IETF Logo Mail Archive

Re: [Captive-portals] Alternative authentication mechanism to meet captive portal needs?

stefan.winter@restena.lu Fri, 09 October 2015 14:58 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856441B42CD for <captive-portals@ietfa.amsl.com>; Fri, 9 Oct 2015 07:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level:
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbmNcjO893nd for <captive-portals@ietfa.amsl.com>; Fri, 9 Oct 2015 07:58:21 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 612151B42CA for <captive-portals@ietf.org>; Fri, 9 Oct 2015 07:58:21 -0700 (PDT)
Received: from staffmail (horde-int.restena.lu [IPv6:2001:a18:1:6::237]) by smtprelay.restena.lu (Postfix) with ESMTPS id B7E1043AA0; Fri, 9 Oct 2015 16:58:19 +0200 (CEST)
Received: from 195.138.201.60 ([195.138.201.60]) by staffmail.restena.lu (Horde Framework) with HTTP; Fri, 09 Oct 2015 16:58:19 +0200
Date: Fri, 09 Oct 2015 16:58:19 +0200
Message-ID: <20151009165819.Horde.xZudPsE-5k0pLb5RjGPfsA1@staffmail.restena.lu>
From: stefan.winter@restena.lu
To: David Illsley <davidillsley@gmail.com>
In-Reply-To: <CA+E3Fw1TZc_c7RoiSYc12TA9hga=khLf=+mqdhQZT_8ufVDZ3g@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.0)
Content-Type: text/plain; charset="UTF-8"; format="flowed"; DelSp="Yes"
MIME-Version: 1.0
Content-Disposition: inline
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/OwVeJZYh3r0k1Jgilo6NrewWXnw>
Cc: captive-portals@ietf.org
Subject: Re: [Captive-portals] Alternative authentication mechanism to meet captive portal needs?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 14:58:23 -0000

Hello,

being a huge EAP-based roaming consortium, eduroam is facing those  
same ToU/branding questions.

We settled for an out-of-EAP approach to show logo and ToU during the  
provisioning phase.

Take a look at  
https://datatracker.ietf.org/doc/draft-winter-opsawg-eap-metadata/

This is a config file for EAP-based networks. It includes schema  
elements / yang nodes to embed ToU, Logo, helpdesk contact details,  
operator friendly name etc.

An installer program that gets fed with such a config file can display  
the logo, ToU and similar before actually pushing the EAP type  
settings to the device; and from then on just be a normal 802.11i  
network.

There is already an Android app and a Linux installation script that  
consumes the file format; we are also currently working on a Windows  
version.

Apple's mobileconfig files also have a way to embed Terms of Use - but  
no logo.

The only remaining problem then is that the config needs to get to the  
device in the first place - which means in most cases that you need a  
captive portal which only allows to download the config for the "real"  
network.

Hotspot 2.0 was designed with that use case in mind, but for wired  
networks, you are a bit more on your own.

Greetings,

Stefan Winter

Zitat von David Illsley <davidillsley@gmail.com>:

> Hi all,
> Apologies if this is a silly question (and if I missed it in the archives).
> Has anyone (anywhere) considered if there's a new (EAP?) authentication
> mechanism that would meet at least some of the needs of deployers of
> captive portals? eg allow users to agree to an acceptable use policy, see a
> logo, and enter their email address?
>
> I know its potentially a bigger change than some of the others suggested,
> but if these requirements aren't going anywhere, it might be worth the
> long-term investment.
>
> David

v2.23.0 | Report a Bug | By Email