
Re: [Captive-portals] Alternative authentication mechanism to meet captive portal needs?



I really think we need to focus on upgrading the security of the user
during authentication. Security was echoed by many participants in Prague.
The two main issues are an unsecured physical link and the authorization
by MAC address.  I think Hotspot 2.0 and Passpoint can help solve both of
these issues. I think the role of a captive portal should be to shepherd
the user into upgrading their security during authentication.

I have just rolled out our mobile provisioning configuration via the
captive portal and it was a headache between both iOS and Android.  It
would be nice if we can come up with a standard on provisioning these
mobile configs during authentication.  The limited iOS captive portal mode
is a bit clunky during the process but it still works.  The recent version
of the captive portal browser in Android just made it difficult to install
provisioning configurations.


-- 
Alexander Roscoe
Comcast - Wireless Engineer
Phone - 215.286.7283
Cell - 215.609.2691





On 10/9/15, 10:58 AM, "[email protected]"
<[email protected]> wrote:

>Hello,
>
>being a huge EAP-based roaming consortium, eduroam is facing those
>same ToU/branding questions.
>
>We settled for an out-of-EAP approach to show logo and ToU during the
>provisioning phase.
>
>Take a look at  
>https://datatracker.ietf.org/doc/draft-winter-opsawg-eap-metadata/
>
>This is a config file for EAP-based networks. It includes schema
>elements / yang nodes to embed ToU, Logo, helpdesk contact details,
>operator friendly name etc.
>
>An installer program that gets fed with such a config file can display
>the logo, ToU and similar before actually pushing the EAP type
>settings to the device; and from then on just be a normal 802.11i
>network.
>
>There is already an Android app and a Linux installation script that
>consumes the file format; we are also currently working on a Windows
>version.
>
>Apple's mobileconfig files also have a way to embed Terms of Use - but
>no logo.
>
>The only remaining problem then is that the config needs to get to the
>device in the first place - which means in most cases that you need a
>captive portal which only allows to download the config for the "real"
>network.
>
>Hotspot 2.0 was designed with that use case in mind, but for wired
>networks, you are a bit more on your own.
>
>Greetings,
>
>Stefan Winter
>
>Quoting David Illsley <[email protected]>:
>
>> Hi all,
>> Apologies if this is a silly question (and if I missed it in the
>> archives).
>> Has anyone (anywhere) considered if there's a new (EAP?) authentication
>> mechanism that would meet at least some of the needs of deployers of
>> captive portals? eg allow users to agree to an acceptable use policy,
>> see a logo, and enter their email address?
>>
>> I know it's potentially a bigger change than some of the others
>> suggested, but if these requirements aren't going anywhere, it might
>> be worth the long-term investment.
>>
>> David
>