last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Security layers in ClearPass Captive Portal

Jump to Best Answer
  • 1.  Security layers in ClearPass Captive Portal

    Posted Aug 18, 2020 05:04 AM


    we just completed a new deployment for a customer, involving Airwave + Controllers + ClearPass.

    For the guests, we created a classic Captive Portal page on ClearPass + MAC Caching.

    Now the customer is concerned about his security... He is afraid that with MAC Caching, someone could just "sniff" one of the mac addresses already cached on clearpass and thus bypass the user+pw authentication on the captive portal (he will use this method even for employees and therefore not only internet navigation but also corporate navigation).

    So my question is, what are the layers of security involved here?

    Is really the mac address submission between device and clearpass in clear? Is it encrypted?

    And what are in general the security layers/methods using captive portal on ClearPass?


    Thank you very much for whoever will answer my post

  • 2.  RE: Security layers in ClearPass Captive Portal
    Best Answer

    Posted Aug 18, 2020 06:06 AM

    Hi Telematic,


    A captive portal is a open network without any encryption at the 802.11 wireless layer (2). Captive portal before authentication is just a DNS Re-direction, after authentication there is no 802.11 encryption evolved. The applications itself is fully responsible for security by using end-to-end encryption at layer (7).


    Saying that, you will find out that the use of captive portal are not secure enough for production environments, just for guest access which only have to reach the internet, and must be separate from any production networks by the firewall offcourse.


    Yes mac-spoofing of a captive-portal is possible, as we known all client mac-addresses are always visible in the 802.11 management frames. There are less network drivers available that can change the mac-address and are allmost only linux boxes, windows can't change the mac-address. If a mac-addres is duplicated online this will cause connectivity issues, but yes it's possible with a box like Kali Linux, in practice it will be rare, maybe with the exception of the education or hotel sector.


    Mac-caching is a great feature that helps to increase the user experience of guest users to not shown up the portal each time they re-authenticated. But really secure its never!


    (Please note that Apple IOS14 start using mac randomization, what have a big impact on the way how we using mac-caching for wireless devices).


    If you have concern about security, don't use captive portals at all but use radius authentication. Radius authentication (WPA-Enterprise) have AES encryption at the 802.11 WiFi layer 2, so all data in air is encrypted, even when the application is not (till leaving the wireless network) ;;)).


    The most robust solutions could be the ClearPass Onboard feature (licenced). Where you use a captive portal to onboard wireless clients to provide the client with a certificatie (deployed over HTTPS security). After that the user needs to reconnect to the SSID with certificate bases security (EAP-TLS). The onboarding solution is most used for BYOD devices.


    For corporate devices deploy EAP-TLS through your active directory or MDM solution.


    For guests captive-portals are fine (with or without mac-caching) because they are allowed to use "internet-only". You can also combine captive-portal with a WPA2 key on top, but that is a less used solution.


    Hope this helps you!