On 13/06/13 23:15, bad apple wrote:
>
> Is the "radius stuff" you mention WISPr by any chance?
>
> http://en.wikipedia.org/wiki/WISPr

No, UAM is essentially a method of doing what is done now for these things. I was thinking of stuff done for modems, which is the other way around - authenticate then allow DHCP.

We used to do UAM, authenticate users with Radius from wireless clients, as a wireless ISP. Someone else did the FreeRadius install, but it still required use of a browser for every reboot of the wireless client device.

> Think you're mostly right about the DHCP 'solution' probably being the
> way forward, but although I see mention of security measures like replay
> attack prevention in RFC3118 I'm still really struggling to think how
> authentication is going to work securely (properly, that is: I can see a
> hell of a lot of ways to royally screw it up). Even distributing certs
> in advance, as they're obviously going to have to do, is going to
> ultimately fall to the same issues which make vendor included SSL certs
> vulnerable/untrustworthy.

RFC3118 tries to solve a different problem.

I suspect HotSpot operators can be more relaxed about such things, not least because currently they usually rely on a username and password in a form (often served with or after an SSL error). Also re-authentication is a pain. As such anything is likely to be better than the status quo from their perspective.

They are also largely not guarding the corporate network, but protecting against the loss of a few minutes of Internet access, so the actual loss (rather than the opportunity cost) is probably approximately £0.00 to a first approximation. Although obviously if abuse was widespread it might be an issue.

A DHCP solution probably needs a flexible way of specifying the method, so that we can evolve it later, or even provide fall back when better methods arrive, so that clients with older software can use the old methods for a bit...

Also you don't necessarily have to distribute certs; UAM stuff typically uses a centralized (hopefully redundant) RADIUS server for a lot of access points. Similarly, an SSL welcome form could be hosted somewhere other than the router, and the message goes back to the router (which has to be trusted by the Hotspot provider, otherwise it is game over for the vendor anyway).

The problem with UAM is that the client needs to know it is in effect when it brings up the network, which typically means receiving DHCP. Poking out to find a given web page seems the wrong method.

You could probably use the existing infrastructure for UAM or other services once the client knows it is in a captive portal, and it can open an HTTPS connection to the right page, and if needed POST the credentials it has been told it can share, immediately rather than waiting for the user to use a browser (which happens less and less as we get mobile apps which do a lot of what we've used browsers for on desktops).

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
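The replay-attack prevention in RFC 3118 that the quoted message mentions, and the reply's point that the RFC "tries to solve a different problem", can be made concrete. The Python below is an added illustration written for this archive page; it is not code from the thread, from any DHCP implementation, or from the RFC. It models RFC 3118 delayed authentication (option 90, HMAC-MD5, monotonic counter replay detection): a client signs a DHCPDISCOVER with a pre-shared secret and a server verifies it, rejecting a verbatim replay and a tampered copy while still accepting a copy a relay agent has modified. The secret table, secret ID, client hardware address, transaction IDs and counters are constructed values, and the field coverage of the HMAC (hops, giaddr and the MAC field zeroed, everything else covered) follows section 5 of the RFC as this example reads it.

```python
import hmac
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# DHCP authentication option (RFC 3118) constants.
OPT_AUTH = 90
PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC = 1, 1, 0   # delayed auth, HMAC-MD5, counter RDM
MAC_LEN = 16
AUTH_BODY_LEN = 3 + 8 + 4 + MAC_LEN      # proto/alg/RDM, replay counter, secret ID, MAC
MAC_REL_OFF = 2 + 3 + 8 + 4              # MAC field offset from the option's code byte
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTIONS_START = 236 + len(MAGIC_COOKIE)

# Constructed secret table (secret ID -> shared key); hypothetical, not from the thread.
SECRETS = {1: b"constructed-demo-secret"}


def build_dhcp_message(xid: int, chaddr: bytes, options: bytes) -> bytes:
    """Minimal BOOTREQUEST: 236-byte fixed header, magic cookie, options, end option."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options + b"\xff"


def find_option(message: bytes, code: int) -> Optional[int]:
    """Walk the TLV option area; return the offset of option `code`, or None."""
    i = OPTIONS_START
    while i + 1 < len(message):
        c = message[i]
        if c == 0xFF:
            return None
        if c == 0:                       # pad option: single byte, no length
            i += 1
            continue
        if c == code:
            return i
        i += 2 + message[i + 1]
    return None


def _mac_input(message: bytes, auth_off: int) -> bytes:
    """Message as the MAC covers it (RFC 3118 s5): hops, giaddr and the MAC field zeroed,
    so relay agents can fill those in; everything else, including the counter, is covered."""
    buf = bytearray(message)
    buf[3] = 0                           # hops
    buf[24:28] = b"\0" * 4               # giaddr
    off = auth_off + MAC_REL_OFF
    buf[off:off + MAC_LEN] = b"\0" * MAC_LEN
    return bytes(buf)


def sign_message(options: bytes, xid: int, chaddr: bytes, counter: int, secret_id: int) -> bytes:
    """Append a delayed-authentication option, build the message, fill in the HMAC-MD5."""
    auth = struct.pack("!BBBBBQI", OPT_AUTH, AUTH_BODY_LEN, PROTO_DELAYED, ALG_HMAC_MD5,
                       RDM_MONOTONIC, counter, secret_id) + b"\0" * MAC_LEN
    msg = build_dhcp_message(xid, chaddr, options + auth)
    auth_off = find_option(msg, OPT_AUTH)
    mac = hmac.new(SECRETS[secret_id], _mac_input(msg, auth_off), hashlib.md5).digest()
    off = auth_off + MAC_REL_OFF
    return msg[:off] + mac + msg[off + MAC_LEN:]


def verify(msg: bytes, state: Dict[bytes, int]) -> Tuple[bool, str]:
    """Server-side check. `state` maps chaddr -> highest counter accepted so far.
    The MAC is checked before the counter is stored, so a forged message cannot
    advance a client's counter and lock out its genuine messages."""
    auth_off = find_option(msg, OPT_AUTH)
    if auth_off is None:
        return False, "no authentication option"
    proto, alg, rdm, counter, secret_id = struct.unpack_from("!BBBQI", msg, auth_off + 2)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC):
        return False, "unsupported authentication parameters"
    key = SECRETS.get(secret_id)
    if key is None:
        return False, "unknown secret ID"
    off = auth_off + MAC_REL_OFF
    expected = hmac.new(key, _mac_input(msg, auth_off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[off:off + MAC_LEN]):
        return False, "bad MAC"
    chaddr = msg[28:44]
    if counter <= state.get(chaddr, -1):
        return False, "replayed counter"
    state[chaddr] = counter
    return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Constructed run: accept, verbatim replay, relayed copy (giaddr/hops set), tampered copy."""
    state: Dict[bytes, int] = {}
    chaddr = b"\x00\x11\x22\x33\x44\x55"        # constructed client hardware address
    discover = b"\x35\x01\x01"                  # option 53 = DHCPDISCOVER
    m1 = sign_message(discover, 0x1234, chaddr, counter=1, secret_id=1)
    results = [verify(m1, state), verify(m1, state)]
    relayed = bytearray(sign_message(discover, 0x1235, chaddr, counter=2, secret_id=1))
    relayed[3], relayed[24:28] = 1, b"\xc0\xa8\x01\x01"   # what a relay agent changes
    results.append(verify(bytes(relayed), state))
    tampered = bytearray(sign_message(discover, 0x1236, chaddr, counter=3, secret_id=1))
    tampered[OPTIONS_START + 2] ^= 1            # flip the message-type value byte
    results.append(verify(bytes(tampered), state))
    return results
```

Running `demo()` gives accept, "replayed counter", accept, "bad MAC" in that order. What the example makes visible is the scope of the mechanism: it authenticates the DHCP exchange between a client and a server that already share a secret, and a hotspot has no such secret with a walk-up device before the first exchange, which is the sense in which RFC 3118 addresses a different problem from signalling a captive portal or authenticating the user.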