Tuesday, January 30, 2007

Myth #3: Captive Portals are an effective way to prevent

When WPA or WPA2 can’t be used, many organizations turn to a captive portal to control network access. A captive portal is defined as a network security system that restricts access until a user verifies a credential through a web interface. The theory behind such systems is that web browsers are available on all manner of Wi-Fi devices, so creating a captive portal to authenticate the public would allow the largest number of authorized users to gain access to the Internet.

Hotels, universities, and airports are just some of the places that use captive portals. Those environments must handle such a wide variety of station devices that choosing one type of security is generally thought to be restrictive to the point that some of the target audience may be unable to enjoy wireless Internet access.

Using a captive portal does allow access to a wide variety of stations, but the security design is quite flawed. To understand the flaw in authenticating users via a captive portal, one must first understand what a captive portal is. Captive portals are a layer 2 security method. When users authenticate to a captive portal, their MAC address is placed in a list of authorized users. When the person logs off, their MAC address is removed from the list.

Once it is understood that a captive portal is nothing more than a dynamic MAC address filter, it becomes easy to understand why such portals are ineffective at restricting unauthorized users from a public Wi-Fi network. A number of free, simple software tools are available that allow people to modify the MAC address of their network interfaces. If an intruder has one of these tools and an 802.11 protocol analyzer, he could easily identify an authorized user’s MAC address and masquerade as that user to gain network access.
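The following Python sketch is an added example, not code from the original post or from any portal product. It models the portal as the dynamic MAC allow-list described above and shows a defender-side check for one authorized MAC appearing with two different client fingerprints. The class and function names, the DHCP-option fingerprint strings, and the sample observations are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CaptivePortal:
    """Model of the portal described above: a dynamic MAC allow-list."""
    # MAC -> client fingerprint recorded at login (recording one is an assumption)
    authorized: dict = field(default_factory=dict)

    def login(self, mac, fingerprint):
        self.authorized[mac.lower()] = fingerprint

    def logoff(self, mac):
        self.authorized.pop(mac.lower(), None)

    def is_allowed(self, mac):
        # The access decision looks at the layer 2 address and nothing else.
        return mac.lower() in self.authorized


def find_mac_conflicts(portal, observations):
    """Return allowed observations whose fingerprint differs from the login one."""
    alerts = []
    for ts, mac, ap, fingerprint in observations:
        if not portal.is_allowed(mac):
            continue  # already blocked by the portal, nothing to flag
        expected = portal.authorized[mac.lower()]
        if fingerprint != expected:
            alerts.append((ts, mac.lower(), ap, expected, fingerprint))
    return alerts


def demo():
    # Constructed sample data: locally administered MACs, made-up AP names.
    portal = CaptivePortal()
    portal.login("02:00:00:AA:BB:01", "dhcp-opts:1,3,6,15,119")
    portal.login("02:00:00:AA:BB:02", "dhcp-opts:1,3,6,15")
    portal.logoff("02:00:00:AA:BB:02")  # removed from the list at logoff
    observations = [
        (100, "02:00:00:aa:bb:01", "ap-lobby", "dhcp-opts:1,3,6,15,119"),
        (160, "02:00:00:aa:bb:01", "ap-floor3", "dhcp-opts:1,15,3,6,44"),
        (170, "02:00:00:aa:bb:02", "ap-lobby", "dhcp-opts:1,3,6,15"),
    ]
    allowed = [portal.is_allowed(o[1]) for o in observations]
    return allowed, find_mac_conflicts(portal, observations)


if __name__ == "__main__":
    print(demo())
```

The portal admits both observations that carry the first MAC because the address is the only thing it checks; only the separate fingerprint comparison separates the second one from the session that actually logged in.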

A secondary reason why captive portals are no longer considered a good way to restrict unauthorized users from a public network is that Wi-Fi client utilities have become largely standardized. Users of all operating systems now have client utilities available that support WPA and even WPA2 on a number of adapters. With these stronger security protocols now being nearly ubiquitous, it has become reasonable to require public access users to log in with a WPA/WPA2 Personal passphrase rather than through a captive portal. A publicly distributed passphrase may lack the security required for an enterprise network, but it is a far more secure solution for public networks than a captive portal.
