Sunday 2 June 2013

Introducing EAP-Guest

Introducing EAP-Guest

In this article I’ll try to present a solution for providing encrypted wifi with authentication free access. This is based on Scenario 2 in my article Wireless Guest Networks

The scenario (summary)

  • Public access Wi-Fi provider
  • Many users
  • Many access points
  • Large coverage area
  • No need to identify individual users

The solution

As I hinted in my last article this article is going to introduce something that is as of yet not developed. As the title hinted to we are going to use WPA(2)-Enterprise and introduce a new EAP type, I’m going to call it EAP-Guest.

EAP-Guest, Overview

EAP Guest is a new EAP type that can be announced in the beacon (as a vendor specific extension) and can work in parallel with other EAP types on the same SSID. It requires no authentication credentials from the client, but does a couple of authentication exchanges to prevent man-in-the-middle attacks.

AEP-Guest, User perspective

The beacon includes EAP-Guest, so the padlock icon next to the SSID in the browser is set to something to make it stand out. This could be an open padlock, a padlock and a key or even a padlock with a G on it.
When the User selects the network, the client device initiates a regular WPA-Enterprise authentication session with EAP type EAP-Guest. During that authentication and identification run the service provider signs it’s packets with a X.509 certificate. The certificate is the tricky part, you need a central CA (Certificate Authority) to sign it. Issuing certificates for SSIDs are not an option, that’s way too complicated to enforce. I suggest using regular X.509 certificates for web use and present the domain and organization to the user for approval. When the certificate is approved the client device needs to store it for future use. Since there are large networks with multiple providers (e.g. eduroam) the client must be able to store multiple of these certificates.
Once the authentication process is completed (failure is an option) the client is returned a URL to go to and accepted into the network. The client must direct the user to this URL in a web-browser if the platform supports it.


  • Easy to use
  • Secure


  • Hard to set up
  • Requires new technology


The EAP-Guest solution is an imagined future solution to this problem and the very reason I wrote this series of articles. If you are a service provider and need user authentication on top of this solution, you only have to add a layer-3 security portal on top of WPA-Guest, this is the main motivation for the URL return at the end of the sequence. In the next article I’ll present a solution that I think is an even better solution for hotspot service providers.

No comments: