On May 4, 2005, at 9:50 AM, Chris Buechler wrote:
> On 5/4/05, Nans Delrieu <delrieu dot nans at laposte dot net> wrote:
>> Lots of captive portals use the MAC address after authentication. After
>> auth, the captive portal looks for MAC addresses and allows surfing if the MAC
>> address is good.
>> For example, if someone (called A) wants to connect to the local
>> he gives his login and password.
>> Then, the captive portal authorizes this person if the login and the
>> password are good. But after authentication, if a malintentioned
>> B takes the MAC address of person A, the captive portal lets that person
>> surf on the web??? It's a big problem? How to resolve that??
> Ah yes, m0n0wall's captive portal does rely on MAC addresses. There
> is no way to prevent spoofing a MAC to gain access to another person's
> authenticated session after they are done using it. Instructing your
> users to use the log out functionality will prevent this (I know
> that's easier said than done though). Using the idle timeout and hard
> timeout will also help prevent this, and minimize the window for
neither of these prevents the active hijacking of an 'authenticated'
captive portal session while it is in use.
even if you did somehow manage to secure against this, people would
tunnel over DNS.
802.1x/EAP, WPA or WPA2 are a far superior solution.
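
Added example, not part of the original thread and not m0n0wall's code: a toy model of a portal that keys sessions on the MAC address alone, showing what logout, idle timeout and hard timeout each cover. The class, function names, timeout values and the sample MAC are assumptions made for illustration.

```python
from dataclasses import dataclass

MAC_A = "02:00:00:00:00:0a"  # constructed sample address

@dataclass
class Session:
    user: str
    started: float
    last_seen: float

class MacKeyedPortal:
    """Toy portal that recognises an authenticated client by MAC address only."""

    def __init__(self, idle_timeout, hard_timeout):
        self.idle_timeout, self.hard_timeout = idle_timeout, hard_timeout
        self.sessions = {}  # MAC -> Session

    def login(self, mac, user, now):
        self.sessions[mac] = Session(user, now, now)

    def logout(self, mac):
        self.sessions.pop(mac, None)

    def window_closes_at(self, mac):
        """Time the session lapses if no further frame carries this MAC."""
        s = self.sessions[mac]
        return min(s.last_seen + self.idle_timeout, s.started + self.hard_timeout)

    def allow(self, mac, now):
        """Decide on one frame; the source MAC is the only identity checked."""
        if mac not in self.sessions or now > self.window_closes_at(mac):
            self.sessions.pop(mac, None)
            return False
        self.sessions[mac].last_seen = now  # any frame with this MAC refreshes idle
        return True

def scenarios(idle=300, hard=3600):
    out = {}
    p = MacKeyedPortal(idle, hard)          # 1: user logs out explicitly
    p.login(MAC_A, "alice", 0)
    p.logout(MAC_A)
    out["after_logout"] = p.allow(MAC_A, 10)
    p = MacKeyedPortal(idle, hard)          # 2: last frame at t=200, no logout
    p.login(MAC_A, "alice", 0)
    p.allow(MAC_A, 200)
    out["window_closes_at"] = p.window_closes_at(MAC_A)
    out["after_idle_timeout"] = p.allow(MAC_A, 501)
    p = MacKeyedPortal(idle, hard)          # 3: MAC stays active, frame every 60 s
    p.login(MAC_A, "alice", 0)
    out["in_use"] = all(p.allow(MAC_A, t) for t in range(60, hard + 1, 60))
    out["after_hard_timeout"] = p.allow(MAC_A, hard + 60)
    return out
```

In the model, logout closes the session at once and the idle timeout bounds the window after the last frame, but while frames keep arriving with the authenticated MAC only the hard timeout ends the session, because the portal has no way to tell which station sent them.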