Portal authentication security in WLAN operation

Source: Internet
Author: User

Operator WLANs support several authentication methods, but the most common is a pop-up Portal logon page: the user finds the carrier's AP, connects to it to obtain an IP address, opens a browser, and enters an account and password to log on.

This method is simple and convenient, but because the AP uses neither WEP nor WPA2 encryption, traffic over the air is easy to sniff and crack, and attackers can intercept the account and password in transit. The method is therefore less secure.

How can the security of the login page be improved? According to City Hotspot's summary, most WLAN operators currently adopt the following solutions:

1. CHAP authentication between the Portal server, the BRAS, and the RADIUS server

2. HTTPS logon page

3. A dynamic password obtained through SMS

Below, City Hotspot discusses and compares these three methods.

1. The authentication method in solution 1 is simple, practical, and safe. The RADIUS standard provides two optional authentication methods: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). If both parties agree through negotiation, it is also possible to use no authentication method at all. CHAP is more secure than PAP because it does not send the plaintext password over the network. Instead, it sends the result of a digest algorithm applied to a random sequence, which is known as the "challenge string".

In addition, authentication can be performed at any time, including during normal communication between the two parties. The password value transmitted in this mode is therefore time-sensitive.

With PAP, the password is transmitted in plaintext or protected by a reversible algorithm. Because the encryption algorithm can be found by viewing the source code of the logon page, the corresponding cracking algorithm is easy to find as well. CHAP's MD5 processing, by contrast, is irreversible even though the algorithm is public: a listener cannot calculate the password from the result. During authentication, only the RADIUS server and the user know the password; access devices such as the BRAS transmit only the MD5 result. Because a different challenge value is used for each authentication, the result is also different each time. Even if an attacker captures it, it is invalid for the next authentication.

2. The HTTPS login page method has the highest security. Because it uses dynamic SSL certificate encryption, it cannot be cracked at present. However, a formal website certificate must be purchased for the Portal server, and the cost is relatively high.

3. Currently, most mobile operators use text messages to deliver dynamic passwords, which are valid for only 10-20 minutes. This method is similar to CHAP's security mechanism in that the password's validity period is restricted. Although this method is highly secure, each login costs at least one text message, and the procedure is relatively cumbersome.
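The CHAP computation discussed under solution 1, as an added example (not code from the original page or from any vendor product): the response is MD5 over the identifier, password and challenge as defined in RFC 1994, and the verifier accepts each challenge only once. The class name, the account and the password are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


class ChapVerifier:
    """Server side (the RADIUS role): issues challenges, checks each once."""

    def __init__(self, users: dict[str, bytes]):
        self._users = users          # constructed sample credential store
        self._pending = {}           # (user, chap_id) -> outstanding challenge
        self._next_id = 0

    def issue(self, user: str) -> tuple[int, bytes]:
        chap_id = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)   # fresh random challenge per attempt
        self._pending[(user, chap_id)] = challenge
        return chap_id, challenge

    def verify(self, user: str, chap_id: int, response: bytes) -> bool:
        # pop() makes every challenge single-use, so a captured response
        # is rejected on a second submission and under any later challenge.
        challenge = self._pending.pop((user, chap_id), None)
        password = self._users.get(user)
        if challenge is None or password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    server = ChapVerifier({"alice": b"correct horse"})      # constructed account
    cid, chal = server.issue("alice")
    captured = chap_response(cid, b"correct horse", chal)   # what crosses the air
    first = server.verify("alice", cid, captured)
    replay_same = server.verify("alice", cid, captured)     # challenge already used
    cid2, _ = server.issue("alice")
    replay_new = server.verify("alice", cid2, captured)     # old response, new challenge
    return {"first": first, "replay_same": replay_same, "replay_new": replay_new}


if __name__ == "__main__":
    print(demo())
```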

From the above, City Hotspot believes that these three methods are independent of each other and do not conflict. Each is a good way to improve the security of carrier authentication, and they can also be used together. As the top brand in broadband billing, City Hotspot provides an overall solution that covers all three methods, so the best solution can be chosen based on your needs to achieve the best results!
