
Security layers in ClearPass Captive Portal

Hello,

We just completed a new deployment for a customer, involving Airwave + Controllers + ClearPass.

For the guests, we created a classic Captive Portal page on ClearPass + MAC Caching.

Now the customer is concerned about his security... He is afraid that with MAC Caching, someone could just "sniff" one of the MAC addresses already cached on ClearPass and thus bypass the user+pw authentication on the captive portal (he will use this method even for employees and therefore not only internet navigation but also corporate navigation).

So my question is, what are the layers of security involved here?

Is the MAC address submission between device and ClearPass really in the clear? Is it encrypted?

And what, in general, are the security layers/methods when using a captive portal on ClearPass?

Thank you very much to whoever answers my post.


Accepted Solutions
Guru Elite

Re: Security layers in ClearPass Captive Portal

A user can sniff MAC addresses and attempt to connect as a user on an open network like that of a Captive Portal, so you don't want to use that for employee traffic. There are MAC spoofing and IP spoofing protections that you can put in place, but you simply don't want your employees on a network that does not have encryption, because all of their traffic will be sent in cleartext.

Wireless that is not encrypted should not be used for employee communications, period. Employees should use encrypted wireless to communicate.

Guest networks or captive portal networks should only be on a VLAN that is not routable to an internal network and is protected by Aruba Firewall policies to keep that traffic segregated.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

