Re: [Captive-portals] Alternative authentication mechanism to meet captive portal needs?
stefan.winter@restena.lu Fri, 09 October 2015 14:58 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856441B42CD for <captive-portals@ietfa.amsl.com>; Fri, 9 Oct 2015 07:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level:
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbmNcjO893nd for <captive-portals@ietfa.amsl.com>; Fri, 9 Oct 2015 07:58:21 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 612151B42CA for <captive-portals@ietf.org>; Fri, 9 Oct 2015 07:58:21 -0700 (PDT)
Received: from staffmail (horde-int.restena.lu [IPv6:2001:a18:1:6::237]) by smtprelay.restena.lu (Postfix) with ESMTPS id B7E1043AA0; Fri, 9 Oct 2015 16:58:19 +0200 (CEST)
Received: from 195.138.201.60 ([195.138.201.60]) by staffmail.restena.lu (Horde Framework) with HTTP; Fri, 09 Oct 2015 16:58:19 +0200
Date: Fri, 09 Oct 2015 16:58:19 +0200
Message-ID: <20151009165819.Horde.xZudPsE-5k0pLb5RjGPfsA1@staffmail.restena.lu>
From: stefan.winter@restena.lu
To: David Illsley <davidillsley@gmail.com>
In-Reply-To: <CA+E3Fw1TZc_c7RoiSYc12TA9hga=khLf=+mqdhQZT_8ufVDZ3g@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.0)
Content-Type: text/plain; charset="UTF-8"; format="flowed"; DelSp="Yes"
MIME-Version: 1.0
Content-Disposition: inline
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/OwVeJZYh3r0k1Jgilo6NrewWXnw>
Cc: captive-portals@ietf.org
Subject: Re: [Captive-portals] Alternative authentication mechanism to meet captive portal needs?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 14:58:23 -0000
Hello, being a huge EAP-based roaming consortium, eduroam is facing those same ToU/branding questions. We settled for an out-of-EAP approach to show logo and ToU during the provisioning phase. Take a look at https://datatracker.ietf.org/doc/draft-winter-opsawg-eap-metadata/ This is a config file for EAP-based networks. It includes schema elements / yang nodes to embed ToU, Logo, helpdesk contact details, operator friendly name etc. An installer program that gets fed with such a config file can display the logo, ToU and similar before actually pushing the EAP type settings to the device; and from then on just be a normal 802.11i network. There is already an Android app and a Linux installation script that consumes the file format; we are also currently working on a Windows version. Apple's mobileconfig files also have a way to embed Terms of Use - but no logo. The only remaining problem then is that the config needs to get to the device in the first place - which means in most cases that you need a captive portal which only allows to download the config for the "real" network. Hotspot 2.0 was designed with that use case in mind, but for wired networks, you are a bit more on your own. Greetings, Stefan Winter Zitat von David Illsley <davidillsley@gmail.com>: > Hi all, > Apologies if this is a silly question (and if I missed it in the archives). > Has anyone (anywhere) considered if there's a new (EAP?) authentication > mechanism that would meet at least some of the needs of deployers of > captive portals? eg allow users to agree to an acceptable use policy, see a > logo, and enter their email address? > > I know its potentially a bigger change than some of the others suggested, > but if these requirements aren't going anywhere, it might be worth the > long-term investment. > > David
- [Captive-portals] Alternative authentication mech… David Illsley
- Re: [Captive-portals] Alternative authentication … stefan.winter
- Re: [Captive-portals] Alternative authentication … Roscoe, Alexander