Sunday 9 June 2013

Wi-Fi connection File Format

In this article I’ll try to present a new standard that needs to be created, and demonstrate how a Wi-Fi hotspot provider could use it. This is based on Scenario 3 in my article Wireless Guest Networks.

The scenario (summary)

  • Wi-Fi Hotspot provider
  • Needs rigid solution
  • Needs to identify every user
  • Needs billing options

The solution

This solution is split into two parts. First I’m going to present the Wi-Fi Connection File Format, then I’m going to explain how it fits into the scenario.

The File Format

This is going to be a standardized, clear-text file format containing everything a client needs to connect to a wireless network. My suggested mockup looks like this:

SSID v1.0
[basic]
SSID:Hotspot
security:WPA2-Enterprise
EAP:EAP-TLS

[EAP-TLS]
username:exampleuser
password:examplepassword
cert:(some certificate fingerprint)
cert:(another certificate fingerprint)

[Signature]
(Signature for the above document) (optional)

Let’s start from the top. The first line declares the file format and the version of that format. The second line is a section declaration stating that the settings that follow are basic settings. The next few lines consist of key:value pairs, one per line. The next section contains specialized settings for EAP-TLS. This is just an example, but imagine that the section supplies all the information needed to connect to that network, no questions asked. (One caveat on the mockup: EAP-TLS authenticates the client with a certificate rather than a password, so the password field really belongs to a method such as PEAP or EAP-TTLS, while the certificate fingerprints are the part an EAP-TLS client cannot do without.) The signature section is optional; it is a signature confirming the authenticity of the document above it and contains all the information needed to verify it. I would personally just use regular X.509 certificates in some way.

The reason for standardizing the file format is to have one standard way of providing the credentials, without having to coach the user through a long series of screenshots. You simply download the file and open it; the operating system hands it to the Wi-Fi manager by file type. The Wi-Fi manager then asks whether you want to apply these settings to that SSID, prompts you before overwriting an existing profile, asks you to approve the signature (if there is one) and applies the settings. That approval step matters: the file tells the client which certificates to trust and which credentials to send, so a file whose origin has not been verified must never be applied silently.
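The mockup above fixes no grammar, so here is one concrete reading of it as an added example (my code for this edit, not the article’s). It assumes: line 1 is "SSID v<major>.<minor>"; "[name]" opens a section; "key:value" lines belong to the open section; a key repeated within a section (cert) collects into a list; "[Signature]" must be the last section, and everything before it (blank lines excluded) is what the signature covers. The parser is the client side; the builder is the provider side that emits the file handed to a user after signup (Option 1 below). Signature verification itself is left to whatever X.509 scheme the author has in mind and is not implemented; the parser only isolates the signed bytes and the raw signature for it. The EAP section requirements and the sample input are constructed for the example, and the assumption that EAP-TLS needs no password (unlike PEAP) is stated in the code.

```python
import re

SUPPORTED_MAJOR = 1
HEADER_RE = re.compile(r"^SSID v(\d+)\.(\d+)$")

# Keys each EAP method's own section must carry (assumption for this example:
# EAP-TLS uses a client certificate, so no password; PEAP sends a password).
REQUIRED_KEYS = {"EAP-TLS": ("username", "cert"),
                 "PEAP": ("username", "password", "cert")}

# The article's mockup, transcribed as constructed sample input.
SAMPLE = """SSID v1.0
[basic]
SSID:Hotspot
security:WPA2-Enterprise
EAP:EAP-TLS

[EAP-TLS]
username:exampleuser
cert:(some certificate fingerprint)
cert:(another certificate fingerprint)
[Signature]
(signature over the lines above)
"""

class ConnectionFileError(ValueError):
    """Raised for a file the Wi-Fi manager must refuse to apply."""

def parse_connection_file(text):
    """Return version, sections, the signed portion and the raw signature."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0].strip()) if lines else None
    if not m:
        raise ConnectionFileError("first line must be 'SSID vX.Y'")
    version = (int(m.group(1)), int(m.group(2)))
    if version[0] != SUPPORTED_MAJOR:
        raise ConnectionFileError("unsupported format version %d.%d" % version)
    sections, current = {}, None
    signed_lines, signature_lines = [lines[0].strip()], None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if signature_lines is not None:
                raise ConnectionFileError("[Signature] must be the last section")
            if name == "Signature":
                signature_lines = []
            elif name in sections:
                raise ConnectionFileError("duplicate section [%s]" % name)
            else:
                sections[name] = {}
                signed_lines.append(line)
            current = name
            continue
        if current == "Signature":
            signature_lines.append(line)  # kept verbatim for the verifier
            continue
        if current is None or ":" not in line:
            raise ConnectionFileError("line %d is not a key:value pair inside a section" % lineno)
        key, value = (part.strip() for part in line.split(":", 1))
        section = sections[current]
        old = section.get(key)  # a repeated key (cert) collects into a list
        section[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
        signed_lines.append(line)
    return {"version": version, "sections": sections,
            "signed": "\n".join(signed_lines) + "\n",
            "signature": "\n".join(signature_lines) if signature_lines else None}

def validate(doc):
    """Return the EAP method (None for non-802.1X security) or raise."""
    basic = doc["sections"].get("basic", {})
    if "SSID" not in basic or "security" not in basic:
        raise ConnectionFileError("[basic] must carry SSID and security")
    if basic["security"] != "WPA2-Enterprise":
        return None
    eap = basic.get("EAP")
    if eap not in REQUIRED_KEYS:
        raise ConnectionFileError("unknown or missing EAP method %r" % (eap,))
    missing = [k for k in REQUIRED_KEYS[eap] if k not in doc["sections"].get(eap, {})]
    if missing:
        raise ConnectionFileError("[%s] lacks %s" % (eap, ", ".join(missing)))
    return eap

def needs_user_approval(doc):
    # An unsigned file pins certificates on the user's say-so alone: ask first.
    return doc["signature"] is None

def build_connection_file(ssid, eap, settings, signature=None):
    """Provider side: the file handed to a user after signup (Option 1 below)."""
    out = ["SSID v1.0", "[basic]", "SSID:" + ssid, "security:WPA2-Enterprise",
           "EAP:" + eap, "", "[" + eap + "]"]
    for key, value in settings.items():
        out += ["%s:%s" % (key, v) for v in (value if isinstance(value, list) else [value])]
    if signature is not None:
        out += ["", "[Signature]", signature]
    return "\n".join(out) + "\n"
```

A file that fails `validate` is rejected before anything is written to the Wi-Fi profile, and `needs_user_approval` is the hook where the Wi-Fi manager prompts when there is no signature to fall back on; with a signature present, the verifier gets `doc["signed"]` and `doc["signature"]` and the prompt becomes an approval of the signer instead.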

Solving the problem

For this hotspot provider there are a number of ways this could be applied as a solution. Common to all of them is that they use WPA2-Enterprise (802.1X with a RADIUS back-end) as the primary connection and authentication system. The service provider still needs to do a lot of work on the back-end, but can now trust the client device to remember the credentials and does not have to ask the user to authenticate every time. For expired subscriptions, the RADIUS server can simply move the user to a walled-garden VLAN with just enough access to renew the subscription.

Option 1

User registration and authentication could simply happen on a separate SSID, exactly the way hotspot solutions do today. The difference is that after completing signup (or a regular login) the user is sent a settings file and connects to the secured SSID.

Option 2

Same as Option 1, but using [WPA-Guest] on the same SSID.

Pros

  • Pretty easy to use, and easier than manual setup.
  • Secure (depending on setup)
  • Most Hotspot providers need to do most of this work anyway

Cons

  • Harder for the provider to set up than today’s hotspot solutions

Summary

That completes the planned part of my series on wireless guest networks. If anyone in a position to do anything about this finds it interesting, feel free to contact me; I really want to see this implemented.