Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.
Hotels absolutely don’t want to provide open access to all for obvious reasons.
Although I have a “global unlimited” business SIM, I find it rarely works all that great.
Getting a local SIM is not always an option.
What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?
>Or do not offer internet access at all. People carry their own already-connected devices anyway.
Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive).
Guess they just won't provide access then. Oh, what's that? There's a reason they need to provide access? Well, too bad the IT standards people invented a way to make sure we didn't interfere!
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/password is..."?
As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/password is..."?
From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (e.g. ones with room or loyalty program members).
From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies would rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still need support for it.
>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.
If someone makes you import a CA, you have to assume they intend to eavesdrop on ssl encrypted communications. Enterprise WPA doesn't require it.
The right flavour of incompetence might get you there without bad intentions but really if you give someone the capability of eavesdropping you have to behave as if they're intending to use it.
Doesn't seem like it. For instance the WPA enterprise setup dialog has a field specifically for a CA certificate[1]. Other OSes have something similar [2]. Presumably that's only used for WPA authentication purposes rather than being added as a system CA.
Or do not offer internet access at all. People carry their own already-connected devices anyway.