Wireless Provisioning Service Protocol
Has any thought been given on adding the WPS (Wireless Provisioning Service) Protocol to FreeRADIUS? http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/p rotocol/portal_wireless_provisioning_service_protocol.asp It sounds really cool in theory. From: http://www.microsoft.com/downloads/details.aspx?FamilyId=9ADF7496-0D50-4 138-848E-9BC810B83C01&displaylang=en With WPS technology, new and existing customers can connect to your Wi-Fi network without manual configuration of the computer or network connection.
Hey, Michael, From my recollection, implementing WPS would require first implementing PEAPv2, and there hasn't been any movement there yet. --Mike King, Michael wrote:
Has any thought been given on adding the WPS (Wireless Provisioning Service) Protocol to FreeRADIUS?
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/p rotocol/portal_wireless_provisioning_service_protocol.asp
It sounds really cool in theory.
From: http://www.microsoft.com/downloads/details.aspx?FamilyId=9ADF7496-0D50-4 138-848E-9BC810B83C01&displaylang=en
With WPS technology, new and existing customers can connect to your Wi-Fi network without manual configuration of the computer or network connection.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I read the 132 page spec last night. Personally, I wasn't terribly impressed. josh. King, Michael wrote:
Has any thought been given on adding the WPS (Wireless Provisioning Service) Protocol to FreeRADIUS?
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/p rotocol/portal_wireless_provisioning_service_protocol.asp
It sounds really cool in theory.
From: http://www.microsoft.com/downloads/details.aspx?FamilyId=9ADF7496-0D50-4 138-848E-9BC810B83C01&displaylang=en
With WPS technology, new and existing customers can connect to your Wi-Fi network without manual configuration of the computer or network connection.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hmmm. i am not sure if the question is to be impressed. it is simply true that some signaling is necessary to allow user to choose a network (e.g. an operator). in usual hotspots you end up with a web page which can present you all the information you need (e.g. prices, names, available services, etc.) - however without any L2 security. but in 802.1X you have to first authenticate to be able to exchange any signaling. this is indeed insufficient e.g. for WISPs: how do you know that your authentication will work in a particular network? which authentication protocol should you use if it does not? what will you pay by accessing there? which service do you get? etc. etc. etc. all these things become terribly complicated. in fact, i've written a paper on that about two years ago... using something like TTLS/PEAP provides a tunnel which you can use to exchange any data with the operator's control plane, and that prior to IP. could you be more specific? regards artur On 5 Oct 2005, at 22:09, Josh Howlett wrote:
I read the 132 page spec last night. Personally, I wasn't terribly impressed.
josh.
King, Michael wrote:
Has any thought been given on adding the WPS (Wireless Provisioning Service) Protocol to FreeRADIUS? http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ randz/p rotocol/portal_wireless_provisioning_service_protocol.asp It sounds really cool in theory. From: http://www.microsoft.com/downloads/details.aspx? FamilyId=9ADF7496-0D50-4 138-848E-9BC810B83C01&displaylang=en With WPS technology, new and existing customers can connect to your Wi-Fi network without manual configuration of the computer or network connection. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Artur Hecker wrote:
hmmm.
i am not sure if the question is to be impressed.
I admit I was being a bit flippant.
it is simply true that some signaling is necessary to allow user to choose a network (e.g. an operator). in usual hotspots you end up with a web page which can present you all the information you need (e.g. prices, names, available services, etc.) - however without any L2 security.
but in 802.1X you have to first authenticate to be able to exchange any signaling. this is indeed insufficient e.g. for WISPs: how do you know that your authentication will work in a particular network? which authentication protocol should you use if it does not? what will you pay by accessing there? which service do you get? etc. etc. etc. all these things become terribly complicated. in fact, i've written a paper on that about two years ago... using something like TTLS/PEAP provides a tunnel which you can use to exchange any data with the operator's control plane, and that prior to IP.
could you be more specific?
I'll try and keep this brief, because it's a bit OT. WPS doesn't seem to offer anything particularly novel, besides a proprietary mechanism for configuring the Windows supplicant. A much more sane approach, IMHO, is simple authentication-by-proxy as implemented by several roaming consortia. Microsoft should put more effort into fixing their terribly broken supplicant, and stop trying to invent wheels... josh.
hi Josh i know it's a bit OT but i think that it might still be interesting for some of us.
I'll try and keep this brief, because it's a bit OT. WPS doesn't seem to offer anything particularly novel, besides a proprietary mechanism for configuring the Windows supplicant.
imho it's as proprietary as PEAP is proprietary. or TTLS. or any other EAP method which is not (yet?) an RFC. and it does offer new possibilites.
A much more sane approach, IMHO, is simple authentication-by-proxy as implemented by several roaming consortia.
are we still talking about L2 security? if yes, can you provide some references on this? i don't know anything about it.
Microsoft should put more effort into fixing their terribly broken supplicant, and stop trying to invent wheels...
that's where we almost agree :-) MS really could and should improve their supplicant a lot, both in terms of correctness and in terms of usability. it's still a pain in the ass to use. the supported EAP methods are scarce. the API has changed several times since XP and the newest one is difficult to decipher... (greetings to Tom). however, i do expect from somebody as big as microsoft to do research, to invent stuff and to specify new things. btw, that's what the community was always critisizing MS before. they did hire some of the best scientists (look at their R&D stuff), so why shouldn't they invent new things now? ciao artur
Hi,
the community was always critisizing MS before. they did hire some of the best scientists (look at their R&D stuff), so why shouldn't they invent new things now?
if its cross-platform then yes, they can invent things ;-) (bonus if it is Open Source too - so the community can see any problems lurking in it) alan
Hi Artur,
A much more sane approach, IMHO, is simple authentication-by-proxy as implemented by several roaming consortia.
are we still talking about L2 security? if yes, can you provide some references on this? i don't know anything about it.
I mean EAP over RADIUS within a roaming consortium. A good example of one, which I'm involved in, is eduroam (www.eduroam.org). Most of the effort in WPS is expended in provisioning configuration stuff (SSID names, etc). But it's reasonably trivial for a roaming consortium to agree on these without requiring a protocol like WPS.
Microsoft should put more effort into fixing their terribly broken supplicant, and stop trying to invent wheels...
that's where we almost agree :-) MS really could and should improve their supplicant a lot, both in terms of correctness and in terms of usability. it's still a pain in the ass to use. the supported EAP methods are scarce. the API has changed several times since XP and the newest one is difficult to decipher... (greetings to Tom).
however, i do expect from somebody as big as microsoft to do research, to invent stuff and to specify new things. btw, that's what the community was always critisizing MS before. they did hire some of the best scientists (look at their R&D stuff), so why shouldn't they invent new things now?
It would be nice if this stuff ended up in their products, and worked! josh.
hi Josh sorry to catch up so late on this.
I mean EAP over RADIUS within a roaming consortium. A good example of one, which I'm involved in, is eduroam (www.eduroam.org).
i took a look at this, it is mostly TERENA stuff for RADIUS... imho it only concerns the provider-provider interface and has nothing to do with WPS from my point of view. sorry, i don't see the point or the relevance of eduroam inter-provider agreements for the client provisioning.
Most of the effort in WPS is expended in provisioning configuration stuff (SSID names, etc). But it's reasonably trivial for a roaming consortium to agree on these without requiring a protocol like WPS
yes, it targets the user-provider interface. i'm sorry, but it is all but trivial to agree upon something like this in any realistic commercial roaming consortium. why? first of all, because roaming contracts are way too complicated and barely applicable for most of the current WISPs. second, because SSIDs etc. as almost anything in WiFi is not normative at all, ie. anybody can use whatever he wants and the problem is that is what the people currently do. change it a posteriori is too complicated. finally and most importantly, as a user you have no guarantee that the SSID you see represent the service you believe to get. and if you see two different SSIDs both belonging to commercial hotspots, you have to be able to find out service particularities _before_ connecting to the network. no aggrement can accomplish that for 802.1X based systems. and i won't even touch the platform integrity discussion... ciao artur
Hi all I have a couple of questions that I hope you guys can answer: I have to use radius for a prepaid solution. The soft switch is going to send radius authentication messages and accounting messages. My idea is to use FreeRADIUS with PostgreSQL. So my first question is if that's a good idea for a prepaid solution with real time billing involved to use these two? I will save both the accounting information and the user info in the postgreSQL database. But not all user info, mostly of it will be stored by the billing system, for instance the balance info. The user info in the postgre database is mainly used to route the user to the right billing base. Does the described solution seem to be a good one? Or should it be done differently? Another question is about authentication-request message. On the authentication-request I will get the following attributes: NAS-IP-Address Calling-Station-Id Called-Station-Id Service-Type Acct-Session-Id The attribute used for authentication is just the Calling-Station-Id. This gives a problem, the rlm_sql doesn't permit An Authentication Request without the User-Name and Password attributes. And as far as I can se there is Something that is hardcoded in the C code. If that is right I'll need to make the changes and recompile it? Or is there another solution on this? In the response to the the Authentication Request I have to send the calculated maximum call time Based on the Called-Station-Id and the user's balance. So before sending the response I have to execute something that calculates this. How can that be done in the best manner? Thanx /Erik
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Artur Hecker -
Erik Ågren -
Josh Howlett -
King, Michael -
Michael Griego