connect) then you should be OK
  • if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK
  • if however you can readily connect to the WiFi but you need to enter a username and/or password in your web browser software, then you will not be able to access the service.

The security standards to which our laptops are built mean that they cannot connect directly to a “dirty” or insecure internet connection – everything goes via the secure VPN connection into our IT network. So the user can’t get to the web page where they’d need to type in a password without first connecting to the VPN – and they can’t connect to the VPN without first getting to the web page.

So basically, I can use my work's laptop in a coffee shop where the network is shared by anyone (against which so much has been written, e.g. here). I can also use it in a network with password security only, for which there is even a WikiHow (!) guide on hacking. And yet, I cannot use it in a network that requires both username and password, which surely must be much more difficult to hack into.

What is this sense of security that underlies my organisation? Am I missing something?

asked by luchonacho (edited by Anders)
  • I think that they might be trying to warn you against phishing attacks. Some networks require that you enter a username and password on their own login screen; such things can later be used for password reuse attacks and other malicious activity. I don't think they're talking about something like WPA2 Enterprise Credentials which I'd imagine is perfectly fine to use. – xorist Aug 28 '18 at 11:49
  • The following does not answer your question, but will solve your problem: You can connect to eduroam using "username@example.com" with your normal username (without any "backslash" domain specifiers, so not "EXAMPLE\username@example.com") and password, supplied directly as the WiFi username and password. – Sanchises Aug 28 '18 at 12:55
  • “network is shared by anyone”: e.g. the internet. The internet is insecure. Having someone not let random strangers use the internet connection is not about your security, it is about theirs. – ctrl-alt-delor Aug 28 '18 at 15:49
  • They didn't say it was or wasn't secure, they just said it wouldn't work... – user253751 Aug 29 '18 at 03:38
  • I wouldn't be surprised if this kind of reminder were about phishing, in the loosest sense of the term - prompt for a username and password even without any context and you'll often get one. – John P Aug 29 '18 at 06:43
  • Key words: "in your web browser software". – Willtech Aug 29 '18 at 21:07
  • I'm extremely confused by this question. Does your organization offer eduroam on premises? If not, what makes you think that your credentials will enable you to connect to it? Eduroam is typically a reciprocal agreement, i.e. you offer it to others at your institution so that your users will be able to use it elsewhere. This means that it is easy to set up: you make sure that your device can access it at your institution, where you can ask your IT department for help, and the same configuration will (or at least should) work everywhere else. If you don't have it locally, something is broken. – E.P. Aug 30 '18 at 11:14
  • @E.P. I do part time work and part time study. Thus, I have access to my company's computer and also to my university's internet credentials. Nothing strange here. I just want to use my office's laptop when I'm at uni, for emails and stuff. – luchonacho Aug 30 '18 at 11:28
  • I feel the title of the question is quite misleading. It's not "no password" vs "username + password", it's "captive portal" vs "open wifi". – BgrWorker Aug 30 '18 at 15:24
  • @BgrWorker It is not misleading if you consider I did not know the concept of captive portal. If I had known that, this question would not have existed. – luchonacho Aug 30 '18 at 16:57
  • The title made me think of Remote Desktop; no password = no connection. Passwords can be guessed. AFAIK, with no password at all you can't establish a RD. – Mazura Aug 31 '18 at 02:29
  • You ask, "how is password less secure than no password?", but you have made a mistake in thinking that "no password" is ever an option. Even on open wifi connections, your computer is storing and using a longer and more secure password than would be feasible for you to remember yourself in its VPN configuration. – Daniel Wagner Aug 31 '18 at 13:22
  • @luchonacho it's still misleading, just unintentionally. – ESR Sep 03 '18 at 05:23
  • This has got to be the worst, most misleading question title on all of Stack Exchange. Also, the IT explanation is clear and you should probably try reading it again. – aaa90210 Sep 06 '18 at 02:45

8 Answers


They have configured the laptops to spin up a VPN connection and only speak to "home base" after they go on the network. That means that if there is a local "captive portal" that requires you to enter credentials, you will not be able to use it, because that would require evading the VPN.

(It's a chicken and egg thing. No VPN, no ability to reach the portal - no portal, no ability to spin up the VPN!)

It is more secure because they are ensuring that, no matter what connection you have, any network traffic you send goes through your company's network, your company's controls, and is not subject to interception or manipulation by any other party.

It unfortunately breaks the case of Wireless with a "captive portal," but allowing for that case would lower their security by allowing your machine to talk to arbitrary machines directly rather than through the VPN.


The "eduroam" service that you mention in the comment explicitly states that they do not have a captive portal, but use WPA-Enterprise based on 802.1X:

Does eduroam use a web portal for authentication?

No. Web Portal, Captive Portal or Splash-Screen based authentication mechanisms are not a secure way of accepting eduroam credentials.... eduroam requires the use of 802.1X...

802.1X is the kind of authentication you need to enter to configure your machine to connect to the network, so this case is one that your IT policy explicitly states that they allow:

if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK

In fact, eduroam appears to be very well aligned with your IT policy - they both distrust the "bad security" imposed by captive portals.


Based on the edit to the original question:

I am trying to connect to eduroam, but I cannot do it using my organisation's laptop. When I use a personal computer, it asks me for a username and password, just as a standard wifi network asks for password.

That suggests to me that your organization's laptop is simply not prompting you to connect to new networks the same way that your personal computer is. This could be because of different operating systems or different policies applied to the two computers. You may simply want to ask your IT group for help configuring 802.1X for connection to the eduroam network; using that keyword will make it clear to them you're trying to do something they allow.

gowenfawr (edited by user1686)
  • Thanks, but the network I want to connect to does not have such a captive portal, as far as I know. It is an [eduroam](https://www.eduroam.org/) network. It requires a username and password **even before** I connect. My personal computer just asks me for the un/pw before connecting, as any other wifi just asking for a password. – luchonacho Aug 28 '18 at 12:10
  • @luchonacho That's not covered in the text you posted. See "if however you can **readily connect to the WiFi but you need to enter a username and/or password in your web browser software**, then you will not be able to access the service." – Qwertie Aug 28 '18 at 12:12
  • @Qwertie Correct. Updated the answer. I thought context was unimportant, but well, it might be important! – luchonacho Aug 28 '18 at 12:15
  • But the policy only says password and not username and password. – luchonacho Aug 28 '18 at 12:16
  • @luchonacho username vs username + password is not important. What they are trying to say is the network must give you untampered access as soon as you are able to connect to it. Eduroam username+password does this but many public wifis attempt to hijack your http requests to show you a login page. Not many wifi networks ask for a username and a password when connecting, which is probably why they forgot to mention it as a safe method. – Qwertie Aug 28 '18 at 12:19
  • @gowenfawr, If the backend to the 802.11x is RADIUS, it's unlikely his organization's VPN would support it or allow it. It's an application layer protocol (TCP/UDP port 1812). – Nathan Goings Aug 28 '18 at 15:26
  • @NathanGoings in 802.1x with RADIUS, the supplicant (client) speaks to the authenticator (AP) using EAP, and the authenticator talks to the authentication server using RADIUS. So the client never needs to speak RADIUS; the EAP packets are part of the 802.11 WPA/WPA2 protocol. And as part of the 802.11 transport layer, they're pre-IP-network and not subject to the VPN. – gowenfawr Aug 28 '18 at 15:37
  • @gowenfawr, You're right! I completely forgot about that portion. – Nathan Goings Aug 28 '18 at 16:21
  • Eduroam is notoriously complicated to set up (on the client), due to how different providers (= Universities) choose to accept credentials. In theory it’s supposed to be standardised and trivial to set up; in practice some Eduroam providers need to provide multi-page PDF manuals to their customers to guide them through the setup process for each operating system, and *still* users get confused (even power users). OP’s inability to connect may have nothing to do with the corporate laptop and more with the provider’s implementation of it. – Konrad Rudolph Aug 28 '18 at 16:32
  • @KonradRudolph, your statement is completely wrong. Eduroam isn't notoriously complicated to set up; the only part that may be complicated is the initial 802.1X EAP supplicant configuration of the OS (which is then true for any 802.1X connection) but even that can be simple if the organization uses a decent onboarding solution. While there are many different providers as part of eduroam, your authentication should always be securely (i.e. TLS tunnel) proxied back to your home institution so the process should not change for a user from one provider to the next. – YLearn Aug 28 '18 at 18:50
  • @YLearn It should not change, correct. But it just factually *does*. I’ve been a member of several European University-affiliated institutes in the past and I can vouch that the process of setting up Eduroam has differed greatly between them. Furthermore, this isn’t just based on my personal experience but is an extremely common complaint. – Konrad Rudolph Aug 28 '18 at 18:55
  • @KonradRudolph, if you are talking about different institutions using different authentication methods/credentials, then yes each institution determines the best method for *their own users* as has always been the case (with or without eduroam). However, a single user's authentication does not change when visiting other member institutions because it is proxied back to their home institution. A user moving from one institution to the next is typically seamless and as simple as it gets. Again, your "complaint" isn't about eduroam, it is about 802.1X EAP supplicant configuration. – YLearn Aug 28 '18 at 19:07
  • @YLearn I’m not complaining, I’m *explaining* why OP is having difficulties despite using a network with a (somewhat) standardised configuration. – Konrad Rudolph Aug 28 '18 at 19:46
  • @KonradRudolph, that doesn't make sense. Most corporations use 802.1X for at least wireless if not both wireless and wired. 802.1X configuration would likely be part of such a standardized configuration already. – YLearn Aug 28 '18 at 21:14
  • @YLearn Again, 802.1X setup isn’t the issue of Eduroam (at least not exclusively). Eduroam configuration is probably completely unrelated to OP’s corporation’s setup. In fact, as far as I can tell 802.1X isn’t even necessarily required for Eduroam (only to connect as a guest to a *different* host institute). – Konrad Rudolph Aug 28 '18 at 21:18
  • @KonradRudolph, again, you aren't making sense to me. The only eduroam configuration issue for client devices is the 802.1X EAP supplicant. What else could you possibly be referring to as there is no other client configuration required. But I agree that this is now a "rabbit trail" discussion that is no longer helpful to the OP's question. – YLearn Aug 28 '18 at 21:23
  • @gowenfawr how does your answer align with this statement from the policy **"if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK"** ? – Rsf Aug 29 '18 at 07:16
  • @Rsf that statement describes WPA/WPA2 integrated authentication. The most common case for that is password-only, but it's functionally equivalent to EAP username+password. Setup may differ, but it still operates during the WPAx handshake and won't be inhibited by a VPN requirement, unlike the captive portal method. So in short, when they say "password", they mean "WPA/WPA2 authentication, which is *usually* password, but could be *username+password*" as the OP is experiencing here. – gowenfawr Aug 29 '18 at 12:01
  • I'm a regular eduroam user, and can testify that it's been a pain to set up in the past as @KonradRudolph says. It does seem to have got better in the last few years though. While the difficulty may not be due to eduroam *per se*, the end user won't care that it's their institution's implementation that's making life difficult; all they see is "eduroam" and a set of instructions in which the field names never quite seem to match exactly (and I've seen a requirement to manually add certificates as well). – Chris H Aug 31 '18 at 09:01
  • eduroam's complexity comes partly from EAP having so many sub-protocols to choose from, partly from sysadmins playing Protocol Lego, partly from client interfaces trying to be completely generic and objective instead of optimizing for the most popular case... If the home org offers PEAP-MSCHAPv2 the setup can be 100% painless (I test mine on Windows, iPads, Androids.) But if the home org _wants_ pain (e.g. client certificates) there will be pain. Finally as YLearn noted, it strictly depends on the _home_ organization, never on the _visited_ org, so you don't need to reconfigure on every trip. – user1686 Sep 03 '18 at 08:40
  • Captive portal **is** a man-in-the-middle attack on your network traffic. It serves a greater purpose of entering a password, or clicking "I agree to terms and conditions" - but typing stackoverflow.com and getting something else constitutes a fully-fledged attack. Your defenses can't tell apart "attack you want" from "attack you don't want", so both are blocked. – Agent_L Sep 03 '18 at 12:03

When you first connect to some websites, they require that you give them an email address, or some other piece of data, before you can use their service; this page is referred to as a captive portal.

Your company laptop is set up so that when it detects an internet connection, it connects back to your corporate VPN, and then connects back out from there. In most situations (scenarios 1 and 2 in your question) you can connect to the wifi with a password, or open wifi, tunnel into your corporate VPN, and then connect back out - all of which is done using the service of the wifi you are connecting to.

However, in situation 3 you may land on a captive portal web page, which requires that you enter some piece of data first in order to connect. However, your laptop is designed in such a way that you must connect to the corporate VPN first. This means that you can't connect to the VPN because you haven't entered any credentials on the captive portal, and you can't enter the credentials because you haven't connected to the VPN yet.

Hopefully this answers your question a little better than my previous comment. Leave a comment here and I'll update this if you have further questions.

edit: Just to add, the reason why a company might have this type of set-up is that they can ensure that all traffic passes through their VPN, which allows them to enforce other policies, i.e. acceptable use, etc. Please see @gowenfawr's answer above for more info, as he has explained it extremely well.

Connor J

There are already good answers as to the understanding of the policy, but I'm going to talk briefly about eduroam security and connection profiles to make sure that all bases are covered in terms of the answer. I've worked for two universities that offer eduroam and have spent a lot of time working with it.

Eduroam is a global network of universities and other educational institutions that peer together to allow members of one institution access to network resources at another partner institution.

Authentication to eduroam is done through the 802.1x protocol (with MS-CHAP v2 usually being the phase 2 authentication, at least in my experience). This is where the AP/Controller use RADIUS to talk to the RADIUS server at the home institution. Assuming all is good, the client is allowed to connect.

Encryption of the wireless packets from the machine to the AP is done with WPA2 (enterprise, hence the 802.1x authentication) encryption.

One of the biggest issues I've seen with eduroam connection profiles is when the operating system submits the logged-on user's credentials automatically (this is the default in Windows 7 and below... I think they changed this in Windows 8). I've also seen an issue where Windows will sometimes try to connect with the machine account, which is not usually authorized by the University (only user accounts are).

Once connected to eduroam, your company will tunnel out the data through their VPN provider. Depending on how the institution where you are trying to connect has the eduroam network set up, this may or may not work (the one place I worked only allowed some VPNs out while on eduroam, not all).

Allen Howard
  • Windows 8 and iOS automatically remember the institution's TLS certificate by fingerprint. Older Windows versions weren't completely insecure, but they required _manual_ configuration of the certificate's hostname. Android 7+ requires the hostname to be input as well. – user1686 Sep 03 '18 at 08:47
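As an added example (not code from any of the posters), this small parser illustrates the layering noted in the comments on gowenfawr's answer and in Allen Howard's answer: the 802.1X identity exchange travels in EAPOL frames (EtherType 0x888E) at the link layer, before the client even has an IP address, whereas a captive portal lives in IP/HTTP traffic that a VPN-only policy governs. The MAC address, the identity and the sample frames are constructed, and "example.edu" is a placeholder realm.

```python
"""Parse an 802.1X EAPOL frame and contrast it with an IPv4 frame."""
import struct

ETHERTYPE_EAPOL = 0x888E        # IEEE 802.1X Port Access Entity frames
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X multicast destination
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity: code(1) id(1) length(2) type(1) identity(n)."""
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                         5 + len(identity), EAP_TYPE_IDENTITY)
    return header + identity


def build_eapol_frame(src_mac: bytes, eap: bytes,
                      dst_mac: bytes = PAE_GROUP_ADDRESS) -> bytes:
    """Ethernet header + EAPOL header (version 2, type EAP-Packet) + EAP body."""
    eapol = struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame: bytes) -> dict:
    """Report the layer a frame lives at and, for EAP identity responses, the identity."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"ethertype": ethertype, "layer": "other", "identity": None, "realm": None}
    if ethertype == ETHERTYPE_IPV4:
        info["layer"] = "ip"        # captive-portal HTTP lives here, inside the VPN's scope
        return info
    if ethertype != ETHERTYPE_EAPOL:
        return info
    info["layer"] = "eapol"         # link layer: exchanged before any IP address exists
    payload = frame[14:]
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, pkt_type, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length mismatch")
    if pkt_type != EAPOL_TYPE_EAP_PACKET or len(body) < 5:
        return info
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if eap_len != len(body):
        raise ValueError("EAP length mismatch")
    if code == EAP_CODE_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
        identity = body[5:].decode("utf-8", errors="replace")
        info["identity"] = identity
        # The realm after '@' is what the visited site's RADIUS proxy uses to
        # forward the request to the home institution (outer identity only).
        info["realm"] = identity.rsplit("@", 1)[1] if "@" in identity else None
    return info


if __name__ == "__main__":
    # Constructed sample: a supplicant answering EAP-Request/Identity.
    client_mac = bytes.fromhex("020000000001")
    eapol = build_eapol_frame(client_mac, build_eap_identity_response(b"alice@example.edu"))
    print(parse_frame(eapol))
    # Constructed IPv4 frame (a blank 20-byte IP header, no payload) for contrast.
    ipv4 = PAE_GROUP_ADDRESS + client_mac + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)
    print(parse_frame(ipv4))
```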

What you are referring to is called a captive portal.

In order for such a portal to get displayed in your web browser, the following things need to happen:

  1. The WiFi router waits until your computer makes a non-encrypted (http://) request to a public website.
  2. It intercepts that request.
  3. It responds by impersonating the website you wanted to reach and sends you a redirect to the portal.

This is something which looks extremely evil to any security software on your computer. You are doing an unencrypted http request to a public website via an untrusted network and become the victim of a man-in-the-middle attack. Yes, you are aware of this, and you are doing this just so you can see the captive portal. But captive portals are not standardized, so your computer cannot tell the difference.

If the IT department allowed this process, they would also allow you to browse the internet over a completely insecure connection.

Philipp
  • Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) `www.example.com` to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as `www.example.com` would be able to trick anyone into doing anything they're not wanting to. – supercat Aug 28 '18 at 18:53
  • @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do. – Brilliand Aug 29 '18 at 22:37
  • @supercat there is nothing enforcing that the captive portal is actually a captive portal and not something that will download a virus. It might look like a page for entering a password or username, but it might not actually do anything aside from allowing you to continue browsing. With a standardized website that is even worse as now hackers can just mimic that website on a network that doesn't have captive portals and every user would fall for it and have no reason to believe otherwise. Captive portals that have different named URLs depending on the network actually aids in the security. – user64742 Aug 29 '18 at 23:16
  • @TheGreatDuck: If a browser would allow a visited page to execute code of its choosing with sufficient privilege to install a virus, that's a problem even if everything is done through a VPN. Likewise almost any publicly-addressable http-based web site visited through a VPN could be hijacked by anyone at any node between the web host and the VPN bridge, no matter what the VPN does. The particular use case of using a browser to access www.example.com and whatever that redirects to would seem like it should be safe in the absence of security flaws within the browser itself. – supercat Aug 31 '18 at 18:48
  • Perhaps the right approach would not be to pick a domain, but instead require that a browser used for such purposes be run within a particular VM, and instruct users that nothing requiring security should be run within that VM, but even there, picking a domain which one *expects* to be hijacked by a captive portal would help to recognize the difference between captive-portal hijacking and other forms. – supercat Aug 31 '18 at 18:49
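As an added example, not code from Philipp or anyone else in this thread, here is the kind of connectivity probe a client can run to detect the three steps above from the other side: it requests a plain-HTTP URL whose answer it already knows and treats any other answer as interception, which is also the decision point for the VPN-only laptop. The probe URL, the expected 204 answer, and the hotspot responses in the demo are assumed or constructed values.

```python
"""Classify a plain-HTTP connectivity probe to detect captive-portal interception."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed probe: a URL whose unencrypted answer the client knows in advance.
PROBE_URL = "http://probe.example.net/status"   # hypothetical, not a real service
EXPECTED_STATUS = 204
EXPECTED_BODY = b""
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_probe(status, headers, body, probe_url=PROBE_URL):
    """Compare what came back with the known answer.

    Verdicts: 'open' (untouched), 'captive-redirect' (step 3 above: a 3xx to
    some other host), 'captive-inline' (a portal page served in place of the
    real one), 'unreachable' (no answer at all), 'tampered' (anything else).
    """
    probe_host = urlsplit(probe_url).hostname
    if status is None:
        return {"verdict": "unreachable", "portal_host": None}
    if status == EXPECTED_STATUS and body == EXPECTED_BODY:
        return {"verdict": "open", "portal_host": None}
    if status in REDIRECT_CODES:
        location = _header(headers, "Location")
        target_host = urlsplit(location).hostname if location else None
        if target_host and target_host != probe_host:
            return {"verdict": "captive-redirect", "portal_host": target_host}
    content_type = (_header(headers, "Content-Type") or "").lower()
    if status == 200 and content_type.startswith("text/html"):
        # The portal impersonates the probe host itself (step 3 without a redirect).
        return {"verdict": "captive-inline", "portal_host": probe_host}
    return {"verdict": "tampered", "portal_host": None}


def vpn_may_start(verdict):
    """The chicken-and-egg rule from the thread: the VPN-only laptop proceeds only on 'open'."""
    return verdict == "open"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(url=PROBE_URL, timeout=5.0):
    """Run the probe against the network for real; not exercised offline."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.getcode(), dict(resp.headers), resp.read(), url)
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, dict(err.headers), err.read(), url)
    except (urllib.error.URLError, OSError):
        return classify_probe(None, {}, b"", url)


if __name__ == "__main__":
    # Constructed responses standing in for what a hotspot might return.
    samples = [
        (204, {}, b""),
        (302, {"Location": "https://login.hotspot.example/portal?url=http://probe.example.net/status"}, b""),
        (200, {"Content-Type": "text/html; charset=utf-8"}, b"<html><body>Please sign in</body></html>"),
        (None, {}, b""),
    ]
    for sample in samples:
        result = classify_probe(*sample)
        print(result["verdict"], "-> VPN may start:", vpn_may_start(result["verdict"]))
```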

Generally, these Wi-Fi hotspots authenticate via a MAC address. That is to say, after you sign in via their captive portal, they remember your system's Wi-Fi MAC address. Traffic from that MAC address will be permitted on their Wi-Fi hotspot for X minutes/hours, depending on their policy.

They also store it long enough that you can walk away, come back, get a new IP address and be recognized on MAC address alone. Some are vast. Once you hit "TOS Accept" on Target's guest Wi-Fi, it remembers your MAC address for years and nationwide to boot.

So, the question is: how can we come up on Wi-Fi with a machine with that MAC address, browse http://neverssl.com (or any non-HTTPS site), be redirected to the captive portal, satisfy the captive portal's requirements, and get our MAC address "remembered" as a good thing?

My thought is to use another device that allows you to alter its MAC address arbitrarily. Disable your company laptop's Wi-Fi and set its MAC address on your other device. Use it to walk through the captive portal's screens. Disable its Wi-Fi and enable your company laptop's Wi-Fi.

Another alternative would be to reboot your laptop off a thumb drive, into a non-locked-down OS, presuming your company is OK with that.


Okay, so let's address a few points in your question.

Organisations often use LDAP and other methodologies for authentication without a password, and it is yet more secure.

An infrastructure VPN only permits a particular IP range, which is allowed by firewall settings and iptables, to communicate with your intranet/internal network. Now, you actually get the credentials, or are only permitted to access this intranet using a particular IP subnet/range, often by only using the company's network via the infrastructure VPN, like Cisco SSL VPN or Sophos infrastructure VPN.

Hope this clears up some doubts you had!

P.S. - Use of a secure VPN that uses the IPsec protocol and is safely implemented, like that of Cisco SSL VPN for infrastructures, is far more secure than traditional ones and offers a deep layer of security from the context of an external attacker, who virtually can't access the network without having access to the infrastructure VPN.

A Khan

I can't say whether your organization's sysadmins will go for it, but you could suggest to them that they make a specific exception in their VPN configuration to allow direct, unencrypted connections to the website http://neverssl.com/. The entire purpose of this site is to be hijacked by captive portals. Nobody will ever need to visit via the corporate VPN, because it's useless except when you need to allow a captive portal to hijack an unencrypted HTTP connection and present its login page, and it doesn't accept any information, so nobody could exfiltrate corporate data that way. The remaining risk is that the captive portal itself might be malicious, and that's a real risk, so they might not go for it. But it's worth a try.

zwol
  • In the OP's case, the organization's sysadmins would *also* have to allow direct connections to arbitrary websites (specifically, to whatever website the captive portal wants to use for login). That's what they aren't willing to do. – Brilliand Sep 01 '18 at 23:48

How is no password more secure than username+password?

It is if you use a shared key. Here's the way it works, simply explained.

You have a secure key on your computer. The one that you're trying to log in to has a key that matches it. This allows a simple, quick, and secure passwordless login.

This link is mostly about remotely logging into a remote server via ssh, without entering a username and password. I do that all the time when I need to ssh into my leased bare-metal server in another state. Surely, it's possible to do that in your case.

Mike Waters