 From:  Jim Thompson <jim at netgate dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Spoofing max adresses
 Date:  Wed, 4 May 2005 12:00:38 -1000
On May 4, 2005, at 9:50 AM, Chris Buechler wrote:

> On 5/4/05, Nans Delrieu <delrieu dot nans at laposte dot net> wrote:
>> Lots of captive portals use the MAC address after authentication. After
>> auth, the captive portal looks for MAC addresses and lets you surf if the MAC
>> address is good.
>> For example, if someone (called A) wants to connect to the local network,
>> he gives his login and password.
>> Then, the captive portal authorizes this person if the login and the
>> password are good. But after authentication, if an ill-intentioned person
>> B takes the MAC address of person A, the captive portal lets person B
>> surf on the web ???  It's a big problem ? How to resolve that ??
> Ah yes, m0n0wall's captive portal does rely on MAC addresses.  There
> is no way to prevent spoofing a MAC to gain access to another person's
> authenticated session after they are done using it.  Instructing your
> users to use the log out functionality will prevent this (I know
> that's easier said than done though).  Using the idle timeout and hard
> timeout will also help prevent this, and minimize the window for
> misuse.

Neither of these prevents the active hijacking of an 'authenticated'
captive portal session while it is in use.

Even if you did somehow manage to secure against this, people would
tunnel over DNS.

802.1x/EAP, WPA or WPA2 are a far superior solution.
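The thread above describes a MAC-keyed session table with idle and hard timeouts. The following is an added illustration written for this page (not m0n0wall's own code) that models that table so the limits of the two timeouts can be seen: any frame carrying an authenticated MAC resets the idle timer, so only the hard timeout bounds how long a session stays open once someone else is using that MAC. The timeout values and MAC addresses are constructed, not m0n0wall defaults.

```python
from dataclasses import dataclass

# Constructed timeout values for the model (seconds); not m0n0wall defaults.
IDLE_TIMEOUT = 15 * 60    # seconds since the MAC was last seen
HARD_TIMEOUT = 4 * 3600   # seconds since authentication, regardless of traffic


@dataclass
class Session:
    mac: str
    user: str
    started: float    # time of authentication
    last_seen: float  # time of the last frame with this MAC


class PortalSessions:
    """Minimal model of a captive portal that tracks sessions by MAC only."""

    def __init__(self, idle=IDLE_TIMEOUT, hard=HARD_TIMEOUT):
        self.idle, self.hard = idle, hard
        self.by_mac: dict[str, Session] = {}

    def login(self, mac, user, now):
        self.by_mac[mac.lower()] = Session(mac.lower(), user, now, now)

    def logout(self, mac):
        # Explicit logout closes the window immediately, as the thread recommends.
        self.by_mac.pop(mac.lower(), None)

    def expire(self, now):
        """Drop sessions past their idle or hard limit; return the evicted MACs."""
        gone = [m for m, s in self.by_mac.items()
                if now - s.last_seen >= self.idle or now - s.started >= self.hard]
        for m in gone:
            del self.by_mac[m]
        return gone

    def allow(self, mac, now):
        """Pass-through decision for a frame from `mac`.

        The portal only sees the MAC, so it cannot tell the original user from
        anyone else sending with that address; every allowed frame refreshes
        last_seen, which is why the idle timeout alone cannot end a hijacked
        session and the hard timeout is what caps the exposure."""
        self.expire(now)
        s = self.by_mac.get(mac.lower())
        if s is None:
            return False
        s.last_seen = now
        return True
```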