Yes, Hotspot 2.0 is the Future of Secure Guest Wi-Fi

Since first blogging about Hotspot 2.0 and its application to typical enterprise WLAN guest networks I’ve learned quite a bit more thanks to several helpful tweets from Dave Wright of Ruckus Wireless. Although the large majority of the focus of Hotspot 2.0 still seems to be on integration with cellular carriers for AAA services and all the complexity and exclusivity that entails, there are provisions for simpler, anonymous, and secure Hotspot 2.0 guest networks that are much closer to what the typical enterprise WLAN operator will actually deploy. As I’ve said before, authentication is not a priority for most WLAN operators on their guest network, but encryption certainly is.

Is it the holy grail of guest Wi-Fi? Maybe, but more on that after we look at the Wi-Fi Alliance Passpoint (Release 2) Deployment Guidelines. In all 61 pages of the document, there are these few paragraphs devoted to what I predict to be the most common use of Hotspot 2.0.

12. Free Public Hotspot 2.0-Based Hotspots 

Hotspot Operators may provide Hotspot 2.0-based free, public, hotspot service. In this particular service, Hotspot Operators have the need to ensure hotspot users have accepted the terms and conditions governing their hotspot’s use, but are not interested in knowing (or do not wish to know/track) any particular user’s identity. This functionality is provided by Hotspot 2.0 Release 2 infrastructure. The Hotspot Operator configures their infrastructure as follows:

  1. The user in a Free Public Hotspot initiates the online sign-up registration process with the Free Public Hotspot’s OSU server.
  2. During the registration exchange, the OSU server presents the terms and conditions to the user.
  3. If the user accepts the terms and conditions, the OSU server issues a credential; if the user refuses, no credential is provisioned. Note that the same credential is issued to all users which have accepted the terms and conditions; therefore, the Hotspot Operator cannot track the identity of an individual user during the Hotspot 2.0 Access state (see section 6).
  4. When the user/mobile device returns to the same Free Public Hotspot, the previously provisioned credentials are used to provide secure, automatic access. The mobile device authenticates using EAP-TTLS, which provides for the generation of unique cryptographic keying material even though users share a common password.

If the terms and conditions change, then the user is taken through a subscription remediation process during which the new terms and conditions are presented. If the user accepts the changed terms and conditions, then a new credential is provisioned.

There you have it. Hotspot 2.0 does provide for anonymous and secure guest networks. In short, 802.1X/EAP authentication is accomplished with EAP-TTLS through a common credential that is issued after the signup process. In fact, this has already been deployed by the cities of San Jose and San Francisco. To get an idea of how it works from a user’s perspective, check out the directions here.
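Step 4 of the quoted procedure is the security-relevant point: the shared password is only used inside the TLS tunnel, while the keys that protect the air link come from the TLS handshake itself. The following Python model is an added example (not code from the Passpoint guidelines, Ruckus, or this blog) that shows this with the real EAP-TTLS derivation from RFC 5281 section 8 on top of the TLS 1.2 PRF. It assumes a constructed shared credential, replaces the TLS transport and the inner MS-CHAPv2/PAP exchange with a local stand-in, and generates the pre-master secret as random bytes the way RSA key exchange does; everything else (labels, lengths, the PMK being the first 256 bits of the MSK) follows the standards.

```python
import hmac
import hashlib
import os

# Shared "free public hotspot" credential: every user who accepted the terms
# receives the same username/password (constructed placeholder values).
SHARED_USERNAME = "guest"
SHARED_PASSWORD = b"accepted-the-terms"


def tls_prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    a = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # P_hash block
    return out[:length]


def ttls_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes):
    """Derive PMK/MSK/EMSK as EAP-TTLS does (RFC 5281, section 8).

    Only TLS handshake values go in; the user's password is not an input,
    which is why a password shared by every guest still gives per-session keys.
    """
    randoms = client_random + server_random
    master_secret = tls_prf_sha256(pre_master_secret, b"master secret", randoms, 48)
    km = tls_prf_sha256(master_secret, b"ttls keying material", randoms, 128)
    msk, emsk = km[:64], km[64:]
    pmk = msk[:32]  # 802.11 uses the first 256 bits of the MSK as the PMK
    return pmk, msk, emsk


def inner_auth_ok(username: str, password: bytes) -> bool:
    """Simplified stand-in for the tunnelled inner method (assumption: real
    deployments run MS-CHAPv2 or PAP inside the TLS tunnel instead)."""
    return username == SHARED_USERNAME and hmac.compare_digest(password, SHARED_PASSWORD)


def run_session(username: str, password: bytes, rng=os.urandom):
    """Simulate one EAP-TTLS association and return the resulting PMK, or None.

    rng is injectable so the handshake randoms can be fixed in a test; in a
    real handshake they come from the TLS stacks on both ends.
    """
    client_random = rng(32)
    server_random = rng(32)
    pre_master_secret = rng(48)  # RSA key exchange: client-generated, sent encrypted
    if not inner_auth_ok(username, password):
        return None              # no accepted credential -> no PMK, no 4-way handshake
    pmk, _msk, _emsk = ttls_keys(pre_master_secret, client_random, server_random)
    return pmk


def pmks_are_unique(n: int = 5) -> bool:
    """n devices all presenting the one shared credential get n distinct PMKs."""
    pmks = {run_session(SHARED_USERNAME, SHARED_PASSWORD) for _ in range(n)}
    return None not in pmks and len(pmks) == n


if __name__ == "__main__":
    print("distinct PMKs for 5 sessions sharing one password:", pmks_are_unique())
    print("wrong password still gets a PMK:",
          run_session(SHARED_USERNAME, b"wrong") is not None)
```

The practical consequence for a defender is that the shared password buys admission, not confidentiality: the per-session PMK, and therefore the pairwise keys from the 4-way handshake, cannot be reconstructed from the password alone, which is what separates this from a WPA2-Personal guest SSID with a published passphrase. The server certificate still has to be validated by the client, since the TLS handshake is what the keys hang off.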

Yes, you can do this all without Hotspot 2.0 in a less elegant way: Add a notice to your guest network captive portal that users can log in to the secure network with a specific generic credential, and even a link to download a .mobileconfig profile for iOS and Mac OS users. However, the user experience won’t be standardized like it is with an OSU server, and non-Apple users will have to manually configure a connection to the 802.1X network, including adding a cert to their trusted roots. Not good UX. And definitely not fast, free, and easy.

The bad news: With Hotspot 2.0, the guest network captive portal is here to stay.

The good news: Users only have to wrestle with the captive portal once (unless the client credential is changed). And perhaps the technology behind the portal is more mobile client-friendly than today’s captive portals. Hopefully an HS2 client sees the OSU server being advertised by ANQP and immediately presents a notification to the user. If the user doesn’t play ball, the client should disconnect and the SSID should not be saved as a preferred SSID.

The great news: This is a lower-friction way to get secure Wi-Fi to guests.

Is this the holy grail? That depends on what you think that is. To me, the barrier to entry is low enough that I think this is a win for guest Wi-Fi.

Another wrinkle: The Hotspot 2.0 802.1X network can still be configured to automatically connect guests from known realms. That means that you could add eduroam and the coming anyroam realms to the SSID to onboard users from those participating organizations securely and automatically. And yes, no captive web portal either. So if the opportunities to integrate with AAA clearinghouses grow (exist at all?), the number of users subjected to the captive portal shrinks.

I’m sure there are concerns regarding the possibility of new SSIDs. Luckily, a legacy open guest network can serve Hotspot 2.0-incompatible clients while also delivering the Online Sign Up portal to compatible clients. That means no new SSIDs.

For the visual learners among us, your typical enterprise WLAN might look like this now:

Figure: A typical enterprise WLAN

To support secure Hotspot 2.0 guest clients, it might look like this in the future:

Figure: A Hotspot 2.0-enabled enterprise WLAN

I’m looking forward to seeing gear get updated to support Hotspot 2.0 Rev 2 so we can see this in the wild. Ruckus is doing a great job banging the drum for Hotspot 2.0, but other vendors seem to be further behind. Client support is not great (come on, Android), but Apple has supported it since iOS 7, so here’s hoping that will drive others to follow suit.

K-12 Needs eduroam Too

As eduroam sweeps across higher education in the United States, I think it’s worth considering its place in K-12 as well. After all, every university and college that joins eduroam is within the boundaries of a K-12 school district, and a longstanding relationship is likely to exist between those institutions.

Where I work, we have Miami University within our district boundaries. Miami has a highly regarded education program and dozens of Miami students student teach at our schools every day. Miami faculty and staff send their kids to our schools, they volunteer here, and they regularly attend school functions. We maintain a formal partnership with the university.

Our teachers and staff take classes at Miami, teach classes, send their kids there, and attend events at Miami. Some of our high school students attend post-secondary classes there as well. In other words, there is a regular flow of visitors back and forth between the institutions.

Because Miami is an eduroam member, it made perfect sense for us to join too. Visitors from our district could gain automatic and secure Wi-Fi access at Miami, and visitors from Miami could have the same at our district. That’s why I pushed to deploy eduroam at my district, making us the first K-12 institution to join eduroam in the United States.

But what about K-12 schools that don’t have higher education institutions nearby? I think there is still a case to be made for eduroam for these districts too.

Quoting the eduroam US FAQ:

Our institution already has great guest Wi-Fi, why do I need eduroam?

eduroam is not a replacement to your guest network, it is a complement to make your guest network and your community compatible with other eduroam participants.

Enabling eduroam on your campus provides four main features:

  1. it allows your campus to welcome eduroam enabled visitors in a strongly authenticated way (the strong authentication also provides a way to authorize users to different resources)

  2. it allows your own users to travel to eduroam enabled locations around the world (some places only have eduroam as a guest Wi-Fi)

  3. it saves provisioning time to your institution and to the visitors since authentication is automatic and access is immediate

  4. it improves security since your visitors use a standard protocol (WPA2-enterprise, 802.1X) that encrypts traffic between their devices and the Wi-Fi infrastructure

Doesn’t all of this apply to K-12 as well?

I think it does. K-12 school districts aren’t isolated islands. Teachers attend professional development at neighboring districts, students travel for field trips and athletic events, teachers and leadership attend meetings at local education service centers. Some even share employees who split their time between multiple districts. There is a lot of educational roaming occurring within today’s K-12 community.

WLAN Vendors: The NBASE-T Ball is in Your Court

I’m going to echo the position of Marcus Burton, Lee Badman, and Andrew von Nagy. Despite the marketing push, there really is no need for a > 1 Gbps link to an 802.11ac Wave 2 AP. Not at the access layer at least.

This Wi-Fi gauge goes up to 6.8 Gbps, so that means we need a 10 gig port for every AP, right?

Back to reality: 802.11ac Wave 2 is roughly 7 Gbps max with 8 spatial streams and 160 MHz channel bandwidth, but most will use 4 spatial streams at most, cutting that in half. If you’re lucky you’ll use 40 MHz wide channels, cutting that four-fold. Then take off another 40% for layer 2 overhead and you get roughly 500 Mbps at half duplex on the wire. Maybe a gigabit with 80 MHz channel width and absolutely ideal conditions that don’t exist outside of the lab.
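To make that estimate reproducible, here is an added Python example (my own, not from the post or any vendor) that carries the same arithmetic through using the 802.11ac PHY rate formula (N_ss × N_SD × N_BPSCS × R / T_SYM) instead of halving and quartering by hand, so it can be rerun for any stream count, channel width and MCS. The 40% layer 2 overhead figure is the author's rule of thumb and is kept as an adjustable parameter; the "needs more than a gigabit" test at the end is an assumption about what counts as a multigigabit case.

```python
# 802.11ac (VHT) PHY rate = N_ss * N_SD * N_BPSCS * R / T_SYM  (bits per microsecond = Mbps)
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}  # N_SD per channel width in MHz

# VHT MCS index -> (coded bits per subcarrier per stream, coding rate R)
VHT_MCS = {
    0: (1, 1 / 2), 1: (2, 1 / 2), 2: (2, 3 / 4), 3: (4, 1 / 2), 4: (4, 3 / 4),
    5: (6, 2 / 3), 6: (6, 3 / 4), 7: (6, 5 / 6), 8: (8, 3 / 4), 9: (8, 5 / 6),
}


def phy_rate_mbps(streams: int, width_mhz: int, mcs: int = 9, short_gi: bool = True) -> float:
    """Peak VHT PHY rate. Note: the standard does not define every combination
    (e.g. MCS 9 at 20 MHz exists only for 3 and 6 streams); this does not check that."""
    bits, rate = VHT_MCS[mcs]
    t_sym_us = 3.2 + (0.4 if short_gi else 0.8)  # OFDM symbol plus short/long guard interval
    return streams * DATA_SUBCARRIERS[width_mhz] * bits * rate / t_sym_us


def wire_load_mbps(streams: int, width_mhz: int, mcs: int = 9,
                   short_gi: bool = True, overhead: float = 0.40) -> float:
    """Traffic the AP's Ethernet port could see after the author's 40% L2 overhead haircut."""
    return phy_rate_mbps(streams, width_mhz, mcs, short_gi) * (1 - overhead)


def needs_multigig(streams: int, width_mhz: int, mcs: int = 9, short_gi: bool = True) -> bool:
    """Assumption: only a sustained wire load above 1000 Mbps would justify an NBASE-T uplink."""
    return wire_load_mbps(streams, width_mhz, mcs, short_gi) > 1000.0


def scenarios():
    """The three cases from the post: spec-sheet max, the realistic case, the 'lucky' case."""
    return [
        ("8 SS / 160 MHz (spec-sheet max)", phy_rate_mbps(8, 160), wire_load_mbps(8, 160)),
        ("4 SS / 40 MHz (typical)",         phy_rate_mbps(4, 40),  wire_load_mbps(4, 40)),
        ("4 SS / 80 MHz (ideal lab)",       phy_rate_mbps(4, 80),  wire_load_mbps(4, 80)),
    ]


if __name__ == "__main__":
    for name, phy, wire in scenarios():
        print(f"{name:36s} PHY {phy:7.0f} Mbps  wire {wire:7.0f} Mbps  "
              f"multigig? {needs_multigig and wire > 1000.0}")
```

Run as-is it reproduces the post's numbers: 6933 Mbps at 8 streams and 160 MHz, 800 Mbps PHY and 480 Mbps on the wire at 4 streams and 40 MHz, and 1733 Mbps PHY (about 1040 Mbps on the wire) at 4 streams and 80 MHz, which is the "maybe a gigabit" case. Only that last, ideal-conditions row crosses 1 Gbps.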

Even if you have room for 160 MHz wide channels, which might be possible if the FCC expands 5 GHz unlicensed spectrum and client adapters are then updated to support those new channels, what is it that clients are using that calls for > 1 Gbps of throughput? Remember that Wi-Fi is an access-layer technology. What applications are you supporting today or anytime in the foreseeable future that call for > 1 Gbps to a small group of clients?

Probably nothing coming over a WAN link. That leaves LAN applications. The list of potential applications provided by the NBASE-T Alliance doesn’t establish the need very well. Security cameras and signage systems?

It’s hard to think of many scenarios where it will be necessary to provide > 1 Gbps of throughput at the access layer. I can’t think of any of those that wouldn’t be better served by a wired solution.

Point-to-point Wi-Fi links in the distribution layer could benefit from NBASE-T, but how short must those links be to support 256-QAM, and are 8 spatial streams really possible outdoors with limited multipath? I don’t know the answers to those questions, but I don’t imagine that many locations exist that need > 1 Gbps of throughput that haven’t already provided that with fiber. We’re talking serious edge cases here, not typical enterprise Wi-Fi.

In any event, despite the hype, it will be a long time before the need for > 1 Gbps switchports extends outside of the network core and distribution layers.

WLAN vendors have an important decision to make here. Because 802.11ac appears to be the major justification for NBASE-T switches, I imagine they are under a lot of pressure right now. To get real interest in these new NBASE-T switches, APs will have to be built with NBASE-T interfaces that use the faster speeds. I assume that those interfaces will be more expensive than standard gigabit interfaces. Given that NBASE-T supports 10 Gbps, I bet they will be a whole lot more expensive than the gigabit interfaces used today. Just a guess though. Time will tell what this stuff really costs.

Will WLAN vendors become accessories to this marketing crime and include these potentially expensive interfaces in their Wave 2 APs? Aruba and Ruckus recently joined Cisco in the NBASE-T Alliance. We’ll have to wait and see their plans for the technology.

I hope that 802.11ac Wave 2 enterprise APs are still made with standard gigabit interfaces. Specialty APs like those used in point-to-point links could benefit from multigigabit interfaces, but the APs that are sold by the dozens for typical enterprise purposes do not. The added cost of an underutilized NBASE-T interface is not justified by real world needs.

Perhaps the usual product cycle will repeat itself. The first Wave 2 APs will have the highest end hardware and NBASE-T interfaces. Then the mid- and low-range APs that follow and actually get sold will have gigabit interfaces.

Whatever the case, it’s going to be interesting to see how the marketing hype about 802.11ac Wave 2 evolves as more people get clued in to its real world performance.