Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

HTTPS captive portal

The https captive portal screen.
Are the user name and passwords encrypted so that they are not still clear text?

I know typical captive portal usage has Open wireless networks.

So why https page for authentication?
Are username/passwords able to be sniffed?

Also, if this Captive Portal is tied to a RADIUS or LDAP account, does that mean that domain user accounts are now open over the open wireless network?

I have configured many wireless accounts, most with a default guest username/password.
Now I have a customer who would like to authenticate users this way also for limited access with home laptops, etc. But I am trying to understand possible security concerns.

Any Aruba documentation references would be greatly appreciated.

thanks
Aruba
Posts: 760
Registered: ‎05-31-2007

HTTPS captive portal

The username/passwords are encrypted through the https/standard SSL session. That is the reason that https is the default of the Aruba captive portal: to encrypt the sensitive username/password data. No different really than authenticating to a banking website or Yahoo Mail as examples that both use https.

The user data -after- the login is not encrypted by the captive portal authentication mechanism, so in that way it's exactly like Yahoo mail (secure login, open/non-encrypted user data) sessions.

Hope that helps...
Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: HTTPS captive portal

Yes, thanks,

I understand user data is not encrypted, and that is to be expected. I just wanted to make sure any user account passwords were not being sent in the clear.

thanks again.

peter
Aruba
Posts: 760
Registered: ‎05-31-2007

HTTPS captive portal

Correct. You could always verify that with a quick Wireshark if you would like as well.
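
An added example, not part of the original thread: one way to do the check suggested above offline, by labelling each client-to-portal TCP payload exported from a capture as a TLS record or as clear-text HTTP carrying login form fields. The field names, host and path are assumptions, and the sample payloads are constructed.

```python
"""Added example: label client-to-portal TCP payloads exported from a capture."""
import struct
from urllib.parse import parse_qs

# Assumed form field names; adjust to the portal's actual login form.
CRED_FIELDS = {"user", "username", "password", "passwd"}
TLS_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, application_data

def classify_payload(data: bytes) -> str:
    """Return 'tls', 'cleartext-credentials', 'cleartext-http' or 'unknown'."""
    # TLS record header: content type (1), version (2), length (2).
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype in TLS_TYPES and major == 3 and minor <= 4 and 0 < length <= 18432:
            return "tls"
    head, _, body = data.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "unknown"
    method, target, _ = parts
    # Credentials can ride in the query string or in a form-encoded POST body.
    names = set(parse_qs(target.partition("?")[2], keep_blank_values=True))
    if method == "POST":
        names |= set(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    if {n.lower() for n in names} & CRED_FIELDS:
        return "cleartext-credentials"  # only field names are inspected, never values
    return "cleartext-http"

# Constructed sample payloads (not from a real capture; host and path are placeholders).
SAMPLES = {
    "portal login over HTTPS": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32),
    "login form posted over HTTP": (
        b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"user=guest&password=example"
    ),
    "browsing after login": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}

def audit(samples: dict) -> dict:
    """Map each sample name to its classification label."""
    return {name: classify_payload(payload) for name, payload in samples.items()}

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{label:22} {name}")
```

A correctly configured HTTPS portal should only ever produce the `tls` label for the login exchange; traffic after login on the open SSID shows up as `cleartext-http`, matching the behaviour described in the reply above.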
Occasional Contributor II
Posts: 11
Registered: ‎09-12-2011

Re: HTTPS captive portal

Make sure you put a valid cert on the controller. If I understand SSL correctly, if a client gets a message in their browser that the cert is untrusted and chooses to go to the site anyway, then the traffic is unencrypted.
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

Re: HTTPS captive portal

Still encrypted, but you don't know who you are connecting to.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs