Re: Large-scale 1-1 NAT



There is another thing I wanted to point out. I remember you used the
words "authentication web page". This made me think you are
establishing a captive portal, which is not secure at all. If I
understand well the authpf solution would be secure, except perhaps
a small delay. You might proxy your clients to a "click here and
download this preconfigured PuTTY" page.

We are planning on using a captive portal. The only authentication
mechanism we have for clients is a web-based SSO solution using CAS that
isn't maintained by our staff. The people trying to authenticate are not
intended to be local users on the system. What are the security problems
you see with a captive portal interface?

I haven't used CAS, but if I understand well from their wiki, CAS by itself
isn't meant to keep the session alive. This means that the following scenario
could occur:
1) User associates with your AP.
2) User logs in.
3) EvilUser associates with your AP.
4) EvilUser runs tcpdump, records IP and MAC of User.
5) EvilUser sends DDoS against User.
6) Having a Windows :P, User is forced to restart his computer.
7) EvilUser sets his MAC and IP to the recorded ones.

Some captive portals do keep the session alive, by regularly refreshing the
page, using JavaScript or a Java applet. However, this means that the user will
have to keep his browser window open. IMHO, this is worse than keeping PuTTY
open while connecting to the Internet.
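As an added illustration of the session-lifetime point above (not code from this thread or from any real portal), a small Python model of a captive portal that either forgets about the client after login or requires the periodic page refresh the message mentions; the addresses, timings and class names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    ip: str
    mac: str
    last_seen: float          # time of the last keep-alive from this client
    authorized: bool = True

@dataclass
class Portal:
    # None: the portal never requires a keep-alive (authorized until logout);
    # a number: seconds the client may go without refreshing the portal page.
    keepalive_window: Optional[float]
    sessions: Dict[Tuple[str, str], Session] = field(default_factory=dict)

    def login(self, ip: str, mac: str, now: float) -> None:
        self.sessions[(ip, mac)] = Session(ip, mac, now)

    def keepalive(self, ip: str, mac: str, now: float) -> None:
        s = self.sessions.get((ip, mac))
        if s is not None and s.authorized:
            s.last_seen = now

    def expire(self, now: float) -> None:
        # Revoke sessions whose client has stopped refreshing the page.
        if self.keepalive_window is None:
            return
        for s in self.sessions.values():
            if s.authorized and now - s.last_seen > self.keepalive_window:
                s.authorized = False

    def allowed(self, ip: str, mac: str, now: float) -> bool:
        self.expire(now)
        s = self.sessions.get((ip, mac))
        return s is not None and s.authorized

def takeover_scenario(portal: Portal, attack_time: float) -> bool:
    """Replay the seven-step scenario from the message above and report
    whether the recorded (IP, MAC) pair is still passed at attack_time.
    Addresses and timings are constructed for illustration."""
    user_ip, user_mac = "10.0.0.5", "00:11:22:33:44:55"
    portal.login(user_ip, user_mac, now=0)                # steps 1-2
    for t in range(10, 60, 10):                           # browser refreshes
        portal.keepalive(user_ip, user_mac, t)
    # Step 6: User reboots at t=60 and stops refreshing.
    # Step 7: EvilUser presents the same IP and MAC at attack_time.
    return portal.allowed(user_ip, user_mac, attack_time)
```

Without a keep-alive requirement the entry stays open indefinitely; with one, the spoofed pair is only accepted inside the refresh window after the real client went quiet, which is the trade-off against keeping a browser (or PuTTY) window open.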


_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"