Why a tiny browser pops up when you connect your iPhone to a Guest network

>Apple has designed iOS so that whenever you connect an iPhone to a Wi-Fi network that uses a captive portal, the device brings it to your notice by popping up a small browser window (the Captive Network Assistant, CNA) in which you have to authenticate before you get on the internet.

>How does this work in the background?

155.726863 192.168.242.85 -> 192.168.242.15 DNS Standard query A captive.apple.com
155.901921 192.168.242.15 -> 192.168.242.85 DNS Standard query response CNAME captive.apple.com.edgekey.net CNAME e7279.dsce9.akamaiedge.net A 104.72.84.134
155.929087 192.168.242.85 -> 104.72.84.134 TCP 65431 > http [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1416 WS=5 TSV=760100837 TSER=0 SACK_PERM=1
155.930144 104.72.84.134 -> 192.168.242.85 TCP http > 65431 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSV=8650997 TSER=760100837 WS=0

>Once the device gets an IP address, the iPhone sends an HTTP request to captive.apple.com. If it gets the expected reply (Apple's small "Success" page), the device knows it has unrestricted internet access, either because the network is open or because the user has already authenticated.

>If the device cannot reach captive.apple.com, or the reply is intercepted and a different page or a redirect comes back instead, it concludes that there is a captive portal in the way and that further authentication is needed.

>In this sample capture the DNS answer is a public Akamai address and the device completes a TCP handshake with 104.72.84.134, so it can fetch the probe page directly: it knows it has internet access and the CNA is not required. Note that the SYN/ACK alone proves nothing; many portals accept the TCP connection and answer the HTTP request with a redirect to their login page, so the decision is made on the HTTP response, not on reachability.
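The probe described above, as an added example in Python (not Apple's code and not from the original post): it issues the same GET that iOS makes, refuses to follow redirects so that a 3xx is visible as the portal signal, and classifies the answer. The probe URL is the public captive.apple.com endpoint from the capture; the classification rules, the DNS heuristic and the sample responses are this example's own and are labelled as constructed in the code.

```python
"""Reproduce the captive-portal probe iOS makes and classify what comes back.

Added example, not Apple code. The probe URL is the public captive.apple.com
endpoint seen in the capture above; the classification rules are this
example's own, and the sample responses used to exercise them are constructed.
"""
import ipaddress
import urllib.error
import urllib.request

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"


def classify(status, body):
    """Decide what the HTTP answer to the probe means.

    status is the HTTP status code (None if no response arrived at all),
    body the response bytes. Apple's real probe page is a tiny HTML document
    whose title and body both read "Success"; anything else means something
    between us and captive.apple.com answered instead.
    """
    if status is None:
        return "no-connectivity"
    if 300 <= status < 400:
        return "captive"            # redirect to a portal login page
    if status == 200 and b"Success" in body:
        return "internet"
    return "captive"                # 200 with a portal page, 403, 511, ...


def dns_looks_hijacked(resolved_ip):
    """Portals often answer DNS with a private address so the probe lands on
    the portal itself; a public address (like the Akamai one in the capture)
    is what an unfiltered network returns."""
    return ipaddress.ip_address(resolved_ip).is_private


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 3xx *is* the signal we want to see.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url=PROBE_URL, timeout=5):
    """Perform the probe on the live network and return the classification."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx still carry a body
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return classify(None, b"")


if __name__ == "__main__":
    print(probe())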

Successful Wi-Fi 802.1X connection: client station log

>This is an EAP-PEAP (MSCHAPv2) exchange; you see 8 EAP IDs (1 to 8) and 8 RADIUS message IDs (0 to 7) in this successful exchange.

>You will also see the EAP codes between the supplicant <–> authenticator and the RADIUS message codes between the authenticator <–> authentication server: the controller relays each EAP request from RADIUS to the client and wraps each EAP response in a new Access-Request.
>After the RADIUS Access-Accept and the EAP success you get to see the 802.11i four-way handshake (M1 to M4), which derives the PTK from the PMK and delivers the GTK, the keys that protect unicast and broadcast data over the air.
>Once the layer 2 authentication is over, the client requests an IP address at layer 3 via DHCP.
>The Wi-Fi controller discovers the MAC address and the corresponding IP address and adds them to its BDB.

2016-Dec-23 11:16:15.382003 | 78:4f:43:29:a2:a8 | Station Assign | <AID=1>[bgn](v0) assigned to <AP=3> ESSID=smart_connect B-BSSID=00:0c:e6:02:40:83 Ch=6 reason=Station probed
2016-Dec-23 11:16:15.409153 | 78:4f:43:29:a2:a8 | 802.11 State | <AID=1>[bgn](v0) state change <old=Unauthenticated><new=Associated><AP[3]=00:0c:e6:35:70:10> ESSID=smart_connect Ch=6 B-<BSSID=00:0c:e6:02:40:83>
2016-Dec-23 11:16:15.409599 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
2016-Dec-23 11:16:15.409634 | 78:4f:43:29:a2:a8 | 802.11 State | <AID=1>[bgn](v0) state change <old=Unauthenticated> <new=Associated> <AP=3> ESSID=smart_connect Ch=6 B-<BSSID=00:0c:e6:02:40:83>
2016-Dec-23 11:16:15.412198 | 78:4f:43:29:a2:a8 | CP User Authentication | Received smm-clear from wncreg <User=test@foritnet.com> <Auth type= Radius User> <Captive Portal Profile= Smart_connect>
2016-Dec-23 11:16:15.556572 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
2016-Dec-23 11:16:15.556806 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=0> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.572894 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.636758 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=2>
2016-Dec-23 11:16:15.636763 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=1> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.667097 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=3> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.726747 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=3>
2016-Dec-23 11:16:15.726751 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=2> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.755076 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=4> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.806708 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=4>
2016-Dec-23 11:16:15.806712 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=3> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.856416 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=5> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.916656 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=5>
2016-Dec-23 11:16:15.916661 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=4> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.945510 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=6> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.996644 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=6>
2016-Dec-23 11:16:15.996648 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=5> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.010998 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=7> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.076481 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=7>
2016-Dec-23 11:16:16.076625 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=6> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.242356 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=8> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.296473 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=8>
2016-Dec-23 11:16:16.296629 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=7> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.298428 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius ACCESS-ACCEPT received : Session Timeout: 448981 sec, VLAN Tag : 0, Filter id : , CUI : None
2016-Dec-23 11:16:16.298587 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=success><EAP ID=8> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.299526 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M1 <msg type=EAPOL_KEY> PTK sent
2016-Dec-23 11:16:16.416797 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M2 <pkt type=EAPOL_KEY> MIC Verified
2016-Dec-23 11:16:16.417688 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M3 <msg type=EAPOL_KEY> WPA2 PTK Negotiation sent
2016-Dec-23 11:16:16.476605 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise
2016-Dec-23 11:16:17.920539 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=DISCOVER><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0>
2016-Dec-23 11:16:17.921364 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=OFFER><server_ip=192.168.242.1><server_mac=00:09:0f:09:ff:11><offered_ip=192.168.242.85>
2016-Dec-23 11:16:18.928163 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=REQUEST><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0>
2016-Dec-23 11:16:18.929344 | 78:4f:43:29:a2:a8 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dhcp><New IP=192.168.242.85>
2016-Dec-23 11:16:18.929517 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=ACK><server_ip=192.168.242.1><server_mac=00:09:0f:09:ff:11><offered_ip=192.168.242.85>
2016-Dec-23 11:16:20.221679 | 78:4f:43:29:a2:a8 | Station Assign | <AID=1>[bgn](v0) removed from <AP=3> ESSID=Guest B-BSSID=00:0c:e6:02:c3:55 Ch=6 reason=Inactivity timer expired
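To check the ordering described above mechanically, here is an added example in Python (not controller code and not from the original post) that parses these station log lines and reconstructs the session: EAP and RADIUS IDs, the Access-Accept, the EAP success, M1 to M4 and the learned IP, and flags anything out of order, for instance an EAP success relayed without an Access-Accept or an IP learned before the four-way handshake finished. The embedded log is a subset of the lines shown above; the parser and the checks are this example's own.

```python
"""Reconstruct an 802.1X/EAP session from wireless-controller station logs.

The log lines in SAMPLE_LOG are a subset of the controller output on this
page; the parser and the ordering checks are an added example, not
controller code.
"""
import re

SAMPLE_LOG = """\
2016-Dec-23 11:16:15.409599 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
2016-Dec-23 11:16:15.556572 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
2016-Dec-23 11:16:15.556806 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=0> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.572894 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.636758 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=2>
2016-Dec-23 11:16:15.636763 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=1> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.296473 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=8>
2016-Dec-23 11:16:16.296629 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=7> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.298428 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius ACCESS-ACCEPT received : Session Timeout: 448981 sec, VLAN Tag : 0, Filter id : , CUI : None
2016-Dec-23 11:16:16.298587 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=success><EAP ID=8> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.299526 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M1 <msg type=EAPOL_KEY> PTK sent
2016-Dec-23 11:16:16.416797 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M2 <pkt type=EAPOL_KEY> MIC Verified
2016-Dec-23 11:16:16.417688 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M3 <msg type=EAPOL_KEY> WPA2 PTK Negotiation sent
2016-Dec-23 11:16:16.476605 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise
2016-Dec-23 11:16:18.929344 | 78:4f:43:29:a2:a8 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dhcp><New IP=192.168.242.85>
"""

EAP_RE = re.compile(r"<EAP code=(\w+)>\s*<EAP ID=(\d+)>")
RADIUS_RE = re.compile(r"Radius <msg code=(\w+)><msg ID=(\d+)>")
EAPOL_RE = re.compile(r"\bM([1-4]) <(?:msg|pkt) type=EAPOL_KEY>")
IP_RE = re.compile(r"<New IP=([\d.]+)>")


def parse_line(line):
    """Split one controller log line into (timestamp, mac, category, detail)."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    return tuple(parts) if len(parts) == 4 else None


def summarize_session(log_text, mac):
    """Walk the log for one station and check the 802.1X -> 4-way -> DHCP order."""
    s = {"eap_ids": set(), "radius_ids": set(), "access_accept": False,
         "eap_success": False, "eapol_msgs": [], "ip": None, "anomalies": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] != mac:
            continue
        detail = rec[3]
        m = EAP_RE.search(detail)
        if m:
            s["eap_ids"].add(int(m.group(2)))
            if m.group(1) == "success":
                s["eap_success"] = True
                if not s["access_accept"]:
                    s["anomalies"].append("EAP-Success relayed before RADIUS Access-Accept")
        m = RADIUS_RE.search(detail)
        if m:
            s["radius_ids"].add(int(m.group(2)))
        if "ACCESS-ACCEPT" in detail:
            s["access_accept"] = True
        m = EAPOL_RE.search(detail)
        if m:
            if not s["eap_success"]:
                s["anomalies"].append("4-way handshake M%s before EAP-Success" % m.group(1))
            s["eapol_msgs"].append(int(m.group(1)))
        m = IP_RE.search(detail)
        if m:
            if s["eapol_msgs"] != [1, 2, 3, 4]:
                s["anomalies"].append("IP learned before the 4-way handshake completed")
            s["ip"] = m.group(1)
    if s["eapol_msgs"] != [1, 2, 3, 4]:
        s["anomalies"].append("4-way handshake incomplete: saw %s" % s["eapol_msgs"])
    s["ok"] = (s["access_accept"] and s["eap_success"]
               and s["eapol_msgs"] == [1, 2, 3, 4] and s["ip"] is not None)
    return s


if __name__ == "__main__":
    print(summarize_session(SAMPLE_LOG, "78:4f:43:29:a2:a8"))
```

Feed it the full log for a station that fails to get on the network and the anomalies list points at the stage that broke: no Access-Accept means a RADIUS/credential problem, an M2 that never arrives means the client derived a different PTK, and a missing "IP Address Discovered" after a clean handshake points at DHCP.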

Configuring your FortiGate for stronger ciphers and SSL/TLS protocol versions

From FortiOS 5.4 onwards you can restrict which cipher suites the SSL VPN accepts (banned-cipher) and which SSL/TLS versions it negotiates.

FG08XXXXXXXXXX # config vpn ssl settings
FG080XXXXXXXXX (settings) #
FG080XXXXXXXXX (settings) # set banned-cipher
RSA         Ban the use of cipher suites using RSA key.
DH          Ban the use of cipher suites using DH.
DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH        Ban the use of cipher suites using ECDH key exchange.
ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS         Ban the use of cipher suites using DSS authentication.
ECDSA       Ban the use of cipher suites using ECDSA authentication.
AES         Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES        Ban the use of cipher suites using triple DES
SHA1        Ban the use of cipher suites using SHA1.
SHA256      Ban the use of cipher suites using SHA256.
SHA384      Ban the use of cipher suites using SHA384.

# To set the SSL/TLS protocol versions for the admin GUI and the SSL VPN

>>Allow only TLS 1.2 for the admin GUI:
       # config system global
       # set admin-https-ssl-versions tlsv1-2
       # end
>>Disable everything except TLS 1.2 for the SSL VPN and set the algorithm to high:
       # config vpn ssl settings
       # set tlsv1-0 disable
       # set tlsv1-1 disable
       # set sslv3 disable
       # set algorithm high
       # end
>>What the HIGH/MEDIUM/LOW algorithm setting means:
Medium, the default, still allows RC4 (128-bit) and was long treated as acceptable, but RC4 has well-known keystream biases and RFC 7465 prohibits it in TLS, so use High, which limits the SSL VPN to AES (128/256-bit) and 3DES (3DES is itself exposed to Sweet32 and is best removed with banned-cipher 3DES where your clients allow it). Low allows RC4 (64-bit), DES and higher and does not meet PCI DSS requirements.
>>Configure the system to use strong crypto:
   # config system global
       # set strong-crypto enable
       # end
Note: enabling strong-crypto disables SSLv3 and TLSv1.0 and restricts the FortiGate's own HTTPS/SSH/TLS services to strong ciphers, so only TLSv1.1 and TLSv1.2 remain.
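The configuration above is only as good as what the gateway actually negotiates, so here is an added example in Python (not Fortinet code and not from the original post) that checks it from the outside: it translates a FortiOS banned-cipher list and minimum TLS version into an OpenSSL client context, lists the suites that context would offer, and connects to report what the gateway picks (or that the handshake was refused, which is what you want to see when you deliberately offer only a banned family). The keyword-to-alias mapping is this example's own reading of the CLI help text above; "RSA" is taken to mean RSA key exchange (kRSA, the suites without forward secrecy), and the host and port in the main block are placeholders.

```python
"""Client-side check of a FortiGate SSL VPN hardening: build an OpenSSL
context that offers only what the banned-cipher list and minimum TLS
version leave, then connect to see what the gateway negotiates.

Added example, not Fortinet code. The mapping from FortiOS banned-cipher
keywords to OpenSSL cipher-string aliases is this example's own reading of
the CLI help text on this page ("RSA" is read as RSA key exchange, kRSA).
The host and port in main are placeholders.
"""
import socket
import ssl

# FortiOS `set banned-cipher` keyword -> OpenSSL alias to exclude ("!alias").
# kDH/kECDH (static DH/ECDH) were removed from OpenSSL 1.1.0, so those two
# bans match nothing on a modern client but are kept for completeness.
FORTIOS_TO_OPENSSL = {
    "RSA": "kRSA", "DH": "kDH", "DHE": "kDHE", "ECDH": "kECDH",
    "ECDHE": "kECDHE", "DSS": "aDSS", "ECDSA": "aECDSA", "AES": "AES",
    "AESGCM": "AESGCM", "CAMELLIA": "CAMELLIA", "3DES": "3DES",
    "SHA1": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384",
}

# FortiOS tlsv1-x keywords -> lowest protocol version the client will offer
FORTIOS_MIN_VERSION = {
    "tlsv1-0": ssl.TLSVersion.TLSv1, "tlsv1-1": ssl.TLSVersion.TLSv1_1,
    "tlsv1-2": ssl.TLSVersion.TLSv1_2, "tlsv1-3": ssl.TLSVersion.TLSv1_3,
}


def cipher_string(banned):
    """Translate a FortiOS banned-cipher list into an OpenSSL cipher string."""
    parts = ["ALL", "!aNULL", "!eNULL"]
    for keyword in banned:
        if keyword not in FORTIOS_TO_OPENSSL:
            raise ValueError("not a FortiOS banned-cipher keyword: %s" % keyword)
        parts.append("!" + FORTIOS_TO_OPENSSL[keyword])
    return ":".join(parts)


def build_client_context(banned, min_version="tlsv1-2", verify=True):
    """Context that mirrors the gateway policy we expect to be enforced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = FORTIOS_MIN_VERSION[min_version]
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites are fixed.
    ctx.set_ciphers(cipher_string(banned))
    if verify:
        ctx.load_default_certs()
    else:
        # Only for enumerating protocol/cipher behaviour against a lab box
        # with a self-signed certificate; never for real VPN traffic.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def offered_suites(ctx):
    """Names of the pre-TLS-1.3 suites the context would offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(host, port, ctx):
    """Connect and report (protocol, cipher) the gateway picked, or the
    handshake error, which is what you want to see for a banned family."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLError as err:
        return "handshake failed", err.reason


if __name__ == "__main__":
    policy = build_client_context(["RSA", "3DES", "SHA1"], "tlsv1-2")
    print(len(offered_suites(policy)), "suites offered, e.g.", offered_suites(policy)[:3])
    # Placeholder host/port; use verify=False above only against a lab gateway.
    print(negotiate("vpn.example.com", 10443, policy))
```

To prove a ban from the outside, build the complementary context (for example a context whose cipher string is just "kRSA", or one with minimum and maximum version both TLSv1) and expect negotiate() to return a handshake failure; if the gateway still completes the handshake, the setting did not take effect.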

WIRELESS PACKET CAPTURE ANALYSIS FILTERS

==>Display a particular client's traffic by matching the last two octets of SA/DA/RA/TA (Wireshark display filter):

((wlan.sa[4-5]==XX:XX || wlan.da[4-5]==XX:XX || wlan.ra[4-5]==XX:XX || wlan.ta[4-5]==XX:XX))

Example:
((wlan.sa[4-5]==e9:d4 || wlan.da[4-5]==e9:d4 || wlan.ra[4-5]==e9:d4 || wlan.ta[4-5]==e9:d4))

==>Here's a Wireshark display filter to show the beacons of a specific BSSID:

wlan.fc.type_subtype == 0x0008 && wlan.bssid == xx:xx:xx:xx:xx:xx

Example:
wlan.fc.type_subtype == 0x0008 && wlan.bssid == 06:02:02:0d:49:96

==>Show the retries of a station (retry bit set; the last two octets of SA or TA identify the station). Parenthesise the OR: `and` binds tighter than `or` in Wireshark, so without the parentheses the second term matches every frame from that TA, retried or not:

wlan.fc.retry == 1 && (wlan.sa[4-5] == xx:xx || wlan.ta[4-5] == xx:xx)
wlan.fc.retry == 0 && (wlan.sa[4-5] == xx:xx || wlan.ta[4-5] == xx:xx)

Example:
wlan.fc.retry == 1 && (wlan.ta[4-5] == 0d:c3 || wlan.sa[4-5] == 0d:c3)
wlan.fc.retry == 1 && wlan.ta == 06:02:02:0d:49:96
# For Wi-Fi throughput test analysis: CTS frames (type_subtype 0x1c) whose Duration field reserves the medium (NAV) for more than 2000 microseconds:

wlan.fc.type_subtype == 0x001c && wlan.duration > 2000

# Other handy Wi-Fi packet filters (Wireshark display filters):

* Show only the beacon frames:
wlan.fc.type_subtype == 0x08
* Show everything except the beacon frames:
!wlan.fc.type_subtype == 0x08
* Show only beacon frames and ack frames:
(wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d)
* Show everything except the beacon and ack frames
(!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)
# Capture filters (tcpdump/libpcap syntax; wlan[0] is the first Frame Control byte, which encodes version, type and subtype):
* Capture only EAPOL (Ethernet type 0x888e): ether proto 0x888e
* Probe Requests: wlan[0] == 0x40
* No Probe Requests: wlan[0] != 0x40
* Probe Response: wlan[0] == 0x50
* No Probe Response: wlan[0] != 0x50
* Ack: wlan[0] == 0xd4
* No Ack: wlan[0] != 0xd4
* CF-End: wlan[0] == 0xe4
* No CF-End: wlan[0] != 0xe4
* Clear-to-send: wlan[0] == 0xc4
* No Clear-to-send: wlan[0] != 0xc4
* Beacon Frames, Probe Response/Request, Ack: wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4
* No Beacon Frames, no Probe Response/Request, no Ack: wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4
* Beacon Frames, Probe Resp/Req, Ack, CF-End, Clear-to-send: wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4 or wlan[0] == 0xe4 or wlan[0] == 0xc4
* None of Beacon Frames, Probe Resp/Req, Ack, CF-End, Clear-to-send: wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4 and wlan[0] != 0xe4 and wlan[0] != 0xc4
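The two filter notations above describe the same Frame Control field in different encodings: the capture filters compare the raw first byte (subtype in the high nibble, type in bits 2-3, version in bits 0-1), while Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, which is why an ACK is 0xd4 in one and 0x1d in the other. The following added example in Python (not Wireshark or libpcap code and not from the original post) decodes the field both ways, parses a minimal MAC header, and applies the retry and long-CTS filters from this section to a few constructed frames; the frames are built by hand for this example and reuse the MAC addresses from the station log above.

```python
"""Decode the 802.11 Frame Control field the way the capture filters
(tcpdump: wlan[0] == 0x..) and display filters (Wireshark:
wlan.fc.type_subtype == 0x..) on this page do, and run a few of those
filters over constructed frames.

Added example, not Wireshark or libpcap code. The frames in SAMPLES are
built by hand for this example; the MAC addresses are reused from the
station log on this page.
"""
import struct

# (type, subtype) -> name, for the frame kinds the filters above mention.
NAMES = {
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (1, 12): "CTS", (1, 13): "ACK", (1, 14): "CF-End", (2, 0): "Data",
}


def fc_byte(ftype, subtype, version=0):
    """First Frame Control byte (bits 0-1 version, 2-3 type, 4-7 subtype).
    This is what a `wlan[0] == 0x..` capture filter compares against."""
    return (subtype << 4) | (ftype << 2) | version


def type_subtype(fc0):
    """Wireshark's wlan.fc.type_subtype value: (type << 4) | subtype."""
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return (ftype << 4) | subtype


def filter_equivalents(ftype, subtype):
    """The same frame kind written in both filter syntaxes."""
    fc0 = fc_byte(ftype, subtype)
    return ("wlan[0] == 0x%02x" % fc0,
            "wlan.fc.type_subtype == 0x%02x" % type_subtype(fc0))


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_header(frame):
    """Minimal MAC header parse: frame control, duration, addr1 (RA/DA) and,
    where the frame has one, addr2 (TA/SA). ACK and CTS are 10-byte frames
    carrying only a receiver address."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return {
        "type_subtype": type_subtype(fc0),
        "name": NAMES.get((ftype, subtype), "other"),
        "retry": bool(fc1 & 0x08),        # wlan.fc.retry
        "duration": duration,             # wlan.duration (microseconds)
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]) if len(frame) >= 16 else None,
    }


def suffix_matches(addr, suffix):
    """wlan.xx[4-5] == aa:bb : compare only the last two octets."""
    return addr is not None and addr[-5:] == suffix


def retries_from(frames, suffix):
    """wlan.fc.retry == 1 && (wlan.sa[4-5] == x || wlan.ta[4-5] == x)
    (for the frames built here addr2 serves as both SA and TA)."""
    hits = []
    for name, frame in frames.items():
        h = parse_header(frame)
        if h["retry"] and suffix_matches(h["addr2"], suffix):
            hits.append(name)
    return hits


def long_cts(frames, threshold_us=2000):
    """wlan.fc.type_subtype == 0x1c && wlan.duration > 2000"""
    hits = []
    for name, frame in frames.items():
        h = parse_header(frame)
        if h["type_subtype"] == 0x1C and h["duration"] > threshold_us:
            hits.append(name)
    return hits


def build_frame(ftype, subtype, addr1, addr2=None, addr3=None,
                retry=False, duration=0):
    """Constructed frame: FC, Duration, addr1 [, addr2, addr3, SeqCtl]."""
    fc1 = 0x08 if retry else 0x00
    frame = struct.pack("<BBH", fc_byte(ftype, subtype), fc1, duration)
    frame += bytes.fromhex(addr1.replace(":", ""))
    if addr2 is not None:
        frame += bytes.fromhex(addr2.replace(":", ""))
        frame += bytes.fromhex((addr3 or addr1).replace(":", ""))
        frame += struct.pack("<H", 0)     # sequence control
    return frame


STA, AP = "78:4f:43:29:a2:a8", "00:0c:e6:02:40:83"
SAMPLES = {                               # constructed for this example
    "beacon": build_frame(0, 8, "ff:ff:ff:ff:ff:ff", AP, AP),
    "ack": build_frame(1, 13, STA),
    "cts": build_frame(1, 12, STA, duration=3000),
    "retry_data": build_frame(2, 0, AP, STA, AP, retry=True),
}
```

A handy use is to print filter_equivalents() for whatever frame kind you are chasing so the capture filter you hand to tcpdump on the sniffer AP and the display filter you type into Wireshark afterwards agree on the same bytes.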