[isf-wifidog] How to Auth non-browser based devices

Benoit Grégoire bock at step.polymtl.ca
Wed 1 Feb 11:16:09 EST 2006


On February 1, 2006 10:46 am, Dana Spiegel wrote:
> Some comments:
>
> 1) this is likely to be an involved and confusing process for most
> normal people, since they'll look at you and say "I want to get phone
> access, and I don't own a Mac". Asking for people to enter in their
> MAC address is like asking them to enter the serial number for the
> engine block in their car.

True, but it sure beats having them reconfigure their device every time they 
want to use it.  Of course, a group who doesn't really care about 
authentication does not have that problem at all; they will probably only 
splash port 80 and leave the rest open.

> 2) Great idea, though if we could enter the server whitelist via DNS
> names, and have the wifidog auth update the IP automatically, that
> would be even better

We currently do it for the auth server rotation, but it's not a simple 
process.  You can always add the RFE to the tracker.

> 3) Even better idea. If someone is going to be smart enough to tunnel
> traffic like this, then its likely that they're smart enough to spoof
> a mac address or do something else to get around any security. Plus I
> don't think there's a significant risk for this, and our goal should
> be to make the hotspot as easy to use as possible. This is the only
> way that people can just pull out their VOIP phone and use it without
> a problem.

The problem is where do we stop.  In the end, how different is "I want to pull 
out my wifi phone and have it just work" from "I want to pull out my laptop 
and have it just work"?  At some point you have to be consistent, or you'll 
either start down a slippery slope or look arbitrary in your justifications.

Let's forget for now if it is or isn't easier than finding a MAC address to 
spoof.  Opening ports is whitelisting a specific type of service, which 
necessarily means the group deems all other services less worthy of 
convenience/consideration.

> 4) I don't think this will work for VOIP phones, who can't even click
> through the splash page. Unless I'm missing something.

A group that runs a portal only for displaying terms of service can keep all 
other ports open if they want.

> 5) This is also a good idea, though we'll constantly be playing catch
> up with the network device providers, and this will be lots of
> overhead work for the network operators. If we go this route, WifiDog
> should publish a list of MAC addresses and their device category, and
> allow network operators to click a button that says "Allow all VOIP
> phones to use this network without authenticating", which will cause
> the auth server to suck down a constantly updated list of MAC address
> ranges for VOIP phones. Same is true for PSP and DS, and possibly
> other device classes as well.

If we were to go this route, we'd have to move the list server side, otherwise 
it will be a performance and logistics nightmare.  However, it could be done 
using most of the same mechanics as what 1 needs.

I may write a page on the wiki about this whole issue.

-- 
Benoit Grégoire, http://benoitg.coeus.ca/
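The options compared in the thread (a per-user MAC whitelist, a DNS-resolved server whitelist, opening specific ports, and a vendor-OUI list of device classes such as VOIP phones) can be modelled as one ordered bypass policy. The following is an added Python example, not WiFiDog code (the real gateway enforces these rules with iptables on the router, and the auth server is PHP). The OUI prefixes, MAC addresses, hostname and IP addresses below are constructed for illustration, and the resolver is a stand-in for DNS so the example runs offline.

```python
"""Toy model of a captive-portal bypass policy for non-browser devices.

Added example, not part of WiFiDog.  Every prefix, address and hostname in
build_example_policy() is constructed; the resolver is a fake in place of DNS.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lower-case colon form.

    Users type MACs in many forms (00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455); anything that is not exactly 12 hex digits is rejected.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def oui(mac: str) -> str:
    """First three octets of a MAC: the vendor prefix used for device classes."""
    return normalize_mac(mac)[:8]


@dataclass
class BypassPolicy:
    user_macs: Set[str] = field(default_factory=set)          # option 1
    server_whitelist: Dict[str, Set[str]] = field(default_factory=dict)  # option 2: name -> IPs
    open_ports: Set[int] = field(default_factory=set)         # option 3
    device_ouis: Dict[str, str] = field(default_factory=dict)  # option 5: OUI -> class
    allowed_classes: Set[str] = field(default_factory=set)    # option 5: classes opened by operator

    def register_mac(self, mac: str) -> None:
        self.user_macs.add(normalize_mac(mac))

    def device_class(self, mac: str) -> Optional[str]:
        return self.device_ouis.get(oui(mac))

    def refresh_server_whitelist(self, resolve: Callable[[str], Iterable[str]]) -> None:
        """Re-resolve every whitelisted name.  A real gateway would call
        socket.getaddrinfo here and repeat it on a timer shorter than the
        record TTL, otherwise the IP rules go stale when the name moves."""
        for name in self.server_whitelist:
            self.server_whitelist[name] = set(resolve(name))

    def decide(self, src_mac: str, dst_ip: str, dst_port: int,
               authenticated: bool = False) -> str:
        """Return the rule that lets the packet through, or 'redirect:portal'.

        Nothing here binds a MAC to a person: a laptop presenting a VOIP
        vendor's OUI is treated exactly like the phone, which is the spoofing
        caveat raised in the thread.
        """
        if authenticated:
            return "allow:authenticated"
        mac = normalize_mac(src_mac)
        if mac in self.user_macs:
            return "allow:mac-whitelist"
        cls = self.device_class(mac)
        if cls in self.allowed_classes:
            return f"allow:device-class:{cls}"
        if dst_port in self.open_ports:
            return f"allow:open-port:{dst_port}"
        for name, ips in self.server_whitelist.items():
            if dst_ip in ips:
                return f"allow:server-whitelist:{name}"
        return "redirect:portal"


def build_example_policy() -> BypassPolicy:
    """Constructed policy: the OUIs, MAC, hostname and IPs are placeholders."""
    policy = BypassPolicy(
        server_whitelist={"auth.example.org": set()},
        open_ports={5060},                                   # SIP signalling
        device_ouis={"00:11:22": "voip", "00:aa:bb": "handheld"},
        allowed_classes={"voip"},
    )
    policy.register_mac("00-DE-AD-BE-EF-01")                # user-entered MAC
    # Fake resolver standing in for DNS so the example runs offline.
    policy.refresh_server_whitelist(lambda name: ["192.0.2.10", "192.0.2.11"])
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    print(p.decide("00:de:ad:be:ef:01", "198.51.100.1", 80))   # allow:mac-whitelist
    print(p.decide("0011.2233.4455", "198.51.100.1", 443))     # allow:device-class:voip
    print(p.decide("00:aa:bb:00:00:01", "198.51.100.1", 443))  # redirect:portal
```

The order of the checks matters: the per-user and per-class MAC rules bypass the portal for all traffic, while the port and server rules only open a slice of it, so a device that is not recognised still reaches the auth server and can still use SIP without ever seeing the splash page.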