How is no password more secure than username+password?

Context: I have a laptop supplied by my organisation. I am trying to connect to eduroam, but I cannot do it using my organisation's laptop. When I use a personal computer, it asks me for a username and password, just as a standard wifi network asks for a password.



I found the text below in the internal IT policy. I need help understanding it. To me it's totally counterintuitive:




Using hotel, coffee shop and public WiFi hotspots



You may be able to connect your laptop to use the WiFi in hotels, coffee shops etc but this depends on how the WiFi is set up:



  • if it’s “open” (that is, you don’t need any password to connect) then you should be OK

  • if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK

  • if however you can readily connect to the WiFi but you need to enter a username and/or password in your web browser software, then you will not be able to access the service.

The security standards to which our laptops are built, means that they cannot connect directly to a “dirty” or insecure internet connection – everything goes via the secure VPN connection into our IT network. So the user can’t get to the web page where they’d need to type in a password, without first connecting to the VPN – and they can’t connect to the VPN without first getting to the web page.




So basically, I can use my work's laptop in a coffee shop where the network is shared by anyone (for which so much has been written against, e.g. here). I can also use it in a network with password security only, for which there is even a WikiHow (!) guide on hacking. And yet, I cannot use it in a network that requires both username and password, which surely must be much more difficult to hack into.



What is this sense of security that underlies my organisation? Am I missing something?







  • 9




    I think that they might be trying to warn you against phishing attacks. Some networks require that you enter a username and password on their own login screen, such things can later be used for password reuse attacks and other malicious activity. I don't think they're talking about something like WPA2 Enterprise Credentials which I'd imagine is perfectly fine to use.
    – xorist
    Aug 28 at 11:49







  • 1




    The following does not answer your question, but will solve your problem: You can connect to eduroam using "username@example.com" with your normal username (without any "backslash" domain specifiers, so not "EXAMPLEusername@example.com") and password, supplied directly as the WiFi username and password.
    – Sanchises
    Aug 28 at 12:55







  • 39




    They didn't say it was or wasn't secure, they just said it wouldn't work...
    – immibis
    Aug 29 at 3:38






  • 10




    I feel the title of the question is quite misleading. It's not "no password" vs "username + password", it's "captive portal" vs "open wifi"
    – BgrWorker
    Aug 30 at 15:24






  • 4




    @BgrWorker It is not misleading if you consider I did not know the concept of captive portal. If I had known that, this question would have not existed.
    – luchonacho
    Aug 30 at 16:57

























asked Aug 28 at 11:37 by luchonacho
edited Sep 5 at 10:55 by Anders


















8 Answers

















167 votes, accepted answer










They have configured the laptops to spin up a VPN connection and only speak to "home base" after they go on the network. That means that if there is a local "captive portal" that requires you to enter credentials, you will not be able to use it, because that would require evading the VPN.



(It's a chicken and egg thing. No VPN, no ability to reach the portal - no portal, no ability to spin up the VPN!)



It is more secure because they are ensuring that, no matter what connection you have, any network traffic you send goes through your company's network, your company's controls, and is not subject to interception or manipulation by any other party.



It unfortunately breaks the case of Wireless with a "captive portal," but allowing for that case would lower their security by allowing your machine to talk to arbitrary machines directly rather than through the VPN.




The "eduroam" service that you mention in the comment explicitly states that they do not have a captive portal, but use WPA-Enterprise based on 802.1X:




Does eduroam use a web portal for authentication?



No. Web Portal, Captive Portal or Splash-Screen based authentication
mechanisms are not a secure way of accepting eduroam credentials....
eduroam requires the use of 802.1X...




802.1X is the kind of authentication you need to enter to configure your machine to connect to the network, so this case is one that your IT policy explicitly states that they allow:




if it’s set up so that you need a password to connect to the WiFi (and
this password is given to you by the establishment) then again, you
should be OK




In fact, eduroam appears to be very well aligned with your IT policy - they both distrust the "bad security" imposed by captive portals.




Based on the edit to the original question:




I am trying to connect to eduroam, but I cannot do it using my
organisation's laptop. When I use a personal computer, it asks me for
a username and password, just as a standard wifi network asks for
password.




That suggests to me that your organization's laptop is simply not prompting you to connect to new networks the same way that your personal computer is. This could be because of different operating systems or different policies applied to the two computers. You may simply want to ask your IT group for help configuring 802.1X for connection to the eduroam network; using that keyword will make it clear to them you're trying to do something they allow.






  • 27




    @luchonacho username vs username + password is not important. What they are trying to say is the network must give you untampered access as soon as you are able to connect to it. Eduroam username+password does this but many public wifis attempt to hijack your http requests to show you a login page. Not many wifi networks ask for a username and a password when connecting which is probably why they forgot to mention it as a safe method.
    – Qwertie
    Aug 28 at 12:19







  • 14




    @NathanGoings in 802.1x with RADIUS, the supplicant (client) speaks to the authenticator (AP) using EAP, and the authenticator talks to the authentication server using RADIUS. So the client never needs to speak RADIUS; the EAP packets are part of the 802.11 WPA/WPA2 protocol. And as part of the 802.11 transport layer, they're pre-IP-network and not subject to the VPN.
    – gowenfawr
    Aug 28 at 15:37







  • 17




    Eduroam is notoriously complicated to set up (on the client), due to how different providers (= Universities) choose to accept credentials. In theory it’s supposed to be standardised and trivial to set up; in practice some Eduroam providers need to provide multi-page PDF manuals to their customers to guide them through the setup process for each operating system, and still users get confused (even power users). OP’s inability to connect may have nothing to do with the corporate laptop and more with the provider’s implementation of it.
    – Konrad Rudolph
    Aug 28 at 16:32







  • 4




    @YLearn I’m not complaining, I’m explaining why OP is having difficulties despite using a network with a (somewhat) standardised configuration.
    – Konrad Rudolph
    Aug 28 at 19:46






  • 6




    @Rsf that statement describes WPA/WPA2 integrated authentication. The most common case for that is password-only, but it's functionally equivalent to EAP username+password. Setup may differ, but it still operates during the WPAx handshake and won't be inhibited by a VPN requirement, unlike the captive portal method. So in short, when they say "password", they mean "WPA/WPA2 authentication, which is usually password, but could be username+password" as the OP is experiencing here.
    – gowenfawr
    Aug 29 at 12:01

















15 votes













When you first connect to some websites, they require that you give them an email address, or some other piece of data, before you can use their service; this page is referred to as a captive portal.



Your company laptop is set up so that when it detects an internet connection, it connects back to your corporate VPN, and then connects back out from there. In most situations (scenarios 1 and 2 in your question) you can connect to the wifi with a password, or to open wifi, tunnel into your corporate VPN, and then connect back out, all of which is done using the service of the wifi you are connecting to.



However, in situation 3 you may land on a captive portal web page, which requires that you enter some piece of data first in order to connect. However, your laptop is designed in such a way that you must connect to the corporate VPN first. Which means that you can't connect to the VPN because you haven't entered any credentials on a captive portal, and you can't enter the credentials because you haven't connected to the VPN yet.



Hopefully this answers your question a little better than my previous comment. Leave a comment here and I'll update this if you have further questions.



Edit: just to add, the reason why a company might have this type of setup is that they can ensure that all traffic passes through their VPN, and it allows them to enforce other policies, e.g. acceptable use, etc. Please see @gowenfawr's answer above for more info, as he has explained it extremely well.



































12 votes













    There are already good answers as to the understanding of the policy, but I'm going to talk briefly about eduroam security and connection profiles to make sure that all bases are covered in terms of the answer. I've worked for two universities that offer eduroam and have spent a lot of time working with it.



    Eduroam is a global network of universities and other educational institutions that peer together to allow members of one institution access to network resources at another partner institution.



    Authentication to eduroam is done through the 802.1x protocol (with MS-CHAP v2 usually the phase 2 authentication, at least in my experience). This is where the AP/Controller use RADIUS to talk to the RADIUS server at the home institution. Assuming all is good, the client is allowed to connect.



    Encryption of the wireless packets from the machine to the AP is done with WPA2 (enterprise, hence the 802.1x authentication) encryption.



    One of the biggest issues I've seen with eduroam connection profiles is when the operating system submits the logged-on user's credentials automatically (this is the default in Windows 7 and below... I think they changed this in Windows 8). I've also seen an issue where Windows will sometimes try to connect with the machine account, which is not usually authorized by the University (only user accounts are).



    Once connected to eduroam, your company will tunnel out the data through their VPN provider. Depending on how the institution where you are trying to connect to has the eduroam network set up, this may or may not work (The one place I worked only allowed some VPNs out while on eduroam, not all).






















    • 2




      Windows 8 and iOS automatically remember the institution's TLS certificate by fingerprint. Older Windows versions weren't completely insecure, but they required manual configuration of the certificate's hostname. Android 7+ requires the hostname to be input as well.
      – grawity
      Sep 3 at 8:47
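
A client-side check on what this answer and the comment above describe, added here as an example that is not eduroam's, wpa_supplicant's or the poster's own code: a small linter for a wpa_supplicant `network={ ... }` block that flags an eduroam profile which authenticates with 802.1X but does not pin the home institution's RADIUS server certificate by CA and by name, sends the real username as the outer identity, or uses a DOMAIN\ prefix that eduroam cannot route. The realm `example.edu`, the CA path, the server name and both sample profiles are constructed for the example; the option names are wpa_supplicant's.

```python
"""Lint a wpa_supplicant WPA-Enterprise (802.1X) profile for eduroam.

Added example, not code from the original post, from eduroam or from
wpa_supplicant. Realm, CA path, RADIUS server name and both sample
profiles are constructed for the example.
"""
import re
from typing import Dict, List

HOME_REALM = "example.edu"            # assumed home institution realm
TUNNELED_EAP = {"PEAP", "TTLS"}       # username/password EAP methods


def parse_network_block(text: str) -> Dict[str, str]:
    """Extract key=value pairs from the first network={ ... } block."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    fields: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")       # first '=' only: phase2="auth=..."
        fields[key.strip()] = value.strip().strip('"')
    return fields


def lint_profile(text: str) -> List[str]:
    """Return findings for a profile; an empty list means it passed."""
    f = parse_network_block(text)
    findings: List[str] = []

    # 1. eduroam authenticates with 802.1X/EAP, never a web portal or a PSK.
    if f.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt must be WPA-EAP (802.1X), got %r" % f.get("key_mgmt"))
    if f.get("eap") not in TUNNELED_EAP:
        findings.append("eap should be PEAP or TTLS for username/password authentication")
    if not f.get("phase2"):
        findings.append("phase2 (inner method, e.g. auth=MSCHAPV2) is not set")

    # 2. Without CA and name pinning, a rogue AP presenting any certificate
    #    can complete the outer TLS and collect the inner MSCHAPv2 response.
    if not f.get("ca_cert"):
        findings.append("ca_cert missing: the RADIUS server certificate is not validated")
    if not any(f.get(k) for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no domain_suffix_match/domain_match/altsubject_match: "
                        "any certificate issued by the CA is accepted")

    # 3. Routing to the home institution depends on the @realm suffix.
    identity = f.get("identity", "")
    if "@" not in identity or identity.rsplit("@", 1)[1] != HOME_REALM:
        findings.append("identity must be user@%s so the request reaches the home realm" % HOME_REALM)
    if "\\" in identity:
        findings.append("identity carries a DOMAIN\\ prefix; eduroam routes on the @realm suffix only")

    # 4. The outer identity is sent before the TLS tunnel exists.
    if not f.get("anonymous_identity"):
        findings.append("anonymous_identity not set: the real username is sent in the clear")
    return findings


# Constructed sample profiles (no real credentials).
WEAK_PROFILE = r'''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="EXAMPLE\jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

HARDENED_PROFILE = r'''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = lint_profile(profile)
        print(name + ":", "OK" if not findings else "")
        for item in findings:
            print("  -", item)
```

The weak profile would still connect, which is the problem: the supplicant completes the EAP exchange with whatever RADIUS server the access point hands it, so the hardening is entirely in `ca_cert` plus a name match, exactly the fingerprint/hostname point made in the comment above.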

















9 votes













    What you are referring to is called a captive portal.



    In order for such a portal to get displayed in your web browser, the following things need to happen:



    1. The WiFi router waits until your computer makes a non-encrypted (http://) request to a public website.

    2. It intercepts that request.

    3. It responds by impersonating the website you wanted to reach and sends you a redirect to the portal.

    This is something which looks extremely evil to any security software on your computer. You are making an unencrypted HTTP request to a public website via an untrusted network and becoming the victim of a man-in-the-middle attack. Yes, you are aware of this, and you are doing it just so you can see the captive portal. But captive portals are not standardized, so your computer cannot tell the difference.



    If the IT department allowed this process, they would also allow you to browse the internet over a completely insecure connection.






















    • 2




      Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) www.example.com to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as www.example.com would be able to trick anyone into doing anything they're not wanting to.
      – supercat
      Aug 28 at 18:53










    • @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do.
      – Brilliand
      Aug 29 at 22:37







    • 3




      @supercat there is nothing enforcing that the captive portal is actually a captive portal and not something that will download a virus. It might look like a page for entering a password or username, but it might not actually do anything aside from allowing you to continue browsing. With a standardized website that is even worse, as now hackers can just mimic that website on a network that doesn't have captive portals and every user would fall for it and have no reason to believe otherwise. Captive portals that have different named URLs depending on the network actually aid in the security.
      – The Great Duck
      Aug 29 at 23:16







    • 1




      @TheGreatDuck: If a browser would allow a visited page to execute code of its choosing with sufficient privilege to install a virus, that's a problem even if everything is done through a VPN. Likewise almost any publicly-addressable http-based web site visited through a VPN could be hijacked by anyone at any node between the web host and the VPN bridge, no matter what the VPN does. The particular use case of using a browser to access www.example.com and whatever that redirects to would seem like it should be safe in the absence of security flaws within the browser itself.
      – supercat
      Aug 31 at 18:48






    • 1




      Perhaps the right approach would not be to pick a domain, but instead require that a browser used for such purposes be run within a particular VM, and instruct users that nothing requiring security should be run within that VM, but even there, picking a domain which one expects to be hijacked by a captive portal would help to recognize the difference between captive-portal hijacking and other forms.
      – supercat
      Aug 31 at 18:49
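
The interception sequence in this answer, reduced to the check a client can run for itself, added here as an example that is not code from the original post or from any OS vendor: fetch a plaintext URL whose genuine answer is fixed in advance, parse what actually comes back, and classify it. This is the same idea behind the connectivity probes operating systems use and behind the neverssl.com site mentioned elsewhere on this page; the probe host `probe.example.com`, its expected empty 204 reply and the three sample responses are constructed for the example.

```python
"""Classify what a network did to an unencrypted HTTP probe.

Added example, not code from the original post or from any OS vendor.
The probe host, its fixed genuine reply and the sample responses below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

PROBE_HOST = "probe.example.com"    # hypothetical probe target
EXPECTED_STATUS = 204               # the genuine server always answers 204 ...
EXPECTED_BODY = b""                 # ... with an empty body
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class HttpResponse:
    status: int
    headers: Dict[str, str]         # header names lower-cased
    body: bytes


def parse_response(raw: bytes) -> HttpResponse:
    """Minimal HTTP/1.x response parser: status line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(status), headers, body)


def classify(resp: HttpResponse) -> Tuple[str, str]:
    """Return (verdict, detail) for the reply to GET http://PROBE_HOST/.

    clear     the genuine reply came through; nothing on the path rewrote it
    redirect  a 3xx elsewhere; the portal is steering the browser to itself
    injected  200 with a foreign body; the portal impersonated PROBE_HOST
    blocked   anything else (error page, DNS sinkhole, connection reset)
    """
    if resp.status == EXPECTED_STATUS and resp.body == EXPECTED_BODY:
        return "clear", "probe answered as expected"
    if resp.status in REDIRECT_CODES and "location" in resp.headers:
        # The genuine server never redirects, so any Location header is the
        # interceptor's, whatever host it points at.
        return "redirect", resp.headers["location"]
    if resp.status == 200:
        return "injected", "200 with %d unexpected body bytes" % len(resp.body)
    return "blocked", "status %d" % resp.status


# Constructed sample replies to GET http://probe.example.com/ on three networks.
SAMPLES = {
    "open_wifi": (b"HTTP/1.1 204 No Content\r\n"
                  b"Content-Length: 0\r\n\r\n"),
    "portal_redirect": (b"HTTP/1.1 302 Found\r\n"
                        b"Location: https://portal.example.net/login?mac=00-11-22-33-44-55\r\n"
                        b"Content-Length: 0\r\n\r\n"),
    "portal_inline": (b"HTTP/1.1 200 OK\r\n"
                      b"Content-Type: text/html\r\n\r\n"
                      b"<html><form action=/login>Room number: "
                      b"<input name=room></form></html>"),
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(parse_response(raw))[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, detail = classify(parse_response(raw))
        print("%-16s -> %-9s (%s)" % (name, verdict, detail))
```

Only the `clear` case is safe to proceed on; both portal cases are, on the wire, a third party answering for a host it does not own. A laptop configured as in the question never gets to send this probe outside the VPN, so it cannot even reach the `redirect` or `injected` outcome, which is the chicken-and-egg problem the accepted answer describes.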

















3 votes













    Generally, these Wi-Fi hotspots authenticate via a MAC address. That is to say, after you sign in via their captive portal, they remember your system's Wi-Fi MAC address. Traffic from that MAC address will be permitted on their Wi-Fi hotspot for X minutes/hours, depending on their policy.



    They also store it long enough that you can walk away, come back, get a new IP address and be recognized on MAC address alone. Some are vast. Once you hit "TOS Accept" on Target's guest Wi-Fi, it remembers your MAC address for years and nationwide to boot.



    So, the question is: How we can come up on Wi-Fi with a machine with that MAC address, browse http://neverssl.com (or any non-HTTPS site), be redirected to the captive portal, satisfy the captive portal's requirements, and get our MAC address "remembered" as a good thing.



    My thought is to use another device that allows you to alter its MAC address arbitrarily. Disable your company laptop's Wi-Fi and set its MAC address on your other device. Use it to walk through the captive portal's screens. Disable its Wi-Fi and enable your company laptop's Wi-Fi.



    Another alternative would be to reboot your laptop off a thumb drive, into a non-locked-down OS, presuming your company is OK with that.



































2 votes













      Okay, so let's address a few points in your question.



      Organisations often use LDAP and other methodologies for authentication without a password, which is yet more secure.



      An infrastructure VPN only permits a particular IP range, which is allowed by firewall settings and iptables to communicate with your intranet/internal network. Now, you actually get the credentials, or are only permitted to access this intranet using a particular IP subnet/range, often only by using the company's network via the infrastructure VPN, like Cisco SSL VPN or Sophos infrastructure VPN.



      Hope this clears out some doubts you had!



      P.S. - Usage of secure VPN that uses IPSec protocol which is safely implemented like that of Cisco SSL VPN for infrastructures is far more secure than traditional ones and offers a deep layer of security from the context of an external attacker who virtually can't access the network without having access to the infrastructure VPN.

































1 vote













        I can't say whether your organization's sysadmins will go for it, but you could suggest to them that they make a specific exception in their VPN configuration to allow direct, unencrypted connections to the website http://neverssl.com/. The entire purpose of this site is to be hijacked by captive portals. Nobody will ever need to visit via the corporate VPN, because it's useless except when you need to allow a captive portal to hijack an unencrypted HTTP connection and present its login page, and it doesn't accept any information, so nobody could exfiltrate corporate data that way. The remaining risk is that the captive portal itself might be malicious, and that's a real risk, so they might not go for it. But it's worth a try.






















        • 1




          In the OP's case, the organization's sysadmins would also have to allow direct connections to arbitrary websites (specifically, to whatever website the captive portal wants to use for login). That's what they aren't willing to do.
          – Brilliand
          Sep 1 at 23:48

        up vote
        1
        down vote

        How is no password more secure than username+password?




        It is if you use a shared key. Here's the way it works, simply explained.



        You have a secure key on your computer. The one that you're trying to log in to has a key that matches it. This allows a simple, quick, and secure passwordless login.



        This link is mostly about remotely logging into a remote server via ssh, without entering a username and password. I do that all the time when I need to ssh into my leased bare-metal server in another state. Surely, it's possible to do that in your case.






          8 Answers

          up vote
          167
          down vote
          accepted

          They have configured the laptops to spin up a VPN connection and only speak to "home base" after they go on the network. That means that if there is a local "captive portal" that requires you to enter credentials, you will not be able to use it, because that would require evading the VPN.



          (It's a chicken and egg thing. No VPN, no ability to reach the portal - no portal, no ability to spin up the VPN!)



          It is more secure because they are ensuring that, no matter what connection you have, any network traffic you send goes through your company's network, your company's controls, and is not subject to interception or manipulation by any other party.



          It unfortunately breaks the case of Wireless with a "captive portal," but allowing for that case would lower their security by allowing your machine to talk to arbitrary machines directly rather than through the VPN.




          The "eduroam" service that you mention in the comment explicitly states that they do not have a captive portal, but use WPA-Enterprise based on 802.1X:




          Does eduroam use a web portal for authentication?



          No. Web Portal, Captive Portal or Splash-Screen based authentication mechanisms are not a secure way of accepting eduroam credentials.... eduroam requires the use of 802.1X...




          802.1X is the kind of authentication you need to enter to configure your machine to connect to the network, so this case is one that your IT policy explicitly states that they allow:




          if it’s set up so that you need a password to connect to the WiFi (and this password is given to you by the establishment) then again, you should be OK




          In fact, eduroam appears to be very well aligned with your IT policy - they both distrust the "bad security" imposed by captive portals.




          Based on the edit to the original question:




          I am trying to connect to eduroam, but I cannot do it using my organisation's laptop. When I use a personal computer, it asks me for a username and password, just as a standard wifi network asks for password.




          That suggests to me that your organization's laptop is simply not prompting you to connect to new networks the same way that your personal computer is. This could be because of different operating systems or different policies applied to the two computers. You may simply want to ask your IT group for help configuring 802.1X for connection to the eduroam network; using that keyword will make it clear to them you're trying to do something they allow.






          edited Sep 3 at 12:45 by grawity
          answered Aug 28 at 11:58 by gowenfawr







          • 27




            @luchonacho username vs username + password is not important. What they are trying to say is the network must give you untampered access as soon as you are able to connect to it. Eduroam username+password does this but many public wifis attempt to hijack your http requests to show you a login page. Not many wifi networks ask for a username and a password when connecting which is probably why they forgot to mention it as a safe method.
            – Qwertie
            Aug 28 at 12:19







          • 14




            @NathanGoings in 802.1x with RADIUS, the supplicant (client) speaks to the authenticator (AP) using EAP, and the authenticator talks to the authentication server using RADIUS. So the client never needs to speak RADIUS; the EAP packets are part of the 802.11 WPA/WPA2 protocol. And as part of the 802.11 transport layer, they're pre-IP-network and not subject to the VPN.
            – gowenfawr
            Aug 28 at 15:37







          • 17




            Eduroam is notoriously complicated to set up (on the client), due to how different providers (= Universities) choose to accept credentials. In theory it’s supposed to be standardised and trivial to set up; in practice some Eduroam providers need to provide multi-page PDF manuals to their customers to guide them through the setup process for each operating system, and still users get confused (even power users). OP’s inability to connect may have nothing to do with the corporate laptop and more with the provider’s implementation of it.
            – Konrad Rudolph
            Aug 28 at 16:32







          • 4




            @YLearn I’m not complaining, I’m explaining why OP is having difficulties despite using a network with a (somewhat) standardised configuration.
            – Konrad Rudolph
            Aug 28 at 19:46






          • 6




            @Rsf that statement describes WPA/WPA2 integrated authentication. The most common case for that is password-only, but it's functionally equivalent to EAP username+password. Setup may differ, but it still operates during the WPAx handshake and won't be inhibited by a VPN requirement, unlike the captive portal method. So in short, when they say "password", they mean "WPA/WPA2 authentication, which is usually password, but could be username+password" as the OP is experiencing here.
            – gowenfawr
            Aug 29 at 12:01
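          The layering point made in the comments above (the supplicant's EAP packets travel inside 802.11/EAPOL frames and are "pre-IP", so an IP-layer VPN-only policy never sees them), as an added example that is not code from the page, from eduroam or from any supplicant: it builds a constructed Ethernet frame carrying EAPOL (EtherType 0x888E, IEEE 802.1X) with an EAP-Response/Identity (RFC 3748), parses it back, and contrasts it with a minimal IPv4 frame. The MAC addresses are made up; "anonymous@example.org" is the anonymised outer-identity form eduroam documentation recommends, with example.org as a placeholder realm.

```python
"""Where 802.1X/EAP sits relative to IP: EAPOL frames versus IPv4 frames.

Added example, not code from the page, from eduroam or from any supplicant.
Field layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the addresses
and the identity string are constructed for illustration.
"""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X port access entity group MAC
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def build_identity_response(identity: str, eap_id: int = 1,
                            src: bytes = bytes.fromhex("020000000001")) -> bytes:
    """Ethernet + EAPOL + EAP-Response/Identity, as a supplicant sends it to the AP."""
    ident = identity.encode("utf-8")
    # EAP header: code=2 (Response), identifier, length over the whole EAP packet, type=1 (Identity)
    eap = struct.pack("!BBHB", 2, eap_id, 5 + len(ident), 1) + ident
    # EAPOL header: protocol version 2 (802.1X-2004), packet type 0 (EAP-Packet), body length
    eapol = struct.pack("!BBH", 2, 0, len(eap)) + eap
    return PAE_GROUP_ADDRESS + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_minimal_ipv4_frame(src: bytes = bytes.fromhex("020000000001"),
                             dst: bytes = bytes.fromhex("020000000002")) -> bytes:
    """Ethernet frame with a bare 20-byte IPv4 header (protocol UDP, no payload), for contrast."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                            bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Classify a raw Ethernet frame: EAPOL (below IP) or IPv4 (what an IP-layer policy sees)."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        return {"layer": "IPv4", "seen_by_ip_policy": True}
    if ethertype != ETHERTYPE_EAPOL:
        return {"layer": f"ethertype 0x{ethertype:04x}", "seen_by_ip_policy": False}
    version, eapol_type, length = struct.unpack("!BBH", payload[:4])
    info: Dict[str, object] = {"layer": "EAPOL", "seen_by_ip_policy": False,
                               "eapol_version": version,
                               "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown")}
    if eapol_type != 0:
        return info                        # Start/Logoff/Key frames carry no EAP packet
    eap = payload[4:4 + length]
    code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length field disagrees with EAPOL body length")
    info["eap_code"] = EAP_CODES.get(code, "unknown")
    info["eap_id"] = eap_id
    if code in (1, 2) and len(eap) > 4:    # only Request/Response carry a type byte
        eap_type = eap[4]
        info["eap_type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
        if eap_type == 1:
            info["identity"] = eap[5:].decode("utf-8", errors="replace")
    return info


if __name__ == "__main__":
    for frame in (build_identity_response("anonymous@example.org"), build_minimal_ipv4_frame()):
        print(parse_frame(frame))
```

          The EAPOL frame has no IP header anywhere in it: it is addressed to the 802.1X group MAC and handled by the access point, which then speaks RADIUS to the authentication server on the client's behalf. That is why WPA-Enterprise credentials can be entered before the laptop has an address, let alone a VPN, whereas a captive portal's login page is ordinary IPv4/HTTP and falls under the VPN-only rule.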












          up vote
          15
          down vote

          When you first connect to some websites, they require that you give them an email address, or some other piece of data, before you can use their service; this page is referred to as a captive portal.



          Your company laptop is set up so that when it detects an internet connection, it connects back to your corporate VPN, and then connects back out from there. In most situations (scenarios 1 and 2 in your question) you can connect to the wifi with a password, or to open wifi, tunnel into your corporate VPN, and then connect back out - all of which is done using the service of the wifi you are connecting to.



          However, in situation 3 you may land on a captive portal web page, which requires that you enter some piece of data first in order to connect. Your laptop, however, is designed in such a way that you must connect to the corporate VPN first, which means that you can't connect to the VPN because you haven't entered any credentials on a captive portal, and you can't enter the credentials because you haven't connected to the VPN yet.



          Hopefully this answers your question a little better than my previous comment. Leave a comment here and I'll update this if you have further questions.



          Edit: Just to add, the reason why a company might have this type of setup is that they can ensure that all traffic passes through their VPN, which allows them to enforce other policies, i.e. acceptable use, etc. Please see @gowenfawr's answer above for more info, as he has explained it extremely well.






          share|improve this answer


























            up vote
            15
            down vote













            When you first connect to some websites, they require that you give them an email address, or some other piece of data before you can use their service, this page is referred to as a captive portal.



            Your company laptop is setup so that when it detects an internet connection, it connects back to your corporate VPN, and then connects back out from there. In most situations, (scenarios 1 and 2 in your question) you can connect to the wifi with a password, or open wifi, tunnel into your corporate VPN, and then connect back out - all of which is done using the service of the wifi you are connecting to.



            However, in situation 3 - you may land on a captive portal web page, which requires that you enter some piece of data first in order to connect. However, your laptop is designed in such a way that you must connect to the corporate VPN first. Which means that you can't connect to the VPN because you haven't entered any credentials on a captive portal, and you can't enter the credentials because you haven't connected to the VPN yet.



            Hopefully this answers your question a little better than my previous comment. Leave a comment here and i'll update this if you have further questions.



            edit: Just to add the reason why a company might have this type of set up is because they can ensure that all traffic passes through their VPN, and allows them to enforce other policies, ie. Acceptable use, etc. Please see @gowenfawr answer for more info above as he has explained it extremely well.






edited Aug 28 at 12:16
answered Aug 28 at 12:06
Connor J
77519




up vote
12
down vote

There are already good answers as to the understanding of the policy, but I'm going to talk briefly about eduroam security and connection profiles to make sure that all bases are covered in terms of the answer. I've worked for two universities that offer eduroam and have spent a lot of time working with it.

Eduroam is a global network of universities and other educational institutions that peer together to allow members of one institution access to network resources at another partner institution.

Authentication to eduroam is done through the 802.1X protocol (with MS-CHAP v2 usually the phase 2 authentication, at least in my experience). This is where the AP/controller uses RADIUS to talk to the RADIUS server at the home institution. Assuming all is good, the client is allowed to connect.

Encryption of the wireless packets from the machine to the AP is done with WPA2 (Enterprise, hence the 802.1X authentication) encryption.

One of the biggest issues I've seen with eduroam connection profiles is when the operating system submits the logged-on user's credentials automatically (this is the default in Windows 7 and below... I think they changed this in Windows 8). I've also seen an issue where Windows will sometimes try to connect with the machine account, which is not usually authorized by the university (only user accounts are).

Once connected to eduroam, your company will tunnel the data out through their VPN provider. Depending on how the institution you are trying to connect to has its eduroam network set up, this may or may not work (the one place I worked only allowed some VPNs out while on eduroam, not all).






answered Aug 28 at 18:15
Allen Howard
2414




• 2
  Windows 8 and iOS automatically remember the institution's TLS certificate by fingerprint. Older Windows versions weren't completely insecure, but they required manual configuration of the certificate's hostname. Android 7+ requires the hostname to be input as well.
  – grawity
  Sep 3 at 8:47
up vote
9
down vote

What you are referring to is called a captive portal.

In order for such a portal to get displayed in your web browser, the following things need to happen:

1. The WiFi router waits until your computer makes a non-encrypted (http://) request to a public website.
2. It intercepts that request.
3. It responds by impersonating the website you wanted to reach and sends you a redirect to the portal.

This is something which looks extremely evil to any security software on your computer. You are doing an unencrypted HTTP request to a public website via an untrusted network and become the victim of a man-in-the-middle attack. Yes, you are aware of this, and you are doing this just so you can see the captive portal. But captive portals are not standardized, so your computer cannot tell the difference.

If the IT department allowed this process, they would also be allowing you to browse the internet over a completely insecure connection.






answered Aug 28 at 12:54
Philipp
43.3k7112137




• 2
  Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) www.example.com to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as www.example.com would be able to trick anyone into doing anything they're not wanting to.
  – supercat
  Aug 28 at 18:53

• @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do.
  – Brilliand
  Aug 29 at 22:37

• 3
  @supercat there is nothing enforcing that the captive portal is actually a captive portal and not something that will download a virus. It might look like a page for entering a password or username, but it might not actually do anything aside from allowing you to continue browsing. With a standardized website that is even worse, as now hackers can just mimic that website on a network that doesn't have captive portals and every user would fall for it and have no reason to believe otherwise. Captive portals that have different named URLs depending on the network actually aid security.
  – The Great Duck
  Aug 29 at 23:16

• 1
  @TheGreatDuck: If a browser would allow a visited page to execute code of its choosing with sufficient privilege to install a virus, that's a problem even if everything is done through a VPN. Likewise almost any publicly-addressable http-based web site visited through a VPN could be hijacked by anyone at any node between the web host and the VPN bridge, no matter what the VPN does. The particular use case of using a browser to access www.example.com and whatever that redirects to would seem like it should be safe in the absence of security flaws within the browser itself.
  – supercat
  Aug 31 at 18:48

• 1
  Perhaps the right approach would not be to pick a domain, but instead require that a browser used for such purposes be run within a particular VM, and instruct users that nothing requiring security should be run within that VM, but even there, picking a domain which one expects to be hijacked by a captive portal would help to recognize the difference between captive-portal hijacking and other forms.
  – supercat
  Aug 31 at 18:49
                  • 2




                    Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) www.example.com to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as www.example.com would be able to trick anyone into doing anything they're not wanting to.
                    – supercat
                    Aug 28 at 18:53










                  • @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do.
                    – Brilliand
                    Aug 29 at 22:37







                  • 3




                    @supercat there is nothing enforcing that the captive portal is actually a captive portal and not something that will download a virus. It might look like a page for entering a password or username, but it might not actually do anything aside from allowing you to continue browsing. With a standardized website that is even worse as now hackers can just mimick that website on a network that doesn't have captive portals and every user would fall for it and have no reason to believe otherwise. Captive portals that have different named URLs depending on the network actually aids in the security.
                    – The Great Duck
                    Aug 29 at 23:16







                  • 1




                    @TheGreatDuck: If a browser would allow a visited page to execute code of its choosing with sufficient privilege to install a virus, that's a problem even if everything is done through a VPN. Likewise almost any publicly-addressable http-based web site visited through a VPN could be hijacked by anyone at any node between the web host and the VPN bridge, no matter what the VPN does. The particular use case of using a browser to access www.example.com and whatever that redirects to would seem like it should be safe in the absence of security flaws within the browser itself.
                    – supercat
                    Aug 31 at 18:48






                  • 1




                    Perhaps the right approach would not be to pick a domain, but instead require that a browser used for such purposes be run within a particular VM, and instruct users that nothing requiring security should be run within that VM, but even there, picking a domain which one expects to be hijacked by a captive portal would help to recognize the difference between captive-portal hijacking and other forms.
                    – supercat
                    Aug 31 at 18:49







                  2




                  2




                  Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) www.example.com to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as www.example.com would be able to trick anyone into doing anything they're not wanting to.
                  – supercat
                  Aug 28 at 18:53




                  Would there be any security risks if software explicitly allowed accesses to a particular site like (perhaps literally) www.example.com to be "hijacked" via captive portal? Captive portals should have no trouble hijacking that site like any other, but it would be unlikely that a captive portal masquerading as www.example.com would be able to trick anyone into doing anything they're not wanting to.
                  – supercat
                  Aug 28 at 18:53












                  @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do.
                  – Brilliand
                  Aug 29 at 22:37





                  @supercat After you're redirected to the captive portal, then what? You're still on an insecure connection until you explicitly switch back to your secure mode, which you may forget to do.
                  – Brilliand
                  Aug 29 at 22:37





                  3




                  3




                  @supercat there is nothing enforcing that the captive portal is actually a captive portal and not something that will download a virus. It might look like a page for entering a password or username, but it might not actually do anything aside from allowing you to continue browsing. With a standardized website that is even worse as now hackers can just mimick that website on a network that doesn't have captive portals and every user would fall for it and have no reason to believe otherwise. Captive portals that have different named URLs depending on the network actually aids in the security.
                  – The Great Duck
                  Aug 29 at 23:16





                  1




                  @TheGreatDuck: If a browser would allow a visited page to execute code of its choosing with sufficient privilege to install a virus, that's a problem even if everything is done through a VPN. Likewise almost any publicly-addressable http-based web site visited through a VPN could be hijacked by anyone at any node between the web host and the VPN bridge, no matter what the VPN does. The particular use case of using a browser to access www.example.com and whatever that redirects to would seem like it should be safe in the absence of security flaws within the browser itself.
                  – supercat
                  Aug 31 at 18:48




                  1




                  Perhaps the right approach would not be to pick a domain, but instead require that a browser used for such purposes be run within a particular VM, and instruct users that nothing requiring security should be run within that VM, but even there, picking a domain which one expects to be hijacked by a captive portal would help to recognize the difference between captive-portal hijacking and other forms.
                  – supercat
                  Aug 31 at 18:49




                  up vote
                  3
                  down vote













                  Generally, these Wi-Fi hotspots authenticate via a MAC address. That is to say, after you sign in via their captive portal, they remember your system's Wi-Fi MAC address. Traffic from that MAC address will be permitted on their Wi-Fi hotspot for X minutes/hours, depending on their policy.



                  They also store it long enough that you can walk away, come back, get a new IP address and be recognized on MAC address alone. Some are vast. Once you hit "TOS Accept" on Target's guest Wi-Fi, it remembers your MAC address for years and nationwide to boot.



                  So, the question is: How can we come up on Wi-Fi with a machine with that MAC address, browse http://neverssl.com (or any non-HTTPS site), be redirected to the captive portal, satisfy the captive portal's requirements, and get our MAC address "remembered" as a good thing?



                  My thought is to use another device that allows you to alter its MAC address arbitrarily. Disable your company laptop's Wi-Fi and set its MAC address on your other device. Use it to walk through the captive portal's screens. Disable its Wi-Fi and enable your company laptop's Wi-Fi.



                  Another alternative would be to reboot your laptop off a thumb drive, into a non-locked-down OS, presuming your company is OK with that.






                      edited Aug 31 at 20:11
                      answered Aug 28 at 21:54
                      Harper
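To make the mechanics this answer describes concrete, here is an added simulation (not Harper's code; the portal URL, the 4-hour window, the ports and the MAC addresses are constructed) of a hotspot gate that keys its grant on the client MAC: plain HTTP from an unknown MAC is redirected to the portal and everything else from it is dropped, which is exactly why a laptop that only ever speaks VPN never gets through, while a granted MAC keeps access across an IP change until the policy window lapses.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model of the hotspot gate the answer describes: the portal
# remembers the client's Wi-Fi MAC after "TOS Accept" and keys every later
# decision on that MAC, not on the IP address (which can change on reconnect).
# Names and numbers below are assumptions, not any vendor's real defaults.
PORTAL_URL = "http://portal.hotspot.example/login"
GRANT_TTL_SECONDS = 4 * 3600            # assumed policy: remember the MAC for 4 hours
DNS, HTTP, HTTPS = 53, 80, 443


@dataclass
class CaptivePortalGate:
    grants: Dict[str, float] = field(default_factory=dict)   # MAC -> grant expiry (epoch seconds)
    ttl: float = GRANT_TTL_SECONDS

    def accept_tos(self, mac: str, now: float) -> None:
        """Client submitted the portal page: remember its MAC for the policy window."""
        self.grants[mac.lower()] = now + self.ttl

    def is_authorised(self, mac: str, now: float) -> bool:
        expiry = self.grants.get(mac.lower())
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[mac.lower()]      # window elapsed; client must see the portal again
            return False
        return True

    def decide(self, mac: str, src_ip: str, dst_port: int, now: float) -> str:
        """Packet-filter verdict for one client flow.

        'allow'    - authorised MAC (or DNS, which the redirect needs to resolve)
        'redirect' - unauthorised MAC, plain HTTP is hijacked to PORTAL_URL
        'drop'     - unauthorised MAC, everything else (HTTPS, VPN tunnels, ...)
        src_ip plays no part on purpose: the grant follows the MAC across IP changes.
        """
        if self.is_authorised(mac, now) or dst_port == DNS:
            return "allow"
        return "redirect" if dst_port == HTTP else "drop"


def locked_down_laptop_session(gate: CaptivePortalGate, mac: str,
                               vpn_port: int, now: float) -> List[str]:
    """A laptop that only ever speaks VPN (as in the question) never reaches the
    portal page, so every retry stays at 'drop'."""
    return [gate.decide(mac, "10.0.0.5", vpn_port, now + i) for i in range(3)]


def ordinary_client_session(gate: CaptivePortalGate, mac: str, now: float) -> List[str]:
    """An unrestricted client: HTTP to neverssl.com is redirected, it accepts the
    TOS, then keeps access from a new IP until the grant expires."""
    verdicts = [gate.decide(mac, "10.0.0.5", HTTP, now)]               # 'redirect'
    gate.accept_tos(mac, now)                                          # portal form submitted
    verdicts.append(gate.decide(mac, "10.0.0.5", HTTPS, now + 1))      # 'allow'
    verdicts.append(gate.decide(mac, "10.0.0.77", HTTPS, now + 600))   # new IP, same MAC: 'allow'
    verdicts.append(gate.decide(mac, "10.0.0.77", HTTPS, now + gate.ttl))  # window lapsed: 'drop'
    return verdicts


if __name__ == "__main__":
    gate = CaptivePortalGate()
    print("VPN-only laptop:", locked_down_laptop_session(gate, "AA:BB:CC:DD:EE:01", HTTPS, 1000.0))
    print("ordinary client:", ordinary_client_session(gate, "AA:BB:CC:DD:EE:01", 1000.0))
```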


                          up vote
                          2
                          down vote













                          Okay, so let's address a few points in your question.



                          Organisations often use LDAP and other methodologies for authentication without a password, and these are yet more secure.



                          An infrastructure VPN only permits a particular IP range, which is allowed by firewall settings and iptables to communicate with your intranet/internal network. Now, you actually get the credentials, or are only permitted to access this intranet using a particular IP subnet/range, often only by using the company's network via an infrastructure VPN like Cisco SSL VPN or Sophos infrastructure VPN.



                          Hope this clears out some doubts you had!



                          P.S. - Use of a secure VPN that uses the IPSec protocol and is safely implemented, like that of Cisco SSL VPN for infrastructures, is far more secure than traditional ones and offers a deep layer of security from the perspective of an external attacker, who virtually can't access the network without having access to the infrastructure VPN.






                              answered Aug 31 at 5:13
                              A Khan

                                  up vote
                                  1
                                  down vote













                                  I can't say whether your organization's sysadmins will go for it, but you could suggest to them that they make a specific exception in their VPN configuration to allow direct, unencrypted connections to the website http://neverssl.com/. The entire purpose of this site is to be hijacked by captive portals. Nobody will ever need to visit via the corporate VPN, because it's useless except when you need to allow a captive portal to hijack an unencrypted HTTP connection and present its login page, and it doesn't accept any information, so nobody could exfiltrate corporate data that way. The remaining risk is that the captive portal itself might be malicious, and that's a real risk, so they might not go for it. But it's worth a try.






                                  answered Aug 30 at 20:29
                                  zwol

                                  1

                                    In the OP's case, the organization's sysadmins would also have to allow direct connections to arbitrary websites (specifically, to whatever website the captive portal wants to use for login). That's what they aren't willing to do.
                                    – Brilliand
                                    Sep 1 at 23:48

                                  up vote
                                  1
                                  down vote














                                  How is no password more secure than username+password?




                                  It is if you use a shared key. Here's the way it works, simply explained.



                                  You have a secure key on your computer. The one that you're trying to log in to has a key that matches it. This allows a simple, quick, and secure passwordless login.



                                  This link is mostly about remotely logging into a remote server via ssh, without entering a username and password. I do that all the time when I need to ssh into my leased bare-metal server in another state. Surely, it's possible to do that in your case.






                                      edited Aug 30 at 21:41
                                      answered Aug 30 at 20:48
                                      Mike Waters
