[isf-wifidog] How to Auth non-browser based devices
Dana Spiegel
dana at nycwireless.net
Wed Feb 1 10:46:47 EST 2006
Some comments:
1) this is likely to be an involved and confusing process for most
normal people, since they'll look at you and say "I want to get phone
access, and I don't own a Mac". Asking for people to enter in their
MAC address is like asking them to enter the serial number for the
engine block in their car.
2) Great idea, though if we could enter the server whitelist via DNS
names, and have the wifidog auth update the IP automatically, that
would be even better
3) Even better idea. If someone is going to be smart enough to tunnel
traffic like this, then it's likely that they're smart enough to spoof
a MAC address or do something else to get around any security. Plus I
don't think there's a significant risk for this, and our goal should
be to make the hotspot as easy to use as possible. This is the only
way that people can just pull out their VOIP phone and use it without
a problem.
4) I don't think this will work for VOIP phones, which can't even click
through the splash page. Unless I'm missing something.
5) This is also a good idea, though we'll constantly be playing catch
up with the network device providers, and this will be lots of
overhead work for the network operators. If we go this route, WifiDog
should publish a list of MAC addresses and their device category, and
allow network operators to click a button that says "Allow all VOIP
phones to use this network without authenticating", which will cause
the auth server to suck down a constantly updated list of MAC address
ranges for VOIP phones. Same is true for PSP and DS, and possibly
other device classes as well.
Dana Spiegel
Executive Director
NYCwireless
dana at NYCwireless.net
www.NYCwireless.net
+1 917 402 0422
Read the Wireless Community blog: http://www.wirelesscommunity.info
On Feb 1, 2006, at 12:05 AM, Benoit Grégoire wrote:
> On January 31, 2006 11:37 pm, Jason Potter wrote:
>> Hi All,
>>
>> Just an extension to the discussion below, what are the approaches to
>> giving free wifi to devices in a venue that don't have a browser.
>
> 1-Tie MAC address(es) to a single user account who vouches for it
> (http://dev.wifidog.org/ticket/19). Only slightly more insecure than
> normal captive portal operation.
> 2-Whitelist specific servers ("perfectly" secure, allows the group to
> ask money from their operators for the privilege since they run a
> business on your network). Good for the DS and VOIP operators, doesn't
> work for allowing you to connect to your own asterisk server for
> example.
> 3-Whitelist specific ports (such as SIP). Once you do that, anyone can
> tunnel any kind of traffic through them.
> 4-Don't run any authentication at all. Works fine for those who only
> run a portal to display a splash page and terms of service.
>
> I hadn't thought of Pete's solution:
> 5-Whitelist a range of MAC addresses by manufacturer. Only works when
> the manufacturer and the service to be whitelisted are the same (so it
> would work for the DS, but not for a wifi phone). Also, once the users
> know whose device is whitelisted, they no longer have to guess or find
> a MAC address to spoof.
>
> If anyone has other ideas, please speak up. So far there is no perfect
> solution.
>
> --
> Benoit Grégoire, http://benoitg.coeus.ca/
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
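
An added illustration of the per-category MAC-range list proposed in point 5 of the reply above (it is not part of the original thread and is not WifiDog code). The list format, the prefixes and all function names are assumptions constructed for the example.

```python
import re

# Constructed sample of a published device-category list (format is an assumption).
# The prefixes are made-up placeholders, not real vendor assignments.
SAMPLE_LIST = """\
# category  prefix/bits
voip      02:AA:10/24
voip      02:AA:20:30/28
handheld  02:BB:00/24
"""

def _hex_digits(text):
    """Strip the usual MAC separators (colon, dash, dot)."""
    return re.sub(r"[:.\-]", "", text.strip())

def mac_to_int(mac):
    """Normalise aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to a 48-bit integer."""
    digits = _hex_digits(mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def parse_list(text):
    """Return [(category, prefix_value, prefix_bits)], skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        category, spec = line.split()
        prefix, bits = spec.split("/")
        bits, digits = int(bits), _hex_digits(prefix)
        if not 1 <= bits <= 48 or len(digits) * 4 < bits or len(digits) > 12:
            raise ValueError(f"bad prefix: {spec!r}")
        rules.append((category, int(digits.ljust(12, "0"), 16) >> (48 - bits), bits))
    return rules

def category_for(mac, rules):
    """Longest-prefix match of a client MAC against the list, or None."""
    addr, best = mac_to_int(mac), None
    for category, value, bits in rules:
        if addr >> (48 - bits) == value and (best is None or bits > best[1]):
            best = (category, bits)
    return best[0] if best else None

def bypass_auth(mac, rules, enabled):
    """True only if the operator enabled the category this MAC falls in.
    The MAC is whatever the client presents, so this is not authentication."""
    return category_for(mac, rules) in enabled
```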