The road to an open WiFi

    One of the advantages of a Captive Portal is the elimination of the need for a password on the WiFi access point. Let's explore what this means and its security implications.

    First, consider that you don't want to open your network to indiscriminate access, but you want to create a Guest WiFi network with some control over the Internet connection. For this, you need a Captive Portal. If you're not convinced, read the article What is a Captive portal? before proceeding.

    Here's what happens when you open your WiFi network without a Captive Portal. Every access point broadcasts its alphanumeric identification code, the SSID, which is the name you see when you scan for available networks on your device. Typically, these networks are password-protected, requiring a password for connection. When a WiFi network is password protected, a padlock icon appears next to the WiFi symbol on devices. This protection is provided by the access point, which stores the password and, in most cases, is the only barrier against unauthorized users. Consequently, anyone with the WiFi password has full access to the Internet and potentially the rest of the LAN. We'll return to this point later.

    To open the WiFi network to everyone, you simply log into your access point through its web interface, navigate to the Security Configuration page, and remove the password. This makes the WiFi network open and accessible without a password, meaning no access control is performed, and anyone can access the Internet.

    It's not uncommon to find situations where the WiFi network is open and the access point is not password-protected. This means that anyone who connects to the WiFi network can also access the access point's configuration pages, posing significant security risks.

    Therefore, some form of protection is necessary. The access point is the weakest link in the chain because, even if the password hasn't been breached, other disadvantages make this solution unsuitable for a Guest WiFi network:

    - The password is stored on the access point, an often unattended and weak element. Warning: the default password, usually written on the bottom of the access point, is frequently not changed. Moreover, access points with LAN ports allow anyone to connect without a password.
    - The password is the same for all users, preventing the creation of different user profiles.
    - The password doesn't change frequently, so a "secret" password soon becomes widely known.
    - Managing passwords for multiple access points is cumbersome.
    - Anyone who bypasses the access point gains full access to the Internet and the LAN.
    - Other devices on the LAN are visible, with no isolation for devices connected to the WiFi network from those used for business.
    - There's no control over connection time and network bandwidth usage, risking bandwidth saturation and performance issues on the entire LAN.


              Internet
                  |
                  |
        ----------------------
        | ADSL Modem/Router  |
        |    Access Point    |
        |(password-protected)|
        ----------------------
             |         ) ) ) Guest
             |               WiFi
        Business LAN
        exposed to
        unwanted access


    So, it's clear that a small access point is not the most suitable solution for creating a Guest WiFi network. Specifically, the access point alone as the access control element is inappropriate. The solution is to remove this device from the role of access controller and use it solely as a WiFi connection interface. Thus, no more passwords stored and no more access control at the access point level. Anyone can connect to the WiFi, but before accessing the Internet, they must be authorized by a more robust, manageable, and upgradable system that is not exposed to hacker attacks. This system prompts users to provide credentials, verifies them, and grants access based on a profile defining connection parameters, such as maximum connection time and download size, and disconnects users when limits are exceeded. This is the Captive Portal.
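The authorization flow described above, as an added example that is not part of the original article and is not WifiGem's code: a small model of a portal that verifies credentials, attaches a profile, and disconnects a client once its time or download limit is reached. The class and field names, the client identifier and the PBKDF2 password storage are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:              # hypothetical per-user profile
    max_seconds: int        # maximum connection time
    max_bytes: int          # maximum download size

@dataclass
class Session:
    profile: Profile
    started: float
    bytes_down: int = 0

def _kdf(password, salt):
    # Assumption: the portal stores salted PBKDF2 hashes, never plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Portal:
    def __init__(self):
        self.users = {}      # user name -> (salt, hash, Profile)
        self.sessions = {}   # client id -> Session (authorized clients)

    def add_user(self, user, password, profile):
        salt = os.urandom(16)
        self.users[user] = (salt, _kdf(password, salt), profile)

    def login(self, client, user, password, now):
        # Unknown users take the same code path with a dummy record
        salt, stored, profile = self.users.get(user, (b"\0" * 16, b"", None))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return False     # client stays behind the portal page
        self.sessions[client] = Session(profile, now)
        return True

    def account(self, client, downloaded, now):
        """Add traffic to the session; return 'allow' or the block reason."""
        s = self.sessions.get(client)
        if s is None:
            return "unauthenticated"
        s.bytes_down += downloaded
        if now - s.started >= s.profile.max_seconds:
            reason = "time limit"
        elif s.bytes_down >= s.profile.max_bytes:
            reason = "download limit"
        else:
            return "allow"
        del self.sessions[client]   # disconnect: must log in again
        return reason
```

Because the decision lives in the portal rather than in the access point, each user gets an individual profile and nothing secret is stored on the access point itself.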

    By moving access control to another device, the Captive Portal allows you to safely remove the password from the access point. This results in an open Guest WiFi network with high security and manageability, thanks to the Captive Portal. Additionally, the bridge on the server or dedicated access point ensures the necessary isolation of the corporate LAN from guest devices, redirecting guest traffic to the Internet through a tunnel without any connection to the LAN.


                  Internet
                      |
                      |
           -----------------------
           |  ADSL Modem/Router  |
           |     192.168.1.1     |
           -----------------------
               |            |
               |            |
               |       -----------
               |       | WifiGem |
               |       | Server  |
               |       -----------
               |            |
               |            |
        Business LAN ---------------
                     |   Switch    |
                     ---------------
                        |       |
                        |       |
                  Guest LAN ---------------
                            | Access Point|
                            ---------------
                                 ) ) ) Guest
                                       WiFi
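One way to verify the isolation shown in the diagram above, as an added example that is not part of the original article: run this from a device joined to the Guest WiFi and confirm that nothing on the business side answers. The router address comes from the diagram; the other hosts and ports are constructed placeholders.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP connection attempt made from the guest network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # service reachable: isolation is broken
    except ConnectionRefusedError:
        # A reset came back: either the host is routable from here or a
        # firewall rejects instead of dropping. Both deserve a look.
        return "refused"
    except OSError:
        return "blocked"         # timeout, no route, host unreachable

def audit_isolation(targets, timeout=1.0):
    """Return {(host, port): state} for every target that is not blocked."""
    findings = {}
    for host, port in targets:
        state = probe(host, port, timeout)
        if state != "blocked":
            findings[(host, port)] = state
    return findings

# Router address from the diagram; the business LAN hosts and ports are
# constructed placeholders, replace them with addresses you own.
TARGETS = [
    ("192.168.1.1", 80), ("192.168.1.1", 443),      # router admin pages
    ("192.168.1.10", 445), ("192.168.1.20", 3389),  # hypothetical LAN hosts
]

if __name__ == "__main__":
    findings = audit_isolation(TARGETS)
    for (host, port), state in sorted(findings.items()):
        print(f"LEAK {host}:{port} {state}")
    print("guest isolation holds" if not findings
          else f"{len(findings)} finding(s) to review")
```

A "refused" result matters as much as "open": a closed port that answers still shows that guest traffic can reach the business LAN.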


    First published on January 17, 2019
    Updated on June 20, 2024

    No part of this document may be reproduced without prior written permission of WifiGem.