topic Re: OWE network traffic security in Wireless

OWE network traffic security

fraynchize — Tue, 07 May 2024 17:18:17 GMT

Hey All,

I want to get away from the one password to rule the wifi and instead use the AD Login splash page. If i set my network up with OWE and have the captive portal strenght set to block all access until sign-on is complete is my network secure? Or because its still an "open" network im vulnerable to being attacked by anyone.

Thanks,

Tyler

Re: OWE network traffic security

MariaP8 — Tue, 07 May 2024 21:53:24 GMT

Hi Tyler,

1. OWE is part of WPA3 authentication which requires client devices to use data encryption upon associating to the AP.

2. After association the client will be redirected to the AD Logon Splash Page where they will have to enter a username and password to authenticate to the AD server.

3. The client will enter their username and password. The AP will receive that information and then send that off to your server.

4. Your server will accept or deny the credentials. If denied the server will indicate that to the AP and the AP will deny you access to the network. If your credentials are accepted your server will send a message to the AP telling it to allow you into the network.

5. If you have your captive portal strength set to "block all access until sign-on is complete" then until users complete their sign-on they will not be allowed to access anything in the network (save for what is in your walled garden).

Additional Resources:

802.11 Process Explained - Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is complete.

In our documentation we state the following, "To associate to a wireless network, a client must have the correct encryption keys (association requirements). Once associated the wireless client may need to enter information (network sign-on method) before accessing resources on the wireless network."

More on OWE from our documentation.

Hopefully this answers your question 🙂

Re: OWE network traffic security

Karsten Iwen — Wed, 08 May 2024 00:36:35 GMT

OWE gives you wireless encryption without authentication, and the Splash page gives you authentication without wireless encryption. Combining both leaves you individually vulnerable to attacks on the other. An attacker on the wireless side can still make himself a MitM to interact with the wireless data in cleartext form.

If it is for internal users (as you are talking about AD login), implementing 802.1X is the only secure way to combine both.

Re: OWE network traffic security

xveral — Sun, 09 Mar 2025 09:17:01 GMT

So, that means that for non already wireless user; the splash screen login is encrypted via the previous OWE negotiation/encryption, am I right?

But someone already auth in the wifi network could in theory sniff network traffic and get the splash screen credentials?

thanks

Re: OWE network traffic security

Karsten Iwen — Sun, 09 Mar 2025 09:49:30 GMT

No, with OWE, each user has unique keys, and one user can not decrypt the traffic of another.

The only possible attack is that the attacker gets active into the connection (MitM). Then the traffic can bee seen natively. But the credentials are still protected if the splash page is delivered over HTTPS.

Re: OWE network traffic security

xveral — Sun, 09 Mar 2025 10:35:35 GMT

Thanks for the clarification!