Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

HTTPS captive portal

  • 1.  HTTPS captive portal

    Posted Jul 07, 2011 05:13 PM
    The https captive portal screen.
    Are the user name and passwords encrypted so that they are not still clear text?

    I know typical captive portal usage has Open wireless networks.

    So why https page for authentication?
    Are username/passwords able to be sniffed?

    Also, if this Captive Portal is tied to a RADIUS or LDAP account, does that mean that domain user accounts are now open over the open wireless network?

    I have configured many wireless accounts, most with a default guest username/password.
    Now I have a customer who would like to authenticate users this way also for limited access with home laptops, etc. But I am trying to understand possible security concerns.

    Any aruba documentation references would be greatly appreciated.

    thanks


  • 2.  RE: HTTPS captive portal

    Posted Jul 07, 2011 06:21 PM
    The username/passwords are encrypted through the https/standard ssl session. That is the reason that https is the default of the Aruba captive portal: to encrypt the sensitive username/password data. No different really than authenticating to a banking website or yahoo mail as examples that both use https.

    The user data -after- the login is not encrypted by the captive portal authentication mechanism, so in that way it's exactly like Yahoo mail (secure login, open/non-encrypted user data) sessions.

    Hope that helps...


  • 3.  RE: HTTPS captive portal

    Posted Jul 08, 2011 08:05 AM
    Yes, thanks,

    I understand user data is not encrypted, and that is to be expected. I just wanted to make sure any user account passwords were not being sent in the clear.

    thanks again.

    peter


  • 4.  RE: HTTPS captive portal

    Posted Jul 08, 2011 09:10 AM
    Correct. You could always verify that with a quick Wireshark if you would like as well.
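
The capture check suggested above, sketched as an added example that is not part of the original thread: it classifies the first bytes a client sends to the portal as a TLS handshake or cleartext HTTP, and lists any credential fields readable in a cleartext POST. The field names, the `/login` path and both sample payloads are constructed assumptions; real input would be payload bytes exported from your own test capture.

```python
import re
from urllib.parse import parse_qs

# Form field names treated as credentials (assumed; match them to your portal's form).
CRED_FIELDS = {"user", "username", "password", "passwd"}

def classify_payload(payload: bytes) -> str:
    """Classify the first client bytes on a TCP connection to the portal."""
    # TLS record header: content type 0x16 (handshake), protocol major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if re.match(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n", payload):
        return "cleartext-http"
    return "unknown"

def exposed_credential_fields(payload: bytes) -> list:
    """Names of credential fields readable on the wire (empty if none)."""
    if classify_payload(payload) != "cleartext-http":
        return []
    if not payload.startswith(b"POST "):
        return []
    _head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return []  # headers only, no form body in this segment
    fields = parse_qs(body.decode("latin-1"))
    return sorted(k for k in fields if k.lower() in CRED_FIELDS)

# Constructed sample: a login form submitted over plain HTTP.
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user=guest&password=Example1"
)

# Constructed sample: start of a TLS ClientHello record (body zero-filled).
TLS_HELLO = bytes.fromhex("16030100c8010000c40303") + bytes(32)

if __name__ == "__main__":
    for name, data in (("http login", HTTP_LOGIN), ("tls hello", TLS_HELLO)):
        print(name, classify_payload(data), exposed_credential_fields(data))
```

A `tls` result only shows the login is carried inside TLS; whether the client is talking to the real controller still depends on the certificate, as the later replies discuss.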


  • 5.  RE: HTTPS captive portal

    Posted Sep 17, 2011 02:36 AM
    Make sure you put a valid cert on the controller. If I understand SSL correctly, if a client gets a message in their browser that the cert is untrusted and chooses to go to the site anyway, then the traffic is unencrypted.


  • 6.  RE: HTTPS captive portal

    EMPLOYEE
    Posted Sep 17, 2011 07:55 AM
    Still encrypted, but you don't know who you are connecting to.