It is not as simple as it seems. Once the impostor has sniffed the authenticator, before using it he or she must wait for the legitimate client to abandon the network. The IP and MAC addresses would then be changed and made correspond with those of the client who abandoned the network and lastly send the authenticator to the gateway, while waiting for the latter to enable the connection. In fact, the impostor would wait in vain for two reasons: the authenticator has a limited duration over time and most certainly, on use by an impostor, will have already expired; the captive gateway can remember previously used authenticators to enable a connection and won't allow access to a replica.
Because this window, other than allowing forced disconnection by the user, guarantees the continuous renewal of the authenticator before it expires. If this window is closed the gateway, which no longer sees any requests for renewal, will decide to close the client connection.
It is probably already evident that until a gateway renews an authenticator, the latter must be still valid. The renewal therefore prolongs the life of an authenticator which has yet to expire.
In Routed Mode the captive gateway must work as an IP router and is configured as the default gateway on each client associated with the wireless network. For this reason, the IP subnet for the WiFi LAN part is different from the subnet on the rest of the network.
Instead, in Bridged Mode the gateway is a layer 2 bridge that joins the protected LAN segment with the rest of the network. The most obvious advantages of this method is that clients can have the same IP addresses independent of whether they are located on WI-FI or on the wired LAN. It is also obvious that not only IP protocol can transit from one part to another, but also any other protocol encapsulated in the Ethernet frames. In particular, if you consider that in bridged mode the level 2 broadcast is also forwarded, on the Wi-Fi network there is no need to activate a dhcp server to attribute the addresses, however you may avail of the server present on the rest of the LAN.
4. I have a Wi-Fi network and would like to protect it from unauthorized access. It is better to use a RADIUS server that allows me to have 802.1x authentication and protection with WPA or WPA2 or use a Captive Portal that authenticates access via web login?
Both methods have benefits and faults. Using RADIUS with 802.11i you will be more secure due to the fact that other than access authentication, which occurs when the client associates to an access point, the data link layer of wireless communication is encrypted with encryption keys which are changed at regular intervals. On the other hand, a Captive Portal gateway simply authorises access when the client already has an IP address. In this case, if the data must also be encrypted we must avail of other expedients, for example VPNs. The captive portal has the undisputable advantage that it does not require any client side configuration and can work with any Wi-Fi hardware. In reality, given it works at IP level, the Captive Portal can protect access even on a cabled network. Instead, the system with a RADIUS server, other than being more complicated to configure for the user, requires hardware (access point and wireless network card) support and operating system support. To conclude, we can say that the Captive Portal is better adapted in HotSpots in which the only objective is to protect against indiscriminate Internet access. WPA and WPA2 with a RADIUS server better adapt to situations where it is indispensable to guarantee both data confidentiality and user authentication.
We can do this by using Linux shell.