
Re: [Captive-portals] customizing API URLs vs ???



Nicolas Mailhot <[email protected]> wrote:
    >> It probably occurs less in places like airports, hotels and
    >> enterprises where there is more local operational clue.

    > In enterprises the dhcp layer is mostly owned by desktop IT (ADs, in
    > the hands of people still struggling to come to terms with the way
    > Microsoft adopted networking and the cloud with a vengeance) while
    > access to the internal network (or from the "safe" internal network to
    > the wild internet, or from low-security visitor networks to high-
    > security internal networks) is managed by network or security teams.

I'm not sure why you are bringing up desktop IT when I mention DHCPv4.
In an enterprise captive portal use, I would expect it would be for visitors.

The APs would have a second ESSID, and this would be operated by the
network/security team. Whether they do DHCP locally or backhauled would be
their business, not desktop IT's?   Or are you saying that someone in desktop
IT would say, "WE HAVE TO DO ALL DHCP", just because silos?

    > Network/security teams will want to plop the security portal in a
    > single tightly controlled place (a datacenter, or a set of datacenters
    > for redundancy), while local/desktop IT could not care less about
    > security considerations (but then, they are not asked to care about
    > them).

    > Therefore, deep collaboration between local networking and the portal
    > is wishful thinking. The security dialog has to happen between the
    > client and the central portal, with as little constraints and smartness
    > as possible delegated to the local networking kit (ideally, just let
    > everyone talk to the portal, and let IPs/MACs/whatever requires as
    > little effort as possible to identify a system talk to other network
    > ranges, as long as they match the whitelist published by the central
    > portal for those ranges).

If the Captive Portal Enforcement Point is not on the AP itself, but in some
part of the network, then I guess the need for collaboration between wifi
people and network people is less.  Network people would simply have all the
guest traffic on some VLAN, and do nothing on the APs themselves (other than VLAN
tagging).

What is your preference: does the client API have to have the client
self-identify, or do we have to find a way to send unique URLs in IPv6 RAs?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
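The second option raised in the message above (a unique per-client URL carried in an IPv6 RA, so that the central portal can tell clients apart without the client self-identifying in the API call) is illustrated below with an added example that is not part of the thread or of any capport implementation. It assumes the RA option layout that was later standardized in RFC 8910 section 2.3 (ND option type 37, one-byte length in 8-octet units, NUL padding); the per-client URL shape (`base + "/api/" + client_id + "." + tag`), the HMAC tag and the `mint_client_url` / `verify_client_url` / `encode_ra_option` / `decode_ra_option` function names are invented here for illustration, and the MAC address and key in the usage are constructed sample input.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlsplit

# Assumption: RFC 8910 section 2.3 layout for the IPv6 RA Captive-Portal
# option.  The thread itself predates that RFC; the format is used here
# only to make "unique URLs in IPv6 RAs" concrete.
ND_OPT_CAPTIVE_PORTAL = 37
MAX_URI_LEN = 255 * 8 - 2   # one-byte length field counts 8-octet units


def mint_client_url(base_url: str, client_id: str, key: bytes) -> str:
    """Portal side (hypothetical format): one API URL per client.

    client_id is whatever the enforcement point can attribute the RA to
    (a MAC address string in the sample usage).  The HMAC tag lets the
    central portal later check, with no state on the local network kit,
    that a URL presented to it is one it issued for that client.
    """
    tag = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{base_url.rstrip('/')}/api/{client_id}.{tag}"


def verify_client_url(url: str, key: bytes) -> Optional[str]:
    """Portal side: recover the client id from a minted URL.
    Returns None if the tag does not verify (tampered or foreign URL)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    client_id, tag = last.rsplit(".", 1)
    expected = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return client_id


def encode_ra_option(uri: str) -> bytes:
    """Router side: build the ND Captive-Portal option carrying uri."""
    data = uri.encode("utf-8")
    if b"\x00" in data:
        raise ValueError("URI must not contain NUL")
    if len(data) > MAX_URI_LEN:
        raise ValueError("URI too long for a one-byte length field")
    total = 2 + len(data)
    padded = (total + 7) // 8 * 8          # pad with NUL to 8-octet boundary
    return (bytes([ND_OPT_CAPTIVE_PORTAL, padded // 8])
            + data + b"\x00" * (padded - total))


def decode_ra_option(opt: bytes) -> str:
    """Client side: parse one ND option and return the URI.
    Rejects wrong type, zero length (invalid per RFC 4861), and a length
    field that does not match the bytes actually received."""
    if len(opt) < 2:
        raise ValueError("short option")
    opt_type, opt_len = opt[0], opt[1]
    if opt_type != ND_OPT_CAPTIVE_PORTAL:
        raise ValueError("not a Captive-Portal option")
    if opt_len == 0:
        raise ValueError("zero-length option")
    if len(opt) != opt_len * 8:
        raise ValueError("length field does not match option size")
    return opt[2:].rstrip(b"\x00").decode("utf-8")


def round_trip(base_url: str, client_id: str, key: bytes) -> Optional[str]:
    """Portal mints a URL, the router carries it in an RA option, the client
    decodes it and presents it to the portal, which identifies the client
    from the URL alone (no self-identification in the API call)."""
    url = mint_client_url(base_url, client_id, key)
    opt = encode_ra_option(url)
    received = decode_ra_option(opt)
    return verify_client_url(received, key)


if __name__ == "__main__":
    # Constructed sample input: a guest MAC and a portal-side key.
    key = b"portal-signing-key-sample"
    print(round_trip("https://portal.example.net", "aa:bb:cc:dd:ee:ff", key))
```

The point of the tag is the one the quoted message makes: the dialog is between the client and the central portal, and the local kit only has to forward the URL it was given. The verifying side should still treat a valid tag as proof that the URL was minted for that identifier, not as proof that the device sending the API request is the one the RA was addressed to; that binding depends on how the enforcement point scopes the RA.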

