The search page offers both "basic" and "premier" locations.
There's a very McDonald's-like captive portal screen with an AT&T login button and a Wayport login... I forget what else. The name and password used to authenticate your DSL connection are the same ones you use at McDonald's.
If you forget to launch a new browser, you seem to get an IP address that is heavily filtered.
My DSL account doesn't seem to match the requirements for free WiFi access, but it worked, and I didn't do any other signup. The SSID "attwifi" is available for free. Other partners are only available at additional cost, with the AT&T premier package, I think. Or maybe they are all free now.
Great, a whole new way for users to lose the security of their account. Sniff the wifi traffic and then go hack the users' e-mail, web and other ISP services. Then start hitting the other stuff because the same account/password is what they used on a whole bunch of other services.
The login screens are SSL encrypted, so the logins are not going to be sniffed. However, the traffic is not encrypted, so a VPN is recommended.
What I find amusing (or disgusting) is that any wireless provider that has a functional authentication server, such as AT&T obviously does, can also provide RADIUS-based authentication, which the typical wireless client has no problem using. The client and access point can then be issued a unique one-time WPA-RADIUS encryption key, and all the traffic is encrypted.
That's not exactly the way it would (should?) work. The RADIUS server delivers the encryption key to both the access point and the client. I have WPA-RADIUS working at several installations without any modifications to the client computer. In all cases, the user is issued a login and password, which are also entered in the RADIUS server. Administering this is a PITA for a small coffee shop, but AT&T already does everything that's necessary for their DSL customers, so there's no added effort involved. The only changes are to convince AT&T and Wayport to consolidate their authentication methods and to enable WPA-RADIUS in their wireless access points. That can't be done at this time because of bureaucracy and more important, because the access point will not handle multiple encryption modes (WPA-RADIUS and unencrypted). Two access points would solve that problem, but that's a major expense that's probably not justified.
As I was sitting in the McDonald's parking lot, I found several WAPs, some with names that might indicate they were quite a ways away, maybe 1/4 mile or more. McDonald's, Burger King, Kentucky Fried Chicken, and a couple of "locked" with familiar business names that I didn't think were even in the immediate vicinity.
Sorry. That wasn't my intention. The thread was about McDonald's and I thought it would be more relevant to use the McDonald's wireless search page.
That's odd. There are 4 McDonald's in the People's Republic of Santa Cruz County. All of them have limited range. I can just barely use them in their own parking lot (without additional antenna gain). My guess(tm) is that Wayport has intentionally turned down the power on their transmitters to limit range to the premises. I've seen the same at some other hot spots. Several that I maintain have the tx power turned down to 10mW. However, I've given up eating junk food, so I don't know if it's universal among their installations.
I'm not sure I completely understand how RADIUS authentication really works. As usual, setting up RADIUS wireless authentication turned into a major project. The SQL server was my major challenge. I even read the instructions. I eventually made it work, but ended up with more questions on how it works, than answers.
List of RADIUS servers:
Passwords suck. I've degenerated into becoming an archive for my customers' passwords, a rather dangerous and wasted exercise. I'm somewhat of a fan of X.509 authentication, with a USB dongle containing the certificates, but even that's become a mess with my medical office customers, when someone forgets their dongle at home. I have some hope that the growing use of thumbprint identification will eliminate the password management problem.
Nope. You missed my point. The problem I'm trying to solve is preventing wireless sniffing of hot spot traffic. If the traffic were encrypted with a unique one-time WPA key delivered by a RADIUS server, sniffing would be impossible. I have a 2nd experimental access point running this way at a customer's, and so far, it's working.
Nope. I rarely pay for support. However, the customers that call me on their cell phone, while sitting at a random wireless hot spot, asking how to login or connect, certainly know how expensive I can be.
If you enable WPA-RADIUS on the access point, and AT&T goes to RADIUS authentication, then there are no changes that need to be made on the client end.
All current wireless clients auto detect the method of authentication, and supply a corresponding dialog box for login if required. The user types in the login and password and that's all. Both the access point and the client get a unique WPA key from the RADIUS server, for the session, which makes it secure. If the system operators need a "Click OK to assume responsibility" splash page, it can be presented AFTER the login, and not before as is currently the practice.
I do agree that it doesn't work the way I describe "out of the box". It requires some configuration on the access point, in addition to the RADIUS server and SQL server. There's also the nightmare of user password administration. However, once this is done, a hot spot user, with an existing account, can simply walk in with a laptop that has no additional software, login/authenticate via RADIUS, and have a secure and encrypted wireless connection. At least that's the way I've experienced it.
What part of the WPA-RADIUS login process doesn't work the way I described? I did have to manually tinker with the "key supplied by server" setting with XP Wireless Zero Config, but that was fixed when I installed some updates. The Buffalo, Netgear, and D-Link clients all connected without this added step. Also, I had a problem when I changed a user's password, as WZC just complained that the login failed, but didn't bother to supply a new login dialog. That's apparently a WZC bug as the other clients did it right.
So, what part of the WPA-RADIUS login and authentication process doesn't work the way I described with the stock XP clients? Note that I'm not talking about the existing McDonald's/AT&T/Wayport system, which doesn't use WPA-RADIUS.
On Fri, 02 Nov 2007 05:36:59 -0700, Jeff Liebermann wrote in :
The "changes" are that the user has to remember and type in a userid and password, which will result in many more support issues. With an open system it just connects automatically. With WPA-PSK, it's configured once and then never again. With VPN, most clients can be configured once and then never again.
And that's my point. Not to mention credentials written down and pasted on the computer for all to see. Can you say "false sense of security"? ;)
Sure, but I've personally had better luck with VPN, which can be configured once, works anywhere, not just on specific hotspots, and can even be configured to engage automatically.
On Thu, 01 Nov 2007 19:03:23 -0700, Jeff Liebermann wrote in :
My own policy is to have absolutely nothing to do with client passwords -- too much liability. When a client forgets a password, I have a new temporary one generated and sent, with a flag that forces the client to change it, plus logic to prevent weak passwords.
That problem, plus the problem of security breach if the dongle is lost or stolen, has discouraged me from using that approach.
Me too, but only some hope, since it's still not completely reliable -- still fails too often, and the low end units are still pretty easy to spoof.
Likewise, except my own preference is for VPN, which is universal (not just limited to specific hotspots); can be configured once; and set to work automatically. In addition, I don't have to depend on the local infrastructure working properly or on the integrity of the local infrastructure provider. (If possible, I recommend the client having its own VPN server, as I do.)
Ok, allow me to propose a dumb compromise. Just hang the WPA-RADIUS login and password on the wall of the hot spot. Something trivial like: login: McDonalds passwd: free-lunch. Each user now gets an encrypted session. It won't stop someone from logging in from the neighbors or the parking lot, but the wireless sessions can't be sniffed and the keys can't be recovered. Of course, this requires a local RADIUS server, but those are available.
Sure, but you indicated that I was changing the client somehow. Storing a password isn't changing the client. However, adding a VPN shim is. Are you somehow suggesting that installing and configuring a VPN client is somehow superior to just the WPA-RADIUS login and password? If so, I beg to differ.
YAPTF (yet another password to forget). Fine. Use a trivial login and password as I suggested above. Nothing to remember, but you get an encrypted session for free.
You haven't tried it my way. I'll admit it's not perfect, but it will deliver an encrypted session in the end, which eliminates some (not all) of the benefits of a VPN.
If you mean users forgetting their passwords, that's true. There are various password recovery schemes that seem to be tolerable. It's a problem, but not a show stopper, as the bulk of the users can be expected to remember their own email password (which is what McDonald's/AT&T uses).
I got a demonstration of how to use Jello to clone a finger. It took a few tries, but eventually worked. I've had mine fail after I got my fingers cut and greasy from working on my SUV engine. I was able to use the machine using the password-protected back door. It was 4 days before it would again recognize my fingerprint.
Not depend on local infrastructure? I wouldn't consider depending on internet connectivity to be any better. As for complexity, methinks the RADIUS server is far more complicated than terminating a VPN. However, the VPN distributes the complexity between the server and the client, so the total complexity is about the same.
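As an added example (not code posted by anyone in this thread), the following Python models the key-derivation point behind "each user gets a unique WPA key for the session" and the "hang the login and password on the wall" compromise: with WPA-PSK, a passphrase on the wall lets anyone who captures the 4-way handshake compute the victim's per-session keys, because the PMK is the passphrase; with WPA-RADIUS (WPA-Enterprise / 802.1X), the PMK comes out of each user's own EAP exchange, so a neighbor who logs in with the same wall-posted password still gets a different PMK and cannot derive the victim's session keys. The PSK derivation (PBKDF2-HMAC-SHA1, 4096 rounds) and the PTK PRF follow IEEE 802.11i. The SSID, MAC addresses and nonces are constructed values, and the per-session EAP PMK is an assumption modelled as fresh random bytes rather than derived from a real EAP/TLS exchange.

```python
import hashlib
import hmac
import os

# Constructed sample values for the example (not captured from any real network).
SSID = "attwifi"
AP_MAC = bytes.fromhex("001122334455")   # AA, the authenticator (access point) address
STA_MAC = bytes.fromhex("66778899aabb")  # SPA, the supplicant (client) address


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Everyone who knows the passphrase and SSID computes this same value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Returns KCK(16) || KEK(16) || TK(16) as used by CCMP. The MACs and both nonces travel
    in the clear during the 4-way handshake; the PMK is the only secret input."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def handshake_in_the_clear() -> tuple:
    """What a passive sniffer captures from a 4-way handshake: ANonce and SNonce
    (the MAC addresses are in the frame headers). Constructed here with random bytes."""
    return os.urandom(32), os.urandom(32)


def psk_sniffer_recovers_session_key(wall_poster_password: str) -> bool:
    """WPA-PSK with the password on the wall: victim and sniffer share the PMK,
    so the sniffer reproduces the victim's PTK from the captured handshake."""
    anonce, snonce = handshake_in_the_clear()
    victim_ptk = derive_ptk(psk_from_passphrase(wall_poster_password, SSID),
                            AP_MAC, STA_MAC, anonce, snonce)
    sniffer_ptk = derive_ptk(psk_from_passphrase(wall_poster_password, SSID),
                             AP_MAC, STA_MAC, anonce, snonce)
    return victim_ptk == sniffer_ptk


def eap_pmk_for_session() -> bytes:
    """Stand-in for the PMK an EAP method exports per authentication (the first 256 bits of
    the MSK, handed to the access point by the RADIUS server). Assumption for this example:
    modelled as fresh random bytes, because the real value comes out of the per-session
    EAP (typically TLS) exchange and is not a function of the password alone."""
    return os.urandom(32)


def enterprise_sniffer_recovers_session_key(wall_poster_password: str) -> bool:
    """WPA-RADIUS with the same wall-posted login: the sniffer can authenticate too, but
    gets a PMK of its own. The password never enters the PTK derivation, so knowing it
    plus the captured handshake does not yield the victim's PTK."""
    anonce, snonce = handshake_in_the_clear()
    victim_ptk = derive_ptk(eap_pmk_for_session(), AP_MAC, STA_MAC, anonce, snonce)
    sniffer_ptk = derive_ptk(eap_pmk_for_session(), AP_MAC, STA_MAC, anonce, snonce)
    return victim_ptk == sniffer_ptk


if __name__ == "__main__":
    print("PSK, password on the wall, sniffer gets victim's keys:",
          psk_sniffer_recovers_session_key("free-lunch"))
    print("WPA-RADIUS, same login on the wall, sniffer gets victim's keys:",
          enterprise_sniffer_recovers_session_key("free-lunch"))
```

This models a passive sniffer only. The thing the wall-posted login does not buy you is protection against an active attacker running an access point with the same SSID: a client that accepts any RADIUS server certificate will happily do its EAP exchange with that rogue, so the client-side "validate server certificate" setting still matters even when the password is public.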