Date:      Tue, 25 Sep 2007 10:10:44 +0300
From:      Cristian KLEIN <cristi@net.utcluj.ro>
To:        freebsd-net@freebsd.org
Subject:   Re: Large-scale 1-1 NAT
Message-ID:  <46F8B474.5050609@net.utcluj.ro>
In-Reply-To: <20070925000602.GT19429@hal.rescomp.berkeley.edu>
References:  <20070924072517.GL19429@hal.rescomp.berkeley.edu> <46F77C27.9050400@net.utcluj.ro> <20070924203516.GQ19429@hal.rescomp.berkeley.edu> <46F82FCF.2090203@net.utcluj.ro> <20070925000602.GT19429@hal.rescomp.berkeley.edu>

>> There is another thing I wanted to point out. I remember you used the 
>> words "authentication web page". This made me think you are 
>> establishing a captive portal, which is not secure at all. If I 
>> understand well the authpf solution would be secure, except perhaps 
>> a small delay. You might proxy your clients to a "click here and 
>> download this preconfigured PuTTY" page.
> 
> We are planning on using a captive portal. The only authentication
> mechanism we have for clients is a web-based SSO solution using CAS that
> isn't maintained by our staff. The people trying to authenticate are not
> intended to be local users on the system. What are the security problems
> you see with a captive portal interface?

I haven't used CAS, but if I understand well from their wiki, CAS by itself
isn't meant to keep the session alive. This means that the following scenario
could occur:
1) User associates with your AP.
2) User logs in.
3) EvilUser associates with your AP.
4) EvilUser runs tcpdump and records the IP and MAC of User.
5) EvilUser sends a DDoS against User.
6) Running Windows :P, User is forced to restart his computer.
7) EvilUser sets his MAC and IP to the recorded ones.

Some captive portals do keep the session alive, by regularly refreshing the
page, using JavaScript or a Java applet. However, this means that the user will
have to keep his browser window open. IMHO, this is worse than keeping PuTTY
open while connecting to the Internet.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46F8B474.5050609>
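The contrast the message draws is between a captive portal, whose session is identified only by the client's IP/MAC pair, and authpf, whose rules exist only while the user's SSH session is open. The fragment below is an added example of the authpf arrangement, not configuration posted in the thread; interface names (em0, wlan0), the client network 10.0.0.0/24 and the file paths are assumptions chosen for illustration, and the rules are kept to the minimum needed to show the mechanism.

```conf
# /etc/pf.conf (assumed layout: wireless clients on wlan0, uplink on em0)
ext_if  = "em0"
int_if  = "wlan0"
clients = "10.0.0.0/24"

# Unauthenticated clients may only reach the gateway's SSH port; authpf is
# their login shell, so an SSH login is the "authentication".
pass in quick on $int_if proto tcp from $clients to ($int_if) port 22 keep state

# authpf loads per-user rules into this anchor when the SSH session starts
# and flushes them when the session ends (reboot, disconnect, ^C in PuTTY).
anchor "authpf/*"

# Anything else from the client network is blocked until authpf opens it.
block in on $int_if from $clients


# /etc/authpf/authpf.rules (assumed content): rules authpf installs per user.
# $user_ip is substituted by authpf with the address the SSH session came from,
# so a station that merely copies that IP and MAC later gets nothing, because
# the rule is gone as soon as the original SSH connection drops.
pass in quick on wlan0 from $user_ip to any keep state
```

With a captive portal the equivalent per-client pass rule would be installed after the web login and would remain until some timeout, which is exactly the window the seven-step scenario above exploits. With authpf the user pays for the tighter binding by having to keep the SSH client open, which is the trade-off the message ends on.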