by gruez 610 days ago
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
2 comments

In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication and a sign on the wall that says "wifi username/password is..."?

As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?

> In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication and a sign on the wall that says "wifi username/password is..."?

From an access control perspective, it probably doesn't matter much for a coffee shop, but it matters more for something like a hotel where you want to limit it to certain guests only (eg. ones with a room, or loyalty program members).

From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies would rather not risk it. Moreover, it's unlikely that no jurisdictions require it, so you'd still need to support it.

> As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?

No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.

> Legal cover for when a baddie uses the connection to order drugs or whatever.

.... Is this meant to be a joke?

> still required me to import a CA

It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.

> .... Is this meant to be a joke?

Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary, please present it rather than making shallow dismissals.

> It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed

It's an organization where BYOD is very common.

If someone makes you import a CA, you have to assume they intend to eavesdrop on SSL-encrypted communications. Enterprise WPA doesn't require it.

The right flavour of incompetence might get you there without bad intentions, but really, if you give someone the capability of eavesdropping, you have to behave as if they're intending to use it.

Doesn't seem like it. For instance, the WPA enterprise setup dialog has a field specifically for a CA certificate [1]. Other OSes have something similar [2]. Presumably that's only used for WPA authentication purposes rather than being added as a system CA.

[1] https://askubuntu.com/questions/1317320/how-can-i-automatica...

[2] https://documentation.meraki.com/MR/Encryption_and_Authentic...
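As an added illustration (not posted by any commenter in this thread), here are two wpa_supplicant PEAP profiles: a weak one that skips server certificate validation, beside a corrected one that validates the RADIUS server against the public CA bundle (no private CA import) and pins the expected server name. The SSID, identity, password, bundle path and server name are placeholders; the `ca_cert` setting is scoped to this EAP exchange only and adds nothing to the system trust store.

```conf
# Added example, not from the thread. Only ONE of these two network blocks
# belongs in a real wpa_supplicant.conf; both are shown for comparison.

# WEAK: no ca_cert and no name match, so the supplicant accepts whatever
# certificate the server presents. A misconfigured or impostor access point
# advertising the same SSID would receive the inner MSCHAPv2 credential exchange.
network={
    ssid="CorpWifi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"    # placeholder user
    password="hunter2"              # placeholder secret
    phase2="auth=MSCHAPV2"
}

# CORRECTED: the server certificate must chain to a CA in the OS bundle
# (a publicly trusted certificate on the RADIUS server is enough, so users
# need not import anything) and its name must match the expected host.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"   # outer identity, hides the real user
    identity="alice@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt" # distro public CA bundle (path varies)
    domain_suffix_match="radius.example.com"     # placeholder RADIUS server name
    phase2="auth=MSCHAPV2"
}
```

Replacing `domain_suffix_match` with `altsubject_match` or `subject_match` gives stricter pinning when the server certificate's exact name is known in advance.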