Re: [Captive-portals] Questions about PvD/API

David Bird <dbird@google.com> Wed, 16 August 2017 13:52 UTC

From: David Bird <dbird@google.com>
Date: Wed, 16 Aug 2017 06:51:58 -0700
Message-ID: <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com>
To: Erik Kline <ek@google.com>
Cc: Tommy Pauly <tpauly@apple.com>, captive-portals@ietf.org, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/k4pvvUQs6o7QQGntuVa3P6u751U>
Subject: Re: [Captive-portals] Questions about PvD/API

My question about where the PvD API resides was somewhat rhetorical. In
reality, I'm sure you will find all of the above - In the NAS (e.g. Cisco),
at the hotspot services provider, and something hosted next to the venue's
website. It depends mostly on how this URL is configured, and by whom. (One
could imagine people doing all sorts of things).

My question more specifically for the authors is, how would Cisco implement
PvD for Guest/Public access and would it actively stop avoiding Apple
captive portal detection? Or, would turning on PvD just make that 'feature'
easier to implement?

On Tue, Aug 15, 2017 at 5:19 PM, Erik Kline <ek@google.com> wrote:

> Randomly selecting Tommy and Eric so this bubbles up in their inbox.
>
> On 2 August 2017 at 10:36, David Bird <dbird@google.com> wrote:
> > Could an author of PvD help me understand the following questions for each
> > of the diagrams below I found on the Internet -- which represent some
> > typical hotspot configurations out there...
> >
> > - Where would the API reside?
> >
> > - Who 'owns' the API?
> >
> > - How does the API keep in-sync with the NAS? Who's responsible for that
> > (possibly multi-vendor, multi-AAA) integration?
> >
> > 1) Typical Hotspot service company outsourcing:
> > http://cloudessa.com/wp-content/uploads/2013/08/shema-CaptivePortalSolution_beta2b.png
> >
> > 2) Same as above, except venue owns portal:
> > http://cloudessa.com/wp-content/uploads/2013/07/solutions_hotspots-co-working-cloudessa_2p1.png
> >
> > 3) Now consider the above, but the venue has more roaming partners and
> > multi-realm RADIUS setup in their Cisco NAS:
> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html
> > describes many options -- including separate MAC authentication sources,
> > optional portals for 802.1x (RADIUS) authenticated users, and so much
> > more...
> >
> > "Cisco ISE supports internal and external identity sources. Both sources can
> > be used as an authentication source for sponsor-user and guest-user
> > authentication."
> >
> > Also note this interesting article: the section Information About Captive
> > Bypassing and how it describes how to avoid Apple captive portal
> > detection!!! "If no response is received, then the Internet access is
> > assumed to be blocked by the captive portal and Apple's Captive Network
> > Assistant (CNA) auto-launches the pseudo-browser to request portal login in
> > a controlled window. The CNA may break when redirecting to an ISE captive
> > portal. The controller prevents this pseudo-browser from popping up."