Are you able to set up RADIUS and integrate it with your LDAP solution? Then you can have employees log in with their desktop credentials instead of a shared password. This is how we stopped WiFi password sharing at my last job without destroying our employees' productivity.
First, it doesn't seem like you know what you're doing. That's fine, everyone starts somewhere, but you also seem to be in a position where others expect you to fix the issue, and that's not OK. Nine times out of ten you end up looking bad.
Second, someone gave this person access to the network. That should be a fireable offense, but in my opinion, so should running a network using a single PSK.
Third, you don’t know how to correctly filter traffic on your network.
Next steps here are to block the VPN traffic, which could mean blocking some legitimate traffic or investing in better firewalls that can block on content, not just ports, then implementing 802.1X and issuing new credentials or certificates to anyone who actually needs access.
I’m trying to understand what you are saying here.
You have a number of WiFi access points. And those are connected to a closed network that you are calling your Portal.
And you have strangers using your WiFi to access the internet?
Or you have authorized employees using the WiFi APs, and then they use a VPN to get to the open internet? In other words, your employees are escaping your closed portal.
How about creating user accounts with unique passwords for every user, so if somebody shares their account you first of all know it, and second of all can easily shut down the account. Also, as I read in another comment, MAC address filtering is completely useless, as MAC addresses don't get encrypted in 802.11 and 802.3 and somebody can easily sniff the WLAN traffic. What security measures do you currently have in place?
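The point about MAC addresses being readable on the air, as an added example (this is not the commenter's code). The script constructs a station-to-AP data frame with the Protected bit set, parses only the 802.11 MAC header, and shows that an allowlist check keyed on the source address passes for a second frame built from the sniffed address. The BSSID, station MACs, CCMP header bytes and "ciphertext" are all constructed stand-ins, and the allowlist check models what an AP-side MAC filter does.

```python
"""Added example: the 802.11 MAC header is never encrypted, so a MAC allowlist
can be read off the air and spoofed. Frames below are constructed, not captured."""
import struct

FC_FLAG_TO_DS = 0x01
FC_FLAG_FROM_DS = 0x02
FC_FLAG_PROTECTED = 0x40   # "Protected Frame" bit: the body is CCMP/TKIP-encrypted
TYPE_DATA = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def build_protected_data_frame(bssid: str, sa: str, da: str, ciphertext: bytes) -> bytes:
    """Constructed station->AP data frame (ToDS=1, FromDS=0) with the Protected bit set.
    An 8-byte CCMP header and the opaque ciphertext stand in for a real encrypted body."""
    fc = bytes([TYPE_DATA << 2, FC_FLAG_TO_DS | FC_FLAG_PROTECTED])
    duration = struct.pack("<H", 0x002C)
    seq_ctl = struct.pack("<H", 0x0010)
    ccmp_hdr = bytes.fromhex("0100002000000000")   # PN0 PN1 rsvd KeyID|ExtIV PN2..PN5 (assumed values)
    return (fc + duration + mac_bytes(bssid) + mac_bytes(sa) + mac_bytes(da)
            + seq_ctl + ccmp_hdr + ciphertext)


def parse_80211_header(frame: bytes) -> dict:
    """Read the addressing fields of an 802.11 frame. Only the cleartext header is
    decoded; whatever follows it may be encrypted and is returned untouched."""
    if len(frame) < 24:
        raise ValueError("frame too short for a MAC header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & FC_FLAG_TO_DS)
    from_ds = bool(fc1 & FC_FLAG_FROM_DS)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len, addr4 = 24, None
    if to_ds and from_ds:            # WDS frames carry a fourth address
        addr4, hdr_len = frame[24:30], 30
    # Which address is SA/DA/BSSID depends on the DS bits (IEEE 802.11 address table).
    if not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds and not to_ds:
        da, bssid, sa = addr1, addr2, addr3
    else:
        da, sa, bssid = addr3, addr4, None
    return {
        "type": ftype, "subtype": subtype,
        "protected": bool(fc1 & FC_FLAG_PROTECTED),
        "bssid": mac_str(bssid) if bssid else None,
        "sa": mac_str(sa), "da": mac_str(da),
        "body": frame[hdr_len:],     # still ciphertext; we never needed to decrypt it
    }


def passes_mac_filter(frame: bytes, allowlist: set) -> bool:
    """Models an AP-side MAC allowlist: it looks at the cleartext SA and nothing else."""
    return parse_80211_header(frame)["sa"] in allowlist


# Constructed scenario: one legitimate station is on the allowlist.
BSSID = "00:11:22:33:44:55"
GATEWAY = "00:11:22:33:44:66"
ALLOWED = {"aa:bb:cc:dd:ee:01"}

# 1. Encrypted frame from the legitimate station, sniffed by a laptop in monitor mode.
SNIFFED = build_protected_data_frame(BSSID, "aa:bb:cc:dd:ee:01", GATEWAY,
                                     bytes.fromhex("9f3c7ae1025db4c8f00d1e2a3b4c5d6e"))

# 2. The attacker copies the source address it just read and sends its own frame.
SPOOFED = build_protected_data_frame(BSSID, parse_80211_header(SNIFFED)["sa"], GATEWAY,
                                     b"\x00" * 16)

if __name__ == "__main__":
    hdr = parse_80211_header(SNIFFED)
    print(f"protected={hdr['protected']} bssid={hdr['bssid']} sa={hdr['sa']} "
          f"da={hdr['da']} encrypted_body={len(hdr['body'])} bytes")
    print("spoofed frame passes MAC filter:", passes_mac_filter(SPOOFED, ALLOWED))
```

The body stays opaque throughout; the attacker never needs the PSK to learn which addresses the filter accepts. 802.1X with per-user credentials or certificates ties access to something that is not broadcast in every frame.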
What you say in earlier comments is that the user got the WiFi password from someone, and they are using the Psiphon VPN to access sites that your portal blocks.
As long as they can use a VPN, any VPN, on your network, they bypass all your filtering rules. You will need to block any and all VPN use to prevent this.
Make your network unseen, create a fake network that is broadcast, and in this network treat it like it's a live network. Use a Raspberry Pi to send continuous ping requests and/or data packets across this "decoy" network. Configure the DHCP to assign invalid IPs. This is how I got people off my network when I lived in an apartment complex, until I got a WiFi Pineapple... then I just made their devices constantly reconnect without accessing anything useful.
You’ll need to perform a packet capture on the traffic and see what loophole is being abused. Look at the protocol being used and what the destination is, and whether your Guest Firewall rules permit the traffic.
For context, I’ve used modified versions of OpenVPN in the past to tunnel over ICMP, which has allowed me to get free Internet on networks where ICMP is allowed to the Internet despite captive portals restricting all other traffic, or reverse proxies acting as your walled garden.
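An added example for the two comments above (the packet capture to find the loophole, and the ICMP tunnel that captive portals tend to let through); it is not code from either commenter. The script builds a handful of IPv4/ICMP packets in-line, parses them back, and aggregates echo traffic per source/destination pair, flagging flows whose payloads are larger than a normal ping or that move more bytes than a ping ever should. The packets, hosts, and the two thresholds are constructed assumptions; on a real network you would feed it raw IPv4 packets from the guest VLAN capture.

```python
"""Added example: flag ICMP echo flows that look like a tunnel. All packets here are
constructed; a real run would read raw IPv4 packets from a capture of the guest VLAN."""
import socket
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
MAX_NORMAL_PAYLOAD = 128    # assumed: Linux ping sends 56 data bytes, Windows 32
MAX_BYTES_PER_FLOW = 4096   # assumed: echo payload per src->dst before we call it bulk data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, ident: int, seq: int, payload: bytes,
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed IPv4 + ICMP packet with valid header and ICMP checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Return the ICMP fields of a raw IPv4 packet, or None if it is not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    pkt = pkt[:total_len]                      # drop any Ethernet padding
    if pkt[9] != 1:
        return None
    if inet_checksum(pkt[:ihl]) != 0:          # header incl. its checksum must sum to zero
        raise ValueError("bad IPv4 header checksum")
    icmp = pkt[ihl:]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": icmp[8:]}


def find_icmp_tunnels(packets):
    """Aggregate echo request/reply traffic per (src, dst) and report suspicious flows."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "max_payload": 0})
    for pkt in packets:
        p = parse_icmp(pkt)
        if p is None or p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        f = flows[(p["src"], p["dst"])]
        f["pkts"] += 1
        f["bytes"] += len(p["payload"])
        f["max_payload"] = max(f["max_payload"], len(p["payload"]))
    findings = []
    for (src, dst), f in sorted(flows.items()):
        reasons = []
        if f["max_payload"] > MAX_NORMAL_PAYLOAD:
            reasons.append(f"payload {f['max_payload']}B > {MAX_NORMAL_PAYLOAD}B")
        if f["bytes"] > MAX_BYTES_PER_FLOW:
            reasons.append(f"{f['bytes']}B carried in {f['pkts']} echo packets")
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


# Constructed sample traffic: one host pinging normally, one host tunnelling.
NORMAL_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x40))       # 56 bytes, Linux ping pattern
TUNNEL_PAYLOAD = bytes((i * 7919) & 0xFF for i in range(1400))  # stand-in for encrypted tunnel data
SAMPLE_PACKETS = (
    [build_echo("10.0.0.10", "8.8.8.8", 0x1111, s, NORMAL_PAYLOAD) for s in range(1, 4)]
    + [build_echo("8.8.8.8", "10.0.0.10", 0x1111, s, NORMAL_PAYLOAD, ICMP_ECHO_REPLY) for s in range(1, 4)]
    + [build_echo("10.0.0.23", "203.0.113.9", 0x2222, s, TUNNEL_PAYLOAD) for s in range(1, 6)]
)

if __name__ == "__main__":
    for finding in find_icmp_tunnels(SAMPLE_PACKETS):
        print(f"{finding['src']} -> {finding['dst']}: " + "; ".join(finding["reasons"]))
```

The thresholds are deliberately loose so legitimate pings are not flagged; a tunnel that fragments itself into ping-sized payloads would only trip the per-flow byte counter, which is why the volume check is there alongside the size check. The same pattern (parse, aggregate per flow, compare against what the protocol legitimately needs) applies to DNS tunnelling, the other classic captive-portal escape.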
If someone is sharing your password to the network, then you need to move to MPKI infrastructure or UID to lock out access.
I had a similar issue once. Most VPN services usually have some kind of service discovery API that has data about their nodes. All VPNs still need to connect to their first-mile node. So you can automate the process of blocking outgoing connections by grabbing their node list and creating the firewall rules.
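An added example of the node-list-to-firewall-rules automation described above, for this comment and the earlier "block any and all VPN use" advice; it is not the commenter's script. It parses a constructed JSON node list, throws out entries that must never reach a firewall (unparseable values, hostnames, RFC1918 and other local ranges, and anything broader than a /16, so a poisoned or buggy list cannot lock you out of your own LAN), merges the survivors, and renders both an nftables ruleset and the ipset/iptables equivalent. The JSON layout, the `ip` field name, the set name and the /16 cut-off are assumptions; a real provider API will differ and hostnames would need resolving first.

```python
"""Added example: turn a VPN provider's node list into gateway firewall rules, with the
sanity checks worth having before loading anything. The node list is constructed."""
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIXLEN = 16   # assumed policy: refuse to block anything broader than a /16 from a fetched list


def load_node_networks(raw_json: str, field: str = "ip"):
    """Parse the node list; drop junk, local and over-broad entries; merge the rest."""
    nets = []
    for node in json.loads(raw_json).get("nodes", []):
        try:
            net = ipaddress.ip_network(node[field], strict=False)
        except (KeyError, ValueError):
            continue                      # hostname or garbage: resolve separately, never guess
        if net.version != 4:
            continue                      # v6 would need its own set; kept out of this example
        if (net.prefixlen < MIN_PREFIXLEN or net.is_loopback
                or net.is_link_local or net.is_multicast):
            continue
        if any(net.overlaps(p) for p in RFC1918):
            continue                      # a poisoned list must not block your own LAN
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))   # sorted, duplicates and subnets merged


def nft_element(net) -> str:
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_nft(nets, set_name: str = "vpn_nodes") -> str:
    """nftables ruleset: an interval set plus a forward-chain drop rule (load with `nft -f`)."""
    elements = ", ".join(nft_element(n) for n in nets)
    return "\n".join([
        "table inet filter {",
        f"  set {set_name} {{",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr @{set_name} counter drop",
        "  }",
        "}",
    ])


def render_ipset(nets, set_name: str = "vpn_nodes"):
    """iptables/ipset equivalent, as the shell commands a cron job would run."""
    cmds = [f"ipset create {set_name} hash:net -exist", f"ipset flush {set_name}"]
    cmds += [f"ipset add {set_name} {nft_element(n)}" for n in nets]
    cmds.append(f"iptables -C FORWARD -m set --match-set {set_name} dst -j DROP 2>/dev/null"
                f" || iptables -I FORWARD -m set --match-set {set_name} dst -j DROP")
    return cmds


# Constructed node list in an assumed layout; the bad-* entries are the cases the filter must reject.
NODE_LIST = json.dumps({"nodes": [
    {"id": "nl-1", "ip": "203.0.113.7"},
    {"id": "nl-2", "ip": "203.0.113.8"},
    {"id": "nl-range", "ip": "203.0.113.0/24"},
    {"id": "us-1", "ip": "198.51.100.20"},
    {"id": "bad-1", "ip": "10.0.0.5"},
    {"id": "bad-2", "ip": "0.0.0.0/0"},
    {"id": "bad-3", "ip": "not-an-ip"},
    {"id": "bad-4", "hostname": "vpn.example.net"},
]})

if __name__ == "__main__":
    nets = load_node_networks(NODE_LIST)
    print(render_nft(nets))
    print("\n".join(render_ipset(nets)))
```

Two caveats from experience with this approach. It is a treadmill: providers add nodes, and some front their first-mile hop with shared CDN or cloud addresses you cannot block without collateral damage, which is why the list is refreshed on a schedule rather than loaded once. And it only closes the IP-list hole; a default-deny egress policy on the guest network, with explicit allows for what the portal is supposed to permit, is what actually stops the next VPN you have not heard of yet.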