
Background

A friend of mine is the owner of a medium-sized gym. He wants to provide WiFi to his customers and asked me to come up with a concept and eventually also deploy it. As a computer scientist I have a thorough understanding of information security but no experience in actually deploying a system that is used by many users. Because WiFi is not mission-critical to his business, that is okay for both of us.

Rationale for WPA2 Enterprise

Our main concern here is availability: we want to make sure that the WiFi is available to the customers. With a simple captive portal we could not prevent random users from hogging the network bandwidth using MAC spoofing and disconnecting legitimate users in the process. We will make use of IEEE 802.11w to prevent users from being disconnected by some script kiddie using Kali.

My Questions

  1. I realize that most businesses like coffee shops or even big hotels deploy a simple captive portal, which is inherently insecure. I guess that is because they have to be compatible with old devices and operating systems. Since our customers will use their somewhat recent smartphones, we can safely drop this requirement. How easy is it on current smartphones to connect to a WPA2 network? Is there some kind of auto-configuration on Android (I know it's super easy on iPhone)? Should I support PEAP, EAP-TTLS or both?

  2. Are there other caveats when deploying WPA2 Enterprise instead of a captive portal in this environment that I have to be aware of?

  • re: 1. it's relatively easy to connect on Android, and supporting all of the options presented to the user makes it more fool-proof. – dandavis Jul 26 '16 at 16:59
  • 1
    One caveat would be that people can't register directly via Wi-Fi as they need the credentials before they connect. It may be acceptable for you but if not you can serve a second open network that only gives access to a registration page (over HTTPS), so people can directly register there, pay by card and get their credentials. – André Borie Jul 26 '16 at 17:05
  • @AndréBorie That is not a problem. The access is only for already paying customers. I will try to come up with a script that will sync the already existing user database with the RADIUS database. They just get a printout with their credentials when they sign up for their gym membership. – Alexander Theißen Jul 26 '16 at 18:02
  • @AlexanderTheißen don't use two databases, have the RADIUS server directly query the existing user database. – André Borie Jul 26 '16 at 18:30
  • Unfortunately they use some kind of cloud-based solution for user management. I have to investigate what is possible. But thanks for the advice. I did not realise that I can easily change the queries used to retrieve the user. – Alexander Theißen Jul 26 '16 at 18:37
  • Depending on the country you're doing this in, let the users sign a contract (e.g. when they register for the gym) to avoid legal consequences. In Germany there is/was a law called "Störerhaftung" that makes public WiFi owners liable for illegal stuff that is going on in the network. So definitely check this "non-technical" side too. – licklake Jan 19 '17 at 15:32
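The sync approach discussed in the comments above (export the members from the cloud system, feed them to the RADIUS server), as an added example that is not code from the thread. It assumes the membership system can export a CSV with the columns in the constructed sample below and that the RADIUS side is FreeRADIUS using the `files` module (the `users` file under `mods-config/files/authorize`); the column names, ids and passwords are made up. The two checks a practitioner wants are in there: usernames are restricted to a safe character set so a record cannot break out of the line syntax, and the membership end date becomes an rlm_expiration `Expiration` attribute so lapsed members are rejected without a second cleanup job.

```python
"""Render a FreeRADIUS users file from a CSV export of the gym's member list."""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export (not real data): the membership system is
# assumed to export member id, name, membership end date and the Wi-Fi
# password that is printed on the member's sign-up sheet.
SAMPLE_EXPORT = """member_id,name,membership_end,wifi_password
m1001,Alice Example,2017-12-31,ulreseF6jmSG
m1002,Bob Example,2016-09-30,"kq8;cW9w""2ZP"
bad id,Eve Example,2017-01-01,secret
"""

# User-Name values are written unquoted at the start of each users-file
# line, so restrict them to a character set that cannot be mistaken for
# attribute syntax (spaces, quotes, commas, newlines are all rejected).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def quote(value: str) -> str:
    """Quote an attribute value for the users file (backslash and " escaped)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def expiration(membership_end: date) -> str:
    """Format a date the way rlm_expiration expects, e.g. 'Jan 01 2018'.

    The value denotes the start of that day, so the day after the last paid
    day is used to keep Wi-Fi working through the whole final day.
    """
    return (membership_end + timedelta(days=1)).strftime("%b %d %Y")


def render_entry(member_id: str, password: str, membership_end: date) -> str:
    """One users-file line.

    Cleartext-Password (or NT-Password) is required because the MSCHAPv2
    exchange inside PEAP cannot be verified against a salted hash, so the
    generated file must be readable by the radiusd user only.
    """
    if not USERNAME_RE.match(member_id):
        raise ValueError(f"unsafe username: {member_id!r}")
    if "\r" in password or "\n" in password:
        raise ValueError(f"multi-line password for {member_id}")
    return (
        f"{member_id}\tCleartext-Password := {quote(password)}, "
        f"Expiration := {quote(expiration(membership_end))}\n"
    )


def render_users_file(csv_text: str):
    """Return (users_file_text, skipped_member_ids) for a CSV export."""
    lines, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            end = date.fromisoformat(row["membership_end"])
            lines.append(render_entry(row["member_id"], row["wifi_password"], end))
        except ValueError:
            # One bad record must not block the whole sync; report it instead.
            skipped.append(row["member_id"])
    return "".join(lines), skipped


if __name__ == "__main__":
    text, skipped = render_users_file(SAMPLE_EXPORT)
    print(text, end="")
    if skipped:
        print("skipped:", ", ".join(skipped))
```

Write the output over the `users` file with mode 0640 owned by the radiusd user, then send radiusd a HUP so the `files` module re-reads it. Expired members stay in the file on purpose: rlm_expiration rejects them, so the sync never has to diff against the previous run.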



You could develop a profile which contains the network key; as far as I am aware this means that the key isn't viewable by the user. This could be downloadable from the gym's website member area.

Maybe using Apple Configurator for the iOS devices?

Jake M
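The per-member profile the answer above suggests, as an added example that is not the answer's own code. It builds an iOS/macOS `.mobileconfig` (an XML plist) for a WPA2 Enterprise SSID using PEAP, with EAP-TTLS as an option, using the `com.apple.wifi.managed` and `com.apple.security.root` payload types from Apple's configuration profile reference. The SSID, RADIUS server name, organization and identifier prefix are placeholders, and the CA certificate bytes are a constructed stand-in for the real DER-encoded CA that signed the RADIUS server certificate. The part that matters for security is `TLSTrustedCertificates` plus `TLSTrustedServerNames`: without them a phone will happily hand its MSCHAPv2 response to any rogue AP that presents some certificate.

```python
"""Build a per-member iOS/macOS .mobileconfig for a WPA2 Enterprise SSID."""
import plistlib
import uuid

# Placeholders, not values from the thread.
SSID = "GymMembers"
RADIUS_SERVER_NAME = "radius.gym.example"   # name the RADIUS server cert is issued to
ORG_PREFIX = "com.example.gym"
EAP_PEAP = 25   # EAP method numbers as used by AcceptEAPTypes
EAP_TTLS = 21

# Constructed placeholder for the DER-encoded CA certificate; a real
# deployment reads the CA file from disk instead.
PLACEHOLDER_CA_DER = b"\x30\x03\x02\x01\x01"


def build_profile(username, password, ca_cert_der=PLACEHOLDER_CA_DER,
                  eap_types=(EAP_PEAP,), organization="Example Gym"):
    """Return the profile as a dict ready for plistlib."""
    ca_uuid = str(uuid.uuid4())
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.radius-ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Gym RADIUS CA",
        "PayloadContent": ca_cert_der,          # bytes serialise as <data>
    }
    eap = {
        "AcceptEAPTypes": list(eap_types),
        "UserName": username,
        "UserPassword": password,
        # The outer identity is sent before the TLS tunnel exists, so do not
        # leak the member id there.
        "OuterIdentity": "anonymous",
        # Pin the server: the client only completes the tunnel if the server
        # certificate chains to the CA payload above AND carries this name.
        "TLSTrustedCertificates": [ca_uuid],
        "TLSTrustedServerNames": [RADIUS_SERVER_NAME],
    }
    if EAP_TTLS in eap_types:
        eap["TTLSInnerAuthentication"] = "MSCHAPv2"
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.wifi",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{SSID} Wi-Fi",
        "SSID_STR": SSID,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.wifi.{username}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{organization} Wi-Fi ({username})",
        "PayloadOrganization": organization,
        "PayloadContent": [ca_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that iOS accepts as a .mobileconfig file."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(to_mobileconfig(build_profile("m1001", "ulreseF6jmSG")).decode())
```

Two caveats when serving this from the member area: the password is in the file in clear, so the download is the credential and belongs behind the member login over HTTPS; and an unsigned profile is shown as "Not Verified" on install, which you can avoid by S/MIME-signing it (`openssl smime -sign -nodetach -outform der`) with a certificate the device trusts. Android has no equivalent profile file, so those users enter the same settings (EAP method, Phase 2 MSCHAPV2, CA certificate, identity) by hand.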