
The road to an open WiFi

  • One of the advantages of a Captive Portal is that it lets you get rid of the password on the WiFi access point. Let's see what this means and what its consequences are in terms of security.
    First, let's assume that you do not want to open your network to indiscriminate access, but that you want to create a Guest WiFi network that offers an Internet connection with some control over it. So, you need a Captive Portal. If you are not convinced of this, read the article What is a Captive portal? before proceeding.

    Here's what happens when you open your WiFi network without a Captive Portal. Every access point, by default, broadcasts its alphanumeric identification code, the SSID, over the air. This is the name of the WiFi network that you see on your mobile device when you scan the available networks. Usually, the connection is password protected, which means that anyone who tries to connect to that network is required to enter a password, without which the device is not accepted. When a WiFi network is password protected, a padlock icon is shown next to the WiFi symbol in the list of available networks on mobile devices.

    An important thing to know is that the protection is provided by the access point, where the password is stored. This device is the only one acting as a filter between authorized and non-authorized users. The protection of your local network is left to this small device, so anyone who knows the WiFi password has full access to the Internet and, possibly, to the rest of the LAN. But we'll come back to this later.
    So, if you want to open the WiFi network to everyone, you simply log in to your access point through its Web interface, open the Security Configuration page and delete the password. From then on, the WiFi network is open and accessible to everyone without a password, which means that no access control is performed anymore and anyone can get full access to the Internet.

    It is not uncommon to come across situations where the WiFi network is open and the access point is not password protected, so those who connect to the WiFi network can also browse the access point's configuration pages, with potentially bad consequences in terms of security.

    So, we should assume that some sort of protection must be in place. The access point is clearly the weakest link in the chain, because even if the password hasn't been compromised, other disadvantages discourage this solution for a Guest WiFi network. And the disadvantages are more than a few:
    - The password is stored on the access point, an architecturally weak and in many cases unattended element. Warning: more often than you think, the default password, which is usually printed on the bottom of the access point, hasn't been changed at all. Moreover, routers with LAN ports and WiFi capability are almost always used as access points, so anyone could plug into one of the unused LAN ports.
    - The password is the same for all users: it is not possible to create different user profiles.
    - The password doesn't change frequently, and a "secret" password soon becomes public domain.
    - With more than one access point, password management becomes hard to do.
    - Anyone who gets past the access point has full access to the Internet and the LAN.
    - The other devices on the LAN are visible: there is no bridge to guarantee the isolation of devices that connect to the WiFi network from those dedicated to business.
    - No control over connection time and bandwidth usage; there is a real chance of saturating the bandwidth, with performance issues on the entire LAN.


    Internet
       |
       |
    ----------------------
    | ADSL Modem/Router  |
    | Access Point       |
    | (password-protected)|
    ----------------------
       |          ) ) ) Guest
       |                WiFi
    Business LAN
    exposed to
    unwanted access


    In the end, it seems clear that a small access point is not the most appropriate solution for creating a Guest WiFi network. Or rather, what is inappropriate is using the access point as the only access control element. Therefore, the solution is to relieve this device of the role of access controller, while keeping it as a WiFi connection interface. So, no more stored passwords and no more access control on the access point. All those who wish to connect to the WiFi can do so, but before being able to surf the Internet they must be authorized by a more robust, more manageable and upgradable system, not exposed to hacker attacks, whose task is to decide who can and who cannot connect. This system prompts the user for their credentials, verifies their validity, and then grants access based on a profile that defines some connection parameters, such as the maximum connection time, the maximum download size etc., and eventually forces a disconnection when one of these limits is exceeded. This is the Captive Portal.

    Now, having moved the access control to another device, the Captive Portal makes it possible to safely remove the password from the access point. And there you go: what you have now is an open Guest WiFi network with a high level of security and manageability thanks to the Captive Portal. Moreover, the bridge located on the server or on the dedicated access point provides the necessary isolation of the corporate LAN from the guest devices, whose traffic is redirected to the Internet through a tunnel without any connection to the LAN.
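    The access-control model just described (credential check, per-user profile, time and download limits, forced disconnection) as an added example in Python; this is illustrative code written for this article, not WifiGem's software, and the profile values, user store and client identifiers are constructed.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    max_seconds: int  # maximum connection time
    max_bytes: int    # maximum download size

@dataclass
class Session:
    client: str       # client identifier, e.g. its MAC address (constructed)
    profile: Profile
    started_at: int   # epoch seconds at login
    bytes_down: int = 0
    active: bool = True
    reason: str = ""  # why the session was closed, if it was

def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

class CaptivePortal:
    """Credential store plus per-profile limit enforcement, kept off the AP."""
    def __init__(self, users: dict):
        self._users = users  # {username: (sha256 hex of password, Profile)}
        self.sessions = {}

    def login(self, client, username, password, now):
        entry = self._users.get(username)
        if entry is None or not hmac.compare_digest(entry[0], _digest(password)):
            return False
        self.sessions[client] = Session(client, entry[1], now)
        return True

    def is_allowed(self, client):
        s = self.sessions.get(client)
        return s is not None and s.active

    def account(self, client, bytes_down, now):
        s = self.sessions.get(client)
        if s is None or not s.active:
            return False
        s.bytes_down += bytes_down
        if now - s.started_at > s.profile.max_seconds:
            s.active, s.reason = False, "time limit exceeded"
        elif s.bytes_down > s.profile.max_bytes:
            s.active, s.reason = False, "download limit exceeded"
        return s.active

GUEST = Profile("guest", 3600, 50_000_000)  # constructed: one hour, 50 MB
USERS = {"guest1": (_digest("constructed-demo-pw"), GUEST)}
```

    In a real deployment `is_allowed` would drive the firewall rule that lets a client's traffic out, and `account` would be fed by the traffic counters.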


    Internet
       |
       |
    -----------------------
    |  ADSL Modem/Router  |
    |    192.168.1.1      |
    -----------------------
       |          |               |
       |          |               |
       |     -----------   ---------------
       |     | WifiGem |   |   WifiGem   |
       |     | Server  |   | Access Point|
       |     -----------   ---------------
       |          |               ) ) ) Guest
       |          |                     WiFi
       |     Protected Guest LAN
    Business LAN


    Published on January 17, 2019

    No part of this document may be reproduced without prior written permission of WifiGem.