Again, they (the intended captive portal users) are not "my users" and the computers are not under my control. Also, the captive portal network is entirely separate from my "normal user LAN". That said, my users (potential unintended captive portal users) are what I am most concerned about, as well as public trash trying to leech free internet and potential malfeasance. While I do control the domain member computers, I have also caught users bringing in their personal laptops from home. A couple of them have eluded me, disappearing before I can complete a switch traceroute. Catching a wireless leech would be that much tougher.
Presently, I have only two APs serving two buildings, and I've located them so that the structure and terrain limit their range, but as I build this out with more APs and more coverage, it will have a larger attack surface. I also plan to deploy another, larger coverage area, but I intend to use WPA on that one and it will not be part of the hotspot.
Yes, I could set up a DHCP reservation for each user PC I authorize and have corresponding firewall rules. That way simple possession of username/password would stop some of them. Still, it is not the same security as a three-way match as may be had with some two-factor authentication methods. I realize that I am changing the scope of requirements now, since my first request was more "security by ignorance" than real two-factor authentication.
I can also do static ARP in m0n0 to further encumber IP stealers, but that too can be overcome by MAC spoofing. Oh, what a tangled web we weave, trying to implement security. As you see, it is starting to get overly complicated and labour-intensive to grant a guest access for a day or a week.
I'm wondering if setting up a RADIUS server wouldn't make more sense, and whether it would give me real two-factor authentication.
I'm open to suggestions.
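As an added illustration of the RADIUS option raised above (this is example code written for this page, not anything from the original poster, from m0n0wall, or from any particular RADIUS server), the block below simulates the RFC 2865 PAP exchange between a captive portal (the NAS) and a RADIUS server in-process, with no sockets: the portal hides the password with the shared secret and the Request Authenticator and sends the client MAC as Calling-Station-Id; the server checks username, password and MAC together (the "three-way match" the post asks about) and signs its Access-Accept/Access-Reject with a Response Authenticator that the portal verifies before trusting the answer. The shared secret, the NAS address 192.168.1.1, the user table and the MAC in it are all constructed for the example. The MAC check is only as strong as the MAC the NAS reports, so, exactly as the post notes for static ARP, MAC spoofing still defeats that third factor; the example shows the protocol mechanics, not a fix for that.

```python
"""Minimal RFC 2865 RADIUS PAP exchange, simulated in-process (example code)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31

SECRET = b"example-shared-secret"  # assumed NAS/server shared secret (constructed)
# Constructed user table: password plus the MAC the account is pinned to.
USERS = {"guest1": {"password": b"week-pass", "mac": "00-11-22-33-44-55"}}


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: XOR each 16-byte chunk of the NUL-padded password
    with MD5(secret + previous block); the first block is keyed by the
    Request Authenticator, later ones by the previous ciphertext chunk."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as run on the server side."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def _attrs(pairs):
    # Each attribute is Type (1 byte), Length (1 byte, includes the 2 header bytes), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def _response_auth(code, ident, length, req_auth, attrs, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()


def build_access_request(ident, username, password, mac, secret=SECRET):
    """NAS side: Access-Request with User-Name, hidden User-Password,
    NAS-IP-Address and the client MAC as Calling-Station-Id."""
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    body = _attrs([(USER_NAME, username.encode()),
                   (USER_PASSWORD, hide_password(password, secret, req_auth)),
                   (NAS_IP_ADDRESS, bytes([192, 168, 1, 1])),  # assumed NAS address
                   (CALLING_STATION_ID, mac.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_handle(packet, secret=SECRET, users=USERS):
    """Server side: accept only if username, password AND reported MAC all match."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    mac = attrs.get(CALLING_STATION_ID, b"").decode()
    entry = users.get(username)
    ok = entry is not None and password == entry["password"] and mac == entry["mac"]
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""  # no reply attributes in this example
    auth = _response_auth(resp_code, ident, 20, req_auth, resp_attrs, secret)
    return struct.pack("!BBH", resp_code, ident, 20) + auth + resp_attrs


def client_check_response(request, response, secret=SECRET):
    """NAS side: trust the reply only if its identifier matches and its
    Response Authenticator was computed with the shared secret over our
    Request Authenticator (otherwise anyone on the path could send Accept)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = _response_auth(code, ident, length, request[4:20], response[20:length], secret)
    return response[4:20] == expected


def authenticate(username, password, mac, ident=1):
    """Run one full exchange and return True on a verified Access-Accept."""
    req = build_access_request(ident, username, password, mac)
    resp = server_handle(req)
    if not client_check_response(req, resp):
        raise ValueError("forged or corrupted RADIUS reply")
    return resp[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("right user/pass/MAC:", authenticate("guest1", b"week-pass", "00-11-22-33-44-55"))
    print("right user/pass, other MAC:", authenticate("guest1", b"week-pass", "AA-BB-CC-DD-EE-FF"))
```

Real deployments would point m0n0wall's captive portal at a server such as FreeRADIUS rather than at code like this; the point of the example is to show what the portal and server actually exchange, and that the Calling-Station-Id check is the only place the MAC enters the decision.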