The requirements for this emergency services EAP method look a lot like
a method that would be really useful for hotspots. Most hotspots
authenticate via a web portal, and perform admission control based on a
MAC address. In many deployments it's fairly easy to find the MAC
address of someone who has already authenticated, and then run "ifconfig
wlan0 hwaddr <authenticated-mac-addr>" to usurp their session without
paying for it.
Often switching to a mutually-authenticated EAP method is not viable,
because there are no enrollment capabilities, i.e. you can't sign up new
users without giving them a web GUI to type in their credit card
information. If hotspot deployers had a server-authenticated EAP method
that tied a client's MAC address to a particular set of keys, they could
then decide whether that user could access the Internet based on whether
or not they had signed in to a web portal.
This approach would go a long way toward improving security in many
wireless networks. I think it would be extremely useful in hotels,
universities, coffee shops, etc. It might be useful to think about some
requirements for these scenarios too, and kill two birds with one stone.
--
t. charles clancy, ph.d. eng.umd.edu/~tcc
electrical & computer engineering, university of maryland
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www1.ietf.org/mailman/listinfo/emu
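The following Python simulation is an added illustration of the point made in the message above; it is not code from the original post or from any IETF work. It contrasts the MAC-only admission control the message describes with a hotspot that ties the client's MAC to a per-session key obtained through a server-authenticated EAP exchange. The key derivation itself is assumed to have already happened and is replaced by a constructed random key; the challenge/HMAC proof-of-possession scheme, the class names and the MAC address are all hypothetical stand-ins chosen for the example.

```python
"""Added example: binding a hotspot session to a key rather than to a bare MAC.

Hypothetical simulation, not from the original message. It assumes a
server-authenticated EAP exchange has already delivered a per-client session
key to the access point; that derivation is stood in for by a random key.
"""
import hashlib
import hmac
import secrets


class MacOnlyHotspot:
    """Admission control as described in the message: once a MAC address has
    passed the web portal, any frame carrying that address is forwarded."""

    def __init__(self):
        self.portal_authenticated = set()

    def portal_sign_in(self, mac):
        self.portal_authenticated.add(mac)

    def may_access_internet(self, mac):
        # The address is the only credential, so whoever presents it is admitted.
        return mac in self.portal_authenticated


def client_tag(key, mac, nonce):
    """Proof of key possession bound to the claimed MAC and a fresh nonce.
    Constructed scheme: HMAC-SHA256 over mac || nonce. A real deployment would
    rely on the EAP-derived keys via 802.1X/802.11i rather than an ad hoc tag."""
    return hmac.new(key, mac.encode() + nonce, hashlib.sha256).digest()


class KeyBoundHotspot:
    """Admission control where the MAC is tied to an EAP session key; the portal
    decision and every later access check require proof of that key."""

    def __init__(self):
        self.session_keys = {}      # mac -> per-session key from EAP
        self.pending = {}           # mac -> outstanding challenge nonce
        self.portal_signed_in = set()

    def eap_complete(self, mac):
        """Simulates the end of the EAP exchange: AP and client now share a key."""
        key = secrets.token_bytes(32)  # constructed stand-in for EAP keying material
        self.session_keys[mac] = key
        return key

    def challenge(self, mac):
        """AP issues a one-shot nonce so a captured tag cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self.pending[mac] = nonce
        return nonce

    def _verify(self, mac, tag):
        key = self.session_keys.get(mac)
        nonce = self.pending.pop(mac, None)  # consume the nonce whatever the outcome
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(client_tag(key, mac, nonce), tag)

    def portal_sign_in(self, mac, tag):
        """The portal records sign-in only for a client that proves the key."""
        if self._verify(mac, tag):
            self.portal_signed_in.add(mac)
            return True
        return False

    def may_access_internet(self, mac, tag):
        return mac in self.portal_signed_in and self._verify(mac, tag)


def demo():
    """Returns (mac_only_spoof, keyed_legit, keyed_spoof, keyed_no_portal)."""
    victim = "00:11:22:33:44:55"  # constructed address

    weak = MacOnlyHotspot()
    weak.portal_sign_in(victim)
    mac_only_spoof = weak.may_access_internet(victim)  # same MAC, no key: admitted

    strong = KeyBoundHotspot()
    key = strong.eap_complete(victim)
    strong.portal_sign_in(victim, client_tag(key, victim, strong.challenge(victim)))
    keyed_legit = strong.may_access_internet(
        victim, client_tag(key, victim, strong.challenge(victim)))

    # A station presenting the same MAC without the session key fails the check.
    wrong_key = secrets.token_bytes(32)
    keyed_spoof = strong.may_access_internet(
        victim, client_tag(wrong_key, victim, strong.challenge(victim)))

    # A client with a valid key that never signed in at the portal is also denied.
    other = "66:77:88:99:aa:bb"  # constructed address
    other_key = strong.eap_complete(other)
    keyed_no_portal = strong.may_access_internet(
        other, client_tag(other_key, other, strong.challenge(other)))

    return mac_only_spoof, keyed_legit, keyed_spoof, keyed_no_portal


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False, False)
```

The point of the split is that in `KeyBoundHotspot` the portal's yes/no decision is keyed to something the address alone does not carry, which is exactly the property the message asks for: the deployer can still keep the web portal for enrollment and billing, but the address can no longer be reused by a station that did not complete the EAP exchange.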