It depends a bit on the exact question that is asked, but I would not advise using open networks for anything. For some cases, like in anonymous guest networks, there is no real alternative. WPA3 OWE is promising for that use by adding encryption.
For authenticated networks, I would go for WPA2-Enterprise wherever possible. If you would like to learn more about security principles, and I would expect this captive portal and different types of wireless encryption to be part of it, there is a nice webinar series about Security Essentials coming up next week.
If you like, please share the case number in a private message, or ask the TAC Engineer to reach out to me. More than happy to see the context of this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Jan 21, 2021 08:49 AM
From: Nathan Kuhl
Subject: macOS Big Sur - Unsecured Network
Thanks everyone for the responses. It's strange that Aruba support just responded with the following:
"From the case description I understand that after updating the mac devices to Big Sur, you are receiving an unsecured network alert.
As long as the captive portal certificate is valid and not expired, the connection shouldn't be insecure. It could be an issue from the Apple end."
--
Nathan Kuhl
Information Technology
Wyoming Seminary
570-270-2241
Original Message:
Sent: 1/21/2021 7:56:00 AM
From: Herman Robers
Subject: RE: macOS Big Sur - Unsecured Network
It's not only on an open SSID that you can sniff traffic, but you also can inject traffic and by spoofing the MAC address of an authorized client (which you can easily sniff) you can circumvent the captive portal and get to any resources that the authenticated user could get.
The funny thing is that your Guest network does have encryption.
If you can't move to EAP/WPA Enterprise, you probably should at least enable WPA2-PSK with an impossible-to-guess password on the SSID if it provides access to anything that has value.
------------------------------
Herman Robers
Original Message:
Sent: Jan 21, 2021 07:40 AM
From: Bruce Osborne
Subject: macOS Big Sur - Unsecured Network
The answer depends on your SSID settings. An open SSID with a captive portal login, even when using a RADIUS server, is unencrypted and therefore unsecured. Traffic can be sniffed.
We are currently using EAP-PEAP MSCHAPv2 to RADIUS & AD and will move to the more secure certificate-based EAP-TLS on our network.
------------------------------
Bruce Osborne
Original Message:
Sent: Jan 20, 2021 06:59 PM
From: Nathan Kuhl
Subject: macOS Big Sur - Unsecured Network
Our Macs that have updated to the latest version of macOS, Big Sur, report an Unsecured Network message when connected to the Aruba wireless network. We use a secured captive portal as a login to our production network. The computer is then registered using RADIUS in our NAC server. Is this connection truly insecure as macOS states?
------------------------------
Nathan Kuhl
------------------------------
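As an added example that is not part of the original thread: the SSID modes the replies compare (open, OWE, WPA2-PSK, WPA2-Enterprise) can be told apart from the AKM suites a beacon advertises in its RSN element, which is a quick way to audit what an SSID really offers. The function names and sample SSIDs are hypothetical, the RSN bodies are constructed rather than captured, and a missing RSN element is assumed to mean an open SSID (legacy WEP/WPA1 are ignored).

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types under OUI 00-0F-AC (IEEE 802.11 RSN element)
AKM = {1: "enterprise", 5: "enterprise", 2: "psk", 6: "psk", 8: "sae", 18: "owe"}


def parse_akms(rsn_body):
    """Return AKM suite type numbers from an RSN element body (ID 48, header stripped)."""
    if len(rsn_body) < 8 or struct.unpack_from("<H", rsn_body, 0)[0] != 1:
        raise ValueError("not a version 1 RSN element")
    off = 6  # skip version (2 bytes) and group cipher suite (4 bytes)
    (n_pairwise,) = struct.unpack_from("<H", rsn_body, off)
    off += 2 + 4 * n_pairwise
    if len(rsn_body) < off + 2:
        raise ValueError("truncated before AKM count")
    (n_akm,) = struct.unpack_from("<H", rsn_body, off)
    off += 2
    if len(rsn_body) < off + 4 * n_akm:
        raise ValueError("truncated AKM list")
    suites = [rsn_body[off + 4 * i: off + 4 * i + 4] for i in range(n_akm)]
    return [s[3] for s in suites if s[:3] == IEEE_OUI]


def classify(rsn_body):
    """Classify an SSID from its beacon RSN element; None means none was advertised."""
    if rsn_body is None:
        # Assumption: no RSN element means an open SSID. A captive portal on top
        # does not change this, because the frames themselves are unencrypted.
        return "open"
    kinds = {AKM.get(t, "other") for t in parse_akms(rsn_body)}
    # With several AKMs advertised, report PSK first since clients may select it.
    for kind in ("psk", "sae", "owe", "enterprise"):
        if kind in kinds:
            return kind
    return "other"


def build_rsn(akm_types):
    """Build a constructed RSN body with CCMP ciphers (sample data, not a capture)."""
    ccmp = IEEE_OUI + b"\x04"
    akms = b"".join(IEEE_OUI + bytes([t]) for t in akm_types)
    return (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
            + struct.pack("<H", len(akm_types)) + akms + b"\x00\x00")


if __name__ == "__main__":
    samples = {"Guest-Portal": None, "Guest-OWE": build_rsn([18]),
               "Staff-PSK": build_rsn([2]), "Staff-EAP": build_rsn([1])}
    for ssid, rsn in samples.items():
        print(ssid, "->", classify(rsn))
```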