Re: hotel captive portals and forced VPNs

[Jarrod Frates <jfrates.ml () gmail com>]

On Thu, Dec 27, 2012 at 8:41 AM, Robin Wood <robin () digininja org> wrote:
> Has anyone seen a way to stop this short window of opportunity but
> obviously still allow the user to connect to the captive portal and
> authenticate?

I've seen locations that occasionally allow non-HTTP traffic without
any sort of authentication (DNS being the most common I've checked),
but I haven't explored them significantly.  I once stayed at a hotel
that allowed my IM logins to proceed but challenged me on web access.
I've since seen hotels battening down the hatches to prevent anything
from leaving without a web login; I imagine that your friend would
have a rough time with those locations, though I wonder what would
happen if you sent something other than types 1, 6, or 17 across it.

Any properly-configured NAC should be intercepting the first packet
and demanding authentication.  However, I've seen all manner of
oddities when it comes to hotel networks.  A hotel in Dallas triggered
the ARP spoof detection on my fiancee's notebook's ESET installation;
the MAC address for the default gateway kept flipping between
addresses of the same manufacturer.  The hotel staff blamed it on a
volleyball team showing up and flooding the network with traffic, but
I think it was just a poorly-configured load balancer of some sort as
I've run into it elsewhere since then.  (Or maybe someone was just
being really clever and intercepting the traffic intermittently.)  We
eventually just disabled the ARP spoof detection and went on our merry
way, but it reminded me that one can never trust networks that one did
not design or at least implement (and sometimes not even then).
-- 
Jarrod Frates
GAWN, GCIH, GPEN, GXPN
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com