Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Encrypting Guest traffic

  • 1.  Encrypting Guest traffic

    Posted Sep 02, 2009 12:11 PM
    Is there a way to set encryption on traffic from a guest user after he/she authenticates via the captive portal? My corp grows increasingly worried about guest users being victimized while connected with no encryption(and us being held liable). I'm new to this Aruba stuff so pardon my ignorance if this is well covered territory.


  • 2.  RE: Encrypting Guest traffic

    Posted Sep 02, 2009 02:47 PM
    There is no way short of switching them to a new virtual AP. Most of your guests will probably launch a VPN of some sort once they connect. You may want to add something to your terms of service to remind users that there is no security on the guest network and that they should take measures to protect themselves.

    The biggest issue with encrypting guests is helping users configure their laptop. You could use WPA2-PSK followed by captive portal, but you should have some instructions to help people understand how to configure the PSK, and understand that it is a PSK so users could still be at risk if an attacker has the key and can capture the initial messages.

    Hope that helps,
    -awl


  • 3.  RE: Encrypting Guest traffic
    Best Answer

    Posted Sep 02, 2009 04:32 PM
    I agree with Andy, you should really ensure that it's explained to your guests that their traffic is in the clear and it's their responsibility to protect their own data.

    I'm not a lawyer, but just about every hotspot out there (hotels, McDonald's, Burger King, Panera Bread, Atlanta Bread, etc.) uses no encryption and they don't seem concerned about being held liable, and I'm sure their lawyers hashed that out a long time ago.

    We considered using WPA-PSK, but the overhead would be massive for us. We have guests that can't even figure out how to connect to an open SSID. FYI, even though we didn't go the PSK route anyway, we didn't consider WPA2 because not all clients support it. Slowly but surely the ones that don't will fade away, but you'll end up with a guest that has an old client and can't do it.


  • 4.  RE: Encrypting Guest traffic

    Posted Sep 02, 2009 06:08 PM
    Agree with you Mike, the problem is TKIP wasn't made to last, and it's starting to show some cracks. When we ran WPA2-PSK followed by CP at Black Hat in 2008 (their choice BTW) I don't think we ran into anyone that couldn't do it, and there were some old machines. So old I was helping folks FTP drivers off HP's site.

    If I were running a site where this was a concern I would probably go ahead and run mixed mode on that SSID, but really it's getting harder to find a client that doesn't support it especially since XP SP3.

    -awl


  • 5.  RE: Encrypting Guest traffic

    Posted Sep 03, 2009 04:08 PM
    Understood Andy, all valid points. I think to completely cover yourself though, it's got to stay open, no WPA or WPA2. We don't provide any support for our guests, so if we went down the road of WPA2, we'll undoubtedly exclude people, then we'll run into our local staff allowing them to "sneak" onto our wired network. Although we do provide wired guest access as well, so I dunno, perhaps there will be a day where we have a PSK and CP guest wireless network.


  • 6.  RE: Encrypting Guest traffic

    Posted Sep 03, 2009 04:39 PM
    Agree Mike, it's probably easiest to leave it open and use CP to authenticate. That way you eliminate the technical hurdles to getting folks on, and if there is an issue with data sniffing you've warned them with your TOS that they should protect themselves.

    -awl


  • 7.  RE: Encrypting Guest traffic

    Posted Sep 09, 2009 01:46 PM
    Thanks for your responses. We've hashed through the PSK option and discarded the idea; as mike.j.gallagher mentioned, it's too much work to maintain. My best bet may be to spend my energy convincing legal to sign off on this rather than finding a workaround that suits everyone.


  • 8.  RE: Encrypting Guest traffic

    Posted Nov 16, 2011 10:00 PM
    I think another option is to use dot1x with EAP termination on the controller instead of captive portal and then use the internal DB for dot1x authentication. Once all is done you can authenticate users against it, even if the account is created by the guest provisioner.


  • 9.  RE: Encrypting Guest traffic

    Posted Nov 16, 2011 10:16 PM

    Hi Wajih, good to see you on the new site ;) The challenge with 802.1x is twofold: a) education of the end-users as to how to configure their end device of choice needs to take place, and b) the actual configuration needs to be accurate...

    Not insurmountable but not trivial either in most cases.



  • 10.  RE: Encrypting Guest traffic

    EMPLOYEE
    Posted Sep 04, 2014 11:47 PM

    If you are running ClearPass 6.4 you can now set up encrypted guest.

    Essentially it's a PEAP auth with a shared account, but it gives each user their own over-the-air encryption.




  • 11.  RE: Encrypting Guest traffic

    Posted Oct 06, 2014 03:41 AM

    Hi Tarnold,

    but I will still need to create an SSID profile on, e.g., my Windows computer. You cannot connect to the SSID without having the user do something.

    I think this will not be an 'easy' solution for the typical dumb guest user.



  • 12.  RE: Encrypting Guest traffic

    EMPLOYEE
    Posted Oct 06, 2014 03:50 AM
    Most devices now support simple connection to a secure SSID. No matter which way you choose (PEAP, WPA, WEP), the users will still need to add a profile.

    Like you say, for most users it might still be too complicated, so most customers deploy an open SSID with captive portal.

    It all comes down to whether you want the data secured over the air, and most WEP and WPA can be broken pretty quickly. Using PEAP gives each user their own unique encryption when they connect.
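    The key-derivation difference that posts 2 and 12 are arguing about, as an added example that is not part of the thread: under WPA/WPA2-Personal the PMK is PBKDF2 of the passphrase salted with the SSID, so every guest who types the same PSK holds the same PMK, whereas under 802.1X/PEAP the PMK is cut from the MSK exported by each client's own EAP-TLS tunnel. The `dot1x_pmk` inputs below are constructed random bytes standing in for real EAP output; the test vector (`password`/`IEEE`) is from the IEEE 802.11i annex.

    ```python
    import hashlib
    import secrets


    def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
        """PMK for WPA/WPA2-Personal per IEEE 802.11i: PBKDF2-HMAC-SHA1,
        4096 iterations, 256-bit output, salted only with the SSID.
        Same passphrase + same SSID always yields the same PMK."""
        if not 8 <= len(passphrase) <= 63:
            raise ValueError("WPA passphrase must be 8-63 ASCII characters")
        return hashlib.pbkdf2_hmac(
            "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
        )


    def dot1x_pmk(msk: bytes) -> bytes:
        """With 802.1X (PEAP/EAP-TLS) the PMK is the first 256 bits of the
        MSK the EAP method exports; the MSK is fresh for each authentication,
        so two guests sharing one PEAP username still get different PMKs."""
        if len(msk) < 32:
            raise ValueError("MSK must be at least 32 bytes")
        return msk[:32]


    def guest_pmks_psk(ssid: str, passphrase: str, guests: int) -> list[bytes]:
        """PMKs seen by N guests on a PSK network advertised in the TOS."""
        return [wpa2_psk_pmk(passphrase, ssid) for _ in range(guests)]


    def guest_pmks_dot1x(guests: int) -> list[bytes]:
        """PMKs seen by N guests on a PEAP network; MSKs are constructed
        (random) here in place of a real EAP-TLS handshake."""
        return [dot1x_pmk(secrets.token_bytes(64)) for _ in range(guests)]


    def shares_pmk(pmks: list[bytes]) -> bool:
        """True when every guest in the list holds one and the same PMK."""
        return len(set(pmks)) == 1


    if __name__ == "__main__":
        print("PSK guests share PMK:  ", shares_pmk(guest_pmks_psk("Guest", "welcome123", 3)))
        print("PEAP guests share PMK: ", shares_pmk(guest_pmks_dot1x(3)))
    ```
    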


  • 13.  RE: Encrypting Guest traffic

    Posted Sep 24, 2019 11:32 PM

    Could you use onboarding with clearpass?



  • 14.  RE: Encrypting Guest traffic

    EMPLOYEE
    Posted Sep 25, 2019 12:19 AM

    Onboarding visitors is not a good idea. It would mean making them go through the process of Onboarding for internet access, which is overkill. Best solution is to use PEAP-Public.

    Also, check this out https://blogs.arubanetworks.com/industries/wpa3-the-next-generation-in-secure-mobility/

    Note, we do not have many clients that support WPA3 yet.