[Captive-portals] Questions about PvD/API

Subject: [Captive-portals] Questions about PvD/API

Date: Wed, 2 Aug 2017 10:36:06 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/8mvHe0_M2Np8kvZ-dcRM3i-qMhQ>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=tqlQMBMe60c2AkvwJ6vUu/rD2aTdcErzHb3A0kPksdU=; b=d44q3gWfNnpR/vNzHOXE5H0fdblECmUJdqbfWjEMDUEdZhUfzmO+Da8KTBM8n8Fjd/ FZjgJeTu78De27ailqVudK0szOwXDlu8ZCoPM7mMriAzG4ofDy1BnLDlqoG8woBV3ei8 WPYq6757GthfiyjcKDNf2GWV5V7EKBorE8qbTivvuy63xbLPq8jyN+5nfihebYLRDKtK n3z4AQ7zKEx9mjuztNhwGlzb46O8umqWUFLPamQi/PmlSqF2q8lC5ADcDR8bZ42KdWMR V/s9Wid2et6a8LBAAu9Ofys7vG1+5fFaVxk8Eg3JRxYfHpfMHdbYam1qryx0RAjwpF9m 56PA==

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

Could an author of PvD help me understand the following questions for each of the diagrams below I found on the Internet -- which represent some typical hotspot configurations out there...

- Where would the API reside?

- Who 'owns' the API?

- How does the API keep in-sync with the NAS? Who's responsible for that (possibly multi-vendor, multi-AAA) integration?

1) Typical Hotspot service company outsourcing: http://cloudessa.com/wp-content/uploads/2013/08/shema-CaptivePortalSolution_beta2b.png

2) Same as above, except venue owns portal: http://cloudessa.com/wp-content/uploads/2013/07/solutions_hotspots-co-working-cloudessa_2p1.png

3) Now consider the above, but the venue has more roaming partners and multi-realm RADIUS setup in their Cisco NAS: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html describes many options -- including separate MAC authentication sources, optional portals for 802.1x (RADIUS) authenticated users, and so much more...

"Cisco ISE supports internal and external identity sources. Both sources can be used as an authentication source for sponsor-user and guest-user authentication."

Also note this interesting article: the section Information About Captive Bypassing and how it describes how to avoid Apple captive portal detection!!! "If no response is received, then the Internet access is assumed to be blocked by the captive portal and Apple’s Captive Network Assistant (CNA) auto-launches the pseudo-browser to request portal login in a controlled window. The CNA may break when redirecting to an ISE captive portal. The controller prevents this pseudo-browser from popping up."