
[STDS-802-11-TGBH] 23/22r0 use case for OWE mode



Hi All,

Thanks for the online discussion. I would like to set up a mail thread for further discussion.

I picked up some introduction of the use case from the website and share it with the group as below:

Use case:

In the public environment, like hotels and hospitals, a captive portal has always been a necessary evil as it is considered the only way to grant access to guests while minimizing obstacles to connectivity. Hoteliers need a secure, reliable way of identifying guest devices to ensure adequate quality of service to their most loyal guests while minimizing abuse. Guests want transparent, reliable and responsive Wi-Fi connectivity that is at least equivalent to their Wi-Fi connectivity experience at home.

Until today, the hospitality industry has relied on MAC authentication via captive portal to deliver repeat Wi-Fi access to their guests. It has provided a good user experience and allowed properties to effectively monetize the guest connectivity experience.

MAC randomization has the potential to disrupt the user experience in hospitality environments. When devices no longer have a static MAC address, the network will not recognize them when they attempt to connect to the network. This is especially problematic when the guest has paid for Wi-Fi access.

The challenge for the potential solution of Passpoint deployed in public environment

Passpoint relies on several distinct components (RADIUS, Certification Authority, User Database, Profile Originator) as well as third-party services and roaming agreements working together smoothly to support network connectivity. Should there be a failure in one component, guest connectivity may fail altogether, which would increase guest complaints and impact GSS scores.

Hi Junni, Luther,

Passpoint vs. (captive portal + OWE + 11bh solution)

In summary, the deployment of Passpoint is much more complicated than traditional captive portal certification. I don’t think some public places, like Starbucks, will adopt the Passpoint solution. Most importantly, users have become accustomed to using captive portals to connect to public Wi-Fi networks. Any radical deviation from this norm could raise suspicion about their privacy and the trustworthiness of the network. Therefore, a simple upgrade solution like the captive portal + OWE + 11bh solution will be adopted to replace the current captive portal solution in these places.

Hi Junni,

In some implementations of public Wi-Fi, as mentioned in the use case, there is some payment after captive portal certification. If I’m an active attacker and steal your identifier to access the network, you will pay the bill.

Hi Graham,

The latest 802.11 SPEC provides three RSNA approaches: IEEE 802.1X authentication, described in 12.6 (RSNA security association management), SAE authentication, described in 12.4 (Authentication using a password), and OWE, described in IETF RFC 8110.

The 11bh group doesn’t need to provide the identification solution based on 1X authentication. How do you consider the other two RSNA solutions?

Do we really need to limit the usage of the Device ID approach so that it is only applied to SAE authentication (using password)? If so, IMHO, the benefit of the 11bh SPEC is very limited if we don’t provide any solution for OWE mode.

Hi Kurt,

For the returned device, the end user can decide whether or not to provide its identifier based on the opt-in operation. E.g., if the end user doesn’t want to provide its identifier, the end user has to provide its certification information via the WebUI in the captive portal for certification again.

Thanks

Best Regards

Jay Yang

 

