03-03-2021 12:59 AM
Currently we have a situation where the captive portal can be bypassed if the client uses a VPN connection like Psiphon.
I also understand that network access is not given until the user has authenticated through the captive portal. However, some users have still been detected accessing the internet using VPN software like Psiphon.
Is it possible for an application denial policy on the ZD1200 to block this kind of VPN access?
03-03-2021 01:49 AM
If the ZD1200 is configured properly, you should not have such a problem. Check your Walled Garden settings.
But anyway, a captive portal is not a secure authentication method. As WISPr basically authorizes the client MAC, it is always possible to circumvent it by cloning an already authorized MAC from the network, which requires some technical knowledge but isn't complex in fact. Without getting a connection to the network no VPN can work, so the client connection is established before the VPN is run.
You need to find out what exactly is done, reproduce it, and then you can look for a way to disable it.
A simple and safe way would be to use Dynamic-PSK codes instead of captive portal codes. You can set expiration dates on them, and all communication will be encrypted.
Without knowing the code you have no chance to connect to the network, so this will fix all issues, and it will work better than WISPr (which is an old protocol not targeting security, but created as a tool to charge users for access).
03-03-2021 02:53 AM
I am not sure how Psiphon works, but the vulnerability report shows the captive portal can be bypassed if the client uses a VPN connection through UDP port 53.
03-03-2021 03:48 AM
Dear Vincent,
Psiphon is great!! This one circumvents the firewall and tries to establish connections to their own servers. It's one of the best tools I have ever seen.
Let me tell you about the solution. ZD already has a solution for it, from when it was brought to our notice. Our dev team found that when a client connects to WiFi using Psiphon, its DNS requests would be redirected to their DNS servers; if you drop those requests then the client would not be able to use the internet when using Psiphon. There are a couple of commands that you need to run on the ZD's CLI to drop those DNS requests redirected to Psiphon servers and allow only requests destined to your trusted DNS server. I don't have a ZD to test and verify these commands.
Please run the below commands and see.
ruckus(config)# portal-auth-force-dns-server 192.168.40.10
The command was executed successfully.
ruckus(config)#
This could also be done by adding a rule on your firewall too: add a rule to redirect all DNS requests to your trusted DNS server and drop the others. If you do this, Psiphon can never be used on your network.
Hope it helps.
Regards.
Abilash PR.
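As an added example (not from this thread or from Ruckus), the Python below models the DNS-pinning rule Abilash describes and the detection a defender would pair with it: 192.168.40.10 is the resolver from his command, while the walled-garden host, client addresses, flow volumes and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# From the thread: the resolver given to portal-auth-force-dns-server.
TRUSTED_DNS = {"192.168.40.10"}
# Constructed: portal/login host a pre-auth client may reach (walled garden).
WALLED_GARDEN = {"10.0.0.5"}

@dataclass(frozen=True)
class Flow:
    """One client flow: source IP, destination IP, destination port, bytes sent."""
    client: str
    dst: str
    dport: int
    nbytes: int

def pre_auth_verdict(flow):
    """Policy for a not-yet-authenticated client: DNS only to the trusted
    resolver (other port-53 traffic is redirected there), walled-garden
    hosts allowed, everything else dropped."""
    if flow.dport == 53:
        return "allow" if flow.dst in TRUSTED_DNS else "redirect"
    if flow.dst in WALLED_GARDEN:
        return "allow"
    return "drop"

def flag_dns_tunnels(flows, min_flows=20, min_bytes=50_000):
    """Per client, count port-53 flows and bytes to untrusted resolvers.
    Name resolution is small and sparse; a tunnel over UDP/53 is neither.
    Returns {client: (flow_count, byte_count)} for clients over a threshold."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dport == 53 and f.dst not in TRUSTED_DNS:
            stats[f.client][0] += 1
            stats[f.client][1] += f.nbytes
    return {c: (n, b) for c, (n, b) in stats.items()
            if n >= min_flows or b >= min_bytes}

# Constructed sample: one ordinary client, one pushing bulk UDP/53 to an
# unknown host (the pattern the thread attributes to Psiphon).
SAMPLE_FLOWS = (
    [Flow("10.0.1.20", "192.168.40.10", 53, 80)] * 3
    + [Flow("10.0.1.20", "10.0.0.5", 443, 1200)]
    + [Flow("10.0.1.31", "203.0.113.7", 53, 1400)] * 40
    + [Flow("10.0.1.31", "198.51.100.9", 443, 600)]
)

if __name__ == "__main__":
    print(flag_dns_tunnels(SAMPLE_FLOWS))  # {'10.0.1.31': (40, 56000)}
```

The verdict function is the policy the ZD command or an equivalent firewall rule enforces; the tunnel flag is what to alert on in flow logs so that a bypass is noticed rather than just blocked.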
03-03-2021 07:04 AM
Hi Abilash,
Thank you for the input.
Do you mean that the Psiphon DNS server is 192.168.40.10?