[isf-wifidog] How to Auth non-browser based devices

Dana Spiegel dana at nycwireless.net
Wed Feb 1 10:46:47 EST 2006


Some comments:

1) this is likely to be an involved and confusing process for most  
normal people, since they'll look at you and say "I want to get phone  
access, and I don't own a Mac". Asking for people to enter in their  
MAC address is like asking them to enter the serial number for the  
engine block in their car.

2) Great idea, though if we could enter the server whitelist via DNS
names, and have the wifidog auth update the IP automatically, that
would be even better.

3) Even better idea. If someone is going to be smart enough to tunnel
traffic like this, then it's likely that they're smart enough to spoof
a MAC address or do something else to get around any security. Plus I
don't think there's a significant risk for this, and our goal should  
be to make the hotspot as easy to use as possible. This is the only  
way that people can just pull out their VOIP phone and use it without  
a problem.

4) I don't think this will work for VOIP phones, which can't even click
through the splash page. Unless I'm missing something.

5) This is also a good idea, though we'll constantly be playing catch  
up with the network device providers, and this will be lots of  
overhead work for the network operators. If we go this route, WifiDog  
should publish a list of MAC addresses and their device category, and  
allow network operators to click a button that says "Allow all VOIP  
phones to use this network without authenticating", which will cause  
the auth server to suck down a constantly updated list of MAC address  
ranges for VOIP phones. Same is true for PSP and DS, and possibly  
other device classes as well.

Dana Spiegel
Executive Director
NYCwireless
dana at NYCwireless.net
www.NYCwireless.net
+1 917 402 0422

Read the Wireless Community blog: http://www.wirelesscommunity.info


On Feb 1, 2006, at 12:05 AM, Benoit Grégoire wrote:

> On January 31, 2006 11:37 pm, Jason Potter wrote:
>> Hi All,
>>
>> Just an extension to the discussion below, what are the approaches to
>> giving free wifi to devices in a venue that don't have a browser.
>
> 1-Tie MAC address(es) to a single user account who vouches for it
> (http://dev.wifidog.org/ticket/19).  Only slightly more insecure than normal
> captive portal operation.
> 2-Whitelist specific servers ("perfectly" secure, allows the group to ask
> money from their operators for the privilege since they run a business on
> your network).  Good for the DS and VOIP operators, doesn't work for allowing
> you to connect to your own Asterisk server for example.
> 3-Whitelist specific ports (such as SIP).  Once you do that, anyone can tunnel
> any kind of traffic through them.
> 4-Don't run any authentication at all.  Works fine for those who only run a
> portal to display a splash page and terms of service.
>
> I hadn't thought of Pete's solution:
> 5-Whitelist a range of MAC addresses by manufacturer.  Only works when the
> manufacturer and the service to be whitelisted are the same (so it would work
> for the DS, but not for a wifi phone).  Also, once the users know whose
> device is whitelisted, they no longer have to guess or find a MAC address to
> spoof.
>
> If anyone has other ideas, please speak up.  So far there is no perfect
> solution.
>
> -- 
> Benoit Grégoire, http://benoitg.coeus.ca/
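Added example, not part of either message and not WifiDog code: a sketch of the per-device-class MAC range lookup discussed under point 5 in both messages. The function names, the "MAC/bits" list format and the sample ranges are assumptions; the ranges are constructed from the RFC 7042 documentation block. As the thread notes, a match reflects only the address a client claims, so it identifies a device class without authenticating anything.

```python
import re

# Constructed sample list: ranges inside the RFC 7042 documentation block
# (00:00:5E:00:53:00-FF), standing in for real vendor assignments.
SAMPLE_RANGES = [
    ("00:00:5E:00:53:00/44", "voip_phone"),
    ("00:00:5E:00:53:10/44", "game_handheld"),
    ("00:00:5E:00:53:18/45", "voip_phone"),  # more specific range inside the one above
]

def parse_mac(text):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return the 48-bit integer."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def build_table(ranges):
    """Turn 'MAC/bits' strings into (network, mask, bits, device_class) tuples."""
    table = []
    for spec, device_class_name in ranges:
        mac, bits = spec.split("/")
        bits = int(bits)
        if not 1 <= bits <= 48:
            raise ValueError(f"bad prefix length in {spec!r}")
        mask = ((1 << bits) - 1) << (48 - bits)
        table.append((parse_mac(mac) & mask, mask, bits, device_class_name))
    return table

def device_class(mac_text, table):
    """Return the class of the longest matching range, or None."""
    mac = parse_mac(mac_text)
    first_octet = mac >> 40
    # Multicast (bit 0) or locally administered (bit 1) addresses were not
    # assigned by a manufacturer, so they can never belong to a vendor range.
    if first_octet & 0x03:
        return None
    best = None
    for network, mask, bits, name in table:
        if mac & mask == network and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None
```
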
