Re: [Captive-portals] Questions about PvD/API

Lorenzo Colitti <lorenzo@google.com> Wed, 16 August 2017 08:40 UTC

In-Reply-To: <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 16 Aug 2017 17:40:27 +0900
Message-ID: <CAKD1Yr0ZXuyWScBx-rOsYgpuNKxi44PZAw8h8Hv5NKbWrhk0Bg@mail.gmail.com>
To: Erik Kline <ek@google.com>
Cc: David Bird <dbird@google.com>, Tommy Pauly <tpauly@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, captive-portals@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/DiHzgv9Zb55RYi5yKAlk-AFTauw>
Subject: Re: [Captive-portals] Questions about PvD/API

Per my understanding, the part of the system that returns the PVD
information needs to be in sync with the network elements that are
responsible for dropping unauthenticated users' packets and redirecting
plaintext HTTP requests to the portal login page. If the two are not in
sync then it is a configuration error.

To the untrained eye, this does not seem different from saying that the
part of the system that handles billing and authentication needs to be in
sync with the network elements. For example, it would be bad if the user
paid for service and then couldn't use the network.

On Wed, Aug 16, 2017 at 9:19 AM, Erik Kline <ek@google.com> wrote:

> Randomly selecting Tommy and Eric so this bubbles up in their inbox.
>
> On 2 August 2017 at 10:36, David Bird <dbird@google.com> wrote:
> > Could an author of PvD help me understand the following questions for each
> > of the diagrams below I found on the Internet -- which represent some
> > typical hotspot configurations out there...
> >
> > - Where would the API reside?
> >
> > - Who 'owns' the API?
> >
> > - How does the API keep in-sync with the NAS? Who's responsible for that
> > (possibly multi-vendor, multi-AAA) integration?
> >
> > 1) Typical Hotspot service company outsourcing:
> > http://cloudessa.com/wp-content/uploads/2013/08/shema-CaptivePortalSolution_beta2b.png
> >
> > 2) Same as above, except venue owns portal:
> > http://cloudessa.com/wp-content/uploads/2013/07/solutions_hotspots-co-working-cloudessa_2p1.png
> >
> > 3) Now consider the above, but the venue has more roaming partners and
> > multi-realm RADIUS setup in their Cisco NAS:
> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html
> > describes many options -- including separate MAC authentication sources,
> > optional portals for 802.1x (RADIUS) authenticated users, and so much
> > more...
> >
> > "Cisco ISE supports internal and external identity sources. Both sources can
> > be used as an authentication source for sponsor-user and guest-user
> > authentication."
> >
> > Also note this interesting article: the section Information About Captive
> > Bypassing and how it describes how to avoid Apple captive portal
> > detection!!! "If no response is received, then the Internet access is
> > assumed to be blocked by the captive portal and Apple's Captive Network
> > Assistant (CNA) auto-launches the pseudo-browser to request portal login in
> > a controlled window. The CNA may break when redirecting to an ISE captive
> > portal. The controller prevents this pseudo-browser from popping up."
> >
> >
> >
> > _______________________________________________
> > Captive-portals mailing list
> > Captive-portals@ietf.org
> > https://www.ietf.org/mailman/listinfo/captive-portals
> >
>
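As an added illustration of the sync requirement Lorenzo describes (this is example code written for this archive page, not code from the thread, the IETF, Apple, Cisco or any hotspot vendor): a toy model of an enforcement point (the NAS that drops and redirects unauthenticated clients) next to the service that answers the captive-portal API query, plus a check that reports every client for whom the two disagree, which is exactly the "configuration error" case. The class names, the portal URL, the cache and the client addresses are assumptions; the JSON keys follow the ones later standardized in RFC 8908, which postdates this thread.

```python
"""
Toy model: NAS enforcement state vs. the captive-portal API answer.
Constructed for this page; names and data are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORTAL_URL = "https://portal.example/login"   # assumed portal URL


@dataclass
class NasSession:
    mac: str
    authorized: bool
    expires_at: float   # epoch seconds; after this the NAS enforces again


class Nas:
    """Enforcement point: drops unauthenticated clients' packets and
    redirects their plaintext HTTP to the portal. Keyed by client IP,
    which is the same key the API must use for its answer."""

    def __init__(self) -> None:
        self.sessions: Dict[str, NasSession] = {}

    def admit(self, ip: str, mac: str, lifetime: float, now: float) -> None:
        self.sessions[ip] = NasSession(mac, True, now + lifetime)

    def enforcing(self, ip: str, now: float) -> bool:
        """True if this client's traffic would be dropped/redirected now."""
        s = self.sessions.get(ip)
        return s is None or not s.authorized or now >= s.expires_at


class CaptiveApi:
    """Answers the API query. With cache_ttl set it answers from a snapshot
    of NAS state up to cache_ttl seconds old; that loose coupling is what
    lets the API and the NAS drift apart."""

    def __init__(self, nas: Nas, cache_ttl: Optional[float] = None) -> None:
        self.nas = nas
        self.cache_ttl = cache_ttl
        # ip -> (captive, seconds_remaining, snapshot_time)
        self._cache: Dict[str, Tuple[bool, int, float]] = {}

    def _lookup(self, ip: str, now: float) -> Tuple[bool, int]:
        captive = self.nas.enforcing(ip, now)
        s = self.nas.sessions.get(ip)
        left = 0 if captive or s is None else int(s.expires_at - now)
        return captive, left

    def handle(self, client_ip: str, now: float) -> dict:
        """One API request. The client is identified by the source IP of
        the request, never by a client-supplied field, so the answer refers
        to the same entity the NAS enforces on."""
        cached = self._cache.get(client_ip)
        if self.cache_ttl is not None and cached and now - cached[2] < self.cache_ttl:
            captive, left = cached[0], cached[1]
        else:
            captive, left = self._lookup(client_ip, now)
            self._cache[client_ip] = (captive, left, now)
        # Key names as in RFC 8908; the exact shape is an assumption here.
        return {"captive": captive, "user-portal-url": PORTAL_URL,
                "seconds-remaining": left}


def find_drift(api: CaptiveApi, nas: Nas, client_ips: List[str], now: float) -> List[str]:
    """Configuration check: clients for whom the API's answer disagrees
    with what the NAS is actually doing to their packets."""
    return [ip for ip in client_ips
            if api.handle(ip, now)["captive"] != nas.enforcing(ip, now)]


def demo() -> dict:
    nas = Nas()
    t0 = 1_000.0
    nas.admit("10.0.0.7", "aa:bb:cc:00:00:07", lifetime=60, now=t0)

    live = CaptiveApi(nas)                   # consults NAS state on every query
    stale = CaptiveApi(nas, cache_ttl=300)   # answers from a 5-minute-old snapshot
    stale.handle("10.0.0.7", t0)             # snapshot taken while still authorized

    t1 = t0 + 120                            # session expired 60 s ago
    clients = ["10.0.0.7", "10.0.0.9"]       # second client never authenticated
    return {
        "live_drift": find_drift(live, nas, clients, t1),
        "stale_drift": find_drift(stale, nas, clients, t1),
        "stale_answer": stale.handle("10.0.0.7", t1)["captive"],
        "nas_enforcing": nas.enforcing("10.0.0.7", t1),
    }


if __name__ == "__main__":
    print(demo())
```

The API that reads the NAS directly never drifts; the one answering from a cached snapshot tells the expired client it is not captive while the NAS is already dropping its packets, which is the state the second paragraph above calls a configuration error. In a real deployment the same check runs against the NAS's session table (for example via RADIUS accounting) rather than an in-process object.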