OWE network traffic security

fraynchize

Hey All,

I want to get away from the one password to rule the wifi and instead use the AD Login splash page. If I set my network up with OWE and have the captive portal strength set to block all access until sign-on is complete, is my network secure? Or, because it's still an "open" network, am I vulnerable to being attacked by anyone?

Thanks,

Tyler

MariaP8
Meraki Employee

Hi Tyler, 

1. OWE is part of WPA3 authentication which requires client devices to use data encryption upon associating to the AP.

2. After association the client will be redirected to the AD Logon Splash Page where they will have to enter a username and password to authenticate to the AD server.

3. The client will enter their username and password. The AP will receive that information and then send that off to your server.

4. Your server will accept or deny the credentials. If denied the server will indicate that to the AP and the AP will deny you access to the network. If your credentials are accepted your server will send a message to the AP telling it to allow you into the network. 

5. If you have your captive portal strength set to "block all access until sign-on is complete" then until users complete their sign-on they will not be allowed to access anything in the network (save for what is in your walled garden).

Additional Resources: 

802.11 Process Explained - Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is complete.

In our documentation we state the following, "To associate to a wireless network, a client must have the correct encryption keys (association requirements). Once associated the wireless client may need to enter information (network sign-on method) before accessing resources on the wireless network."

More on OWE from our documentation.

Hopefully this answers your question 🙂 

Maria P | Network Support Engineer, Cisco Meraki
KarstenI
Kind of a big deal

OWE gives you wireless encryption without authentication, and the Splash page gives you authentication without wireless encryption. Combining both leaves you individually vulnerable to attacks on the other. An attacker on the wireless side can still make himself a MitM to interact with the wireless data in cleartext form.

If it is for internal users (as you are talking about AD login), implementing 802.1X is the only secure way to combine both.

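The point Karsten makes above (OWE keys the link to whoever answers, so an evil twin can sit in the middle and read the splash-page credentials from step 3 of Maria's reply in cleartext, while 802.1X adds the missing server authentication) is easier to see as a protocol run with both sides' messages. The following is an added illustration written for this thread; it is not Meraki code and not the real Wi-Fi protocol. It assumes stand-ins that are labelled in the code: finite-field Diffie-Hellman over RFC 3526 group 14 in place of OWE's ECDH, a Schnorr signature over the same group in place of the server-certificate check a correctly configured 802.1X supplicant performs, a SHA-256 keystream XOR in place of the link cipher, and a constructed splash-page POST with a made-up user name and password. Only the trust relationships are meant to be faithful.

```python
"""Toy model of the two designs contrasted in this thread (added example).

Stand-ins, none of which is the real Wi-Fi protocol: finite-field DH over
RFC 3526 group 14 for OWE's ECDH; a Schnorr signature over the same group
for the server-certificate check an 802.1X supplicant performs; a SHA-256
keystream XOR for the link cipher. Only the trust relationships are faithful.
"""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP). Generator 2 has prime order Q = (P-1)/2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2


def rand_exp() -> int:
    return secrets.randbelow(Q - 2) + 2


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def dh_keypair():
    x = rand_exp()
    return x, pow(G, x, P)


def link_key(peer_pub: int, my_priv: int) -> bytes:
    """Derive the link key from the DH shared secret (stand-in for the PMK/PTK path)."""
    return hashlib.sha256(i2b(pow(peer_pub, my_priv, P))).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; the same call encrypts and decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def schnorr_sign(priv: int, pub: int, msg: bytes):
    """Stand-in for the AP/RADIUS server proving its identity with a trusted certificate."""
    k = rand_exp()
    r = pow(G, k, P)
    e = hash_int(i2b(r), i2b(pub), msg) % Q
    return r, (k - e * priv) % Q


def schnorr_verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = hash_int(i2b(r), i2b(pub), msg) % Q
    return pow(G, s, P) * pow(pub, e, P) % P == r


# Constructed sample (made-up user and password): the credentials from step 3
# of the first reply, as the client sends them to an HTTP splash page.
SPLASH_POST = b"POST /splash user=tyler&pass=correct-horse"


def associate(authenticated: bool, evil_twin: bool):
    """Run one association. Returns (client_joined, attacker_read_credentials)."""
    ap_id_priv, ap_id_pub = dh_keypair()   # AP/server long-term identity
    trust_anchor = ap_id_pub               # what the supplicant pins (certificate role)
    ap_priv, ap_pub = dh_keypair()         # AP's per-association DH value
    sig = schnorr_sign(ap_id_priv, ap_id_pub, i2b(ap_pub)) if authenticated else None

    # The evil twin answers first and swaps in its own DH value.
    mitm_priv, mitm_pub = dh_keypair()
    offered_pub = mitm_pub if evil_twin else ap_pub

    # OWE: nothing to verify, the client keys to whoever answered.
    # 802.1X-style: the offer must be signed by the pinned identity or the client aborts.
    if authenticated and not schnorr_verify(trust_anchor, i2b(offered_pub), sig):
        return False, False
    cl_priv, cl_pub = dh_keypair()
    frame = toy_cipher(link_key(offered_pub, cl_priv), SPLASH_POST)

    if not evil_twin:
        ap_sees = toy_cipher(link_key(cl_pub, ap_priv), frame)
        return ap_sees == SPLASH_POST, False

    # Attacker holds one key toward the client and another toward the real AP:
    # decrypt, read, re-encrypt, relay. Both ends see a normal session.
    plaintext = toy_cipher(link_key(cl_pub, mitm_priv), frame)
    relayed = toy_cipher(link_key(ap_pub, mitm_priv), plaintext)
    ap_sees = toy_cipher(link_key(mitm_pub, ap_priv), relayed)
    return ap_sees == SPLASH_POST, plaintext == SPLASH_POST


if __name__ == "__main__":
    for auth, twin in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"authenticated={auth!s:5} evil_twin={twin!s:5} ->", associate(auth, twin))
```

Running it shows the four cases: with OWE alone the client joins in both runs and, in the evil-twin run, the attacker reads the splash-page credentials; with the authenticated exchange the evil twin is rejected before any data is sent. The splash page never enters the picture because it only runs after keying is complete, which is why the captive-portal strength setting cannot close this gap. The same model also shows the practical caveat on the 802.1X side: the protection comes entirely from the client actually checking the server's identity (the `trust_anchor` comparison here, the server-certificate validation on a real supplicant); a supplicant configured to skip that check degrades to the OWE case.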