Occasional Contributor II
Posts: 12
Registered: ‎09-02-2009

Encrypting Guest traffic

Is there a way to set encryption on traffic from a guest user after he/she authenticates via the captive portal? My corp grows increasingly worried about guest users being victimized while connected with no encryption (and us being held liable). I'm new to this Aruba stuff so pardon my ignorance if this is well covered territory.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Encrypting Guest traffic

There is no way short of switching them to a new virtual AP. Most of your guests will probably launch a VPN of some sort once they connect. You may want to add something to your terms of service to remind users that there is no security on the guest network and that they should take measures to protect themselves.

The biggest issue with encrypting guests is helping users configure their laptop. You could use WPA2-PSK followed by captive portal, but you should have some instructions to help people understand how to configure the PSK, and understand that it is a PSK so users could still be at risk if an attacker has the key and can capture the initial messages.

Hope that helps,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Encrypting Guest traffic

I agree with Andy, you should really ensure that it's explained to your guests that their traffic is in the clear and it's their responsibility to protect their own data.

I'm not a lawyer, but just about every hotspot out there (hotels, McDonald's, Burger King, Panera Bread, Atlanta Bread, etc.) uses no encryption and they don't seem concerned about being held liable, and I'm sure their lawyers hashed that out a long time ago.

We considered using WPA-PSK, but the overhead would be massive for us. We have guests that can't even figure out how to connect to an open SSID. FYI, even though we didn't go a PSK route anyway, we didn't consider WPA2 because not all clients support it. Slowly but surely the ones that don't will fade away, but you'll end up with a guest that has an old client and can't do it.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Encrypting Guest traffic

Agree with you Mike, the problem is TKIP wasn't made to last, and it's starting to show some cracks. When we ran WPA2-PSK followed by CP at Black Hat in 2008 (their choice BTW) I don't think we ran into anyone that couldn't do it, and there were some old machines. So old I was helping folks FTP drivers off HP's site.

If I were running a site where this was a concern I would probably go ahead and run mixed mode on that SSID, but really it's getting harder to find a client that doesn't support it especially since XP SP3.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Encrypting Guest traffic

Understood Andy, all valid points. I think to completely cover yourself though, it's got to stay open, no WPA or WPA2. We don't provide any support for our guests, so if we went down the road of WPA2, we'll undoubtedly exclude people, then we'll run into our local staff allowing them to "sneak" onto our wired network. Although we do provide wired guest access as well, so I dunno, perhaps there will be a day where we have a PSK and CP guest wireless network.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Encrypting Guest traffic

Agree Mike, it's probably easiest to leave it open and use CP to authenticate. That way you eliminate the technical hurdles to getting folks on, and if there is an issue with data sniffing you've warned them with your TOS that they should protect themselves.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II
Posts: 12
Registered: ‎09-02-2009

Re: Encrypting Guest traffic

Thanks for your responses. We've hashed through the PSK option and discarded the idea, as mike.j.gallagher mentioned it's too much work to maintain. My best bet may be to spend my energy convincing legal to sign off on this rather than finding a workaround that suits everyone.
Contributor I
Posts: 26
Registered: ‎04-13-2009

Re: Encrypting Guest traffic

I think another option is to use dot1x with EAP termination on the controller instead of captive portal, and then use the internal db for dot1x authentication. Once all is done you can authenticate users against it even if the account is created by the guest provisioner.
Aruba
Posts: 760
Registered: ‎05-31-2007

Re: Encrypting Guest traffic

Hi Wajih,

Good to see you on the new site ;)

The challenge with 802.1x is twofold:

a) Education of the end-users as to how to configure their end device of choice needs to take place, and

b) Actual configuration needs to be accurate...

Not insurmountable but not trivial either in most cases.

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Encrypting Guest traffic

If you are running ClearPass in 6.4 you can now set up encrypted guest.

Essentially it's a PEAP auth with a shared account, but it gives each user their own over-the-air encryption.

Thank You,
Troy
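
Two posts in this thread turn on the same mechanism: the caution that WPA2-PSK guests are still at risk from anyone who has the key and captures the initial handshake messages, and the note that a PEAP-based guest setup gives each user their own over-the-air encryption. The Python sketch below is an added example, not part of the thread and not Aruba code; it uses the standard WPA2 key derivation with constructed SSID, passphrase and MAC values, and models the 802.1X session key as random bytes (an assumption standing in for the EAP method's per-session key material).

```python
import hashlib
import hmac
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: every guest derives the same PMK from passphrase + SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    # 802.11i PRF (HMAC-SHA1): the PTK depends only on the PMK plus values
    # that cross the air unencrypted in the 4-way handshake.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def compare_modes() -> dict:
    # Constructed sample values, not taken from the thread.
    ssid, passphrase = "Guest-WiFi", "lobby-poster-passphrase"
    ap, guest = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # PSK: the guest's session key, and the same computation by anyone who
    # holds the passphrase and observed the handshake frames.
    guest_ptk = derive_ptk(psk_pmk(passphrase, ssid), ap, guest, anonce, snonce)
    observer_ptk = derive_ptk(psk_pmk(passphrase, ssid), ap, guest, anonce, snonce)

    # 802.1X/PEAP: PMK comes from per-session EAP key material (modelled here
    # as random bytes), so the shared login alone does not reproduce it.
    dot1x_ptk = derive_ptk(os.urandom(32), ap, guest, anonce, snonce)
    login_only = derive_ptk(psk_pmk("shared-guest-login", ssid), ap, guest, anonce, snonce)

    return {"psk_key_reproducible": guest_ptk == observer_ptk,
            "dot1x_key_reproducible": dot1x_ptk == login_only}


if __name__ == "__main__":
    print(compare_modes())
```

For a guest SSID the practical reading is that a published PSK keeps out parties who lack the passphrase but does not separate guests from one another, while per-session keying does.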