On 06/06/2014 02:06 AM, Gaudenz Steinlin wrote: > Benjamin Kerensa <bkerensa@gmail.com> writes: > >>>> - they will not allow us to set up unauthenticated bridged wifi to their >>>> wired network since this exposes campus services to the outside world. >>> >>> What does "unauthenticated" mean here? Are APs with a shared WPA passphrase >>> sufficient? (This is what we've used in the past for DebConf.) If they're >>> going to allow us to run our own switches, I don't see any significant >>> difference between this, and WPA-PSK-secured wifi. OTOH, if we have to >>> accept a captive portal on the wifi, I'm not sure that's a blocker (even if >>> it doesn't make sense to me) as long as we have wired ports available. >>> >>>> Do we _need_ to not have a captive portal on the wifi? If so, why? >>> >>> TTBOMK no, but don't take my word as authoritative. >> >> One thing to consider is their captive portal authentication can takes >> several minutes in the best circumstances. Last time I used their >> captive portal it took about ten minutes to receive the verification >> code. > > How does this captive portal work exactly? What kind of verification > code is needed. Of all the restrictions I think the captive portal is > the most problematic. But it depends on how exactly this portal works. > If it's setup in a way that all participants can use it without giving > away excessive private information and if it works reliably (ie does not > cut active connections after some time like many of these portals do), > then it might be acceptable. > > If the verification code is sent by SMS I think this is not acceptable. > If not for privacy reasons for the simple reason that it might not work > with international phones. If it just needs email verification this > might be acceptable at least if it also works with throw away addresses. > > The other points are less of a problem IMO at least if the network > provided is done well. In this case I agree with Gunnar that it's > actually an advantage that we don't have to care about it. The portal requires redirection to a web page where you type in your name, agree not to do bad things on their network, and then choose whether you'd like the code via SMS or email. If you opt for email, then it give you a window of 10 minutes during which at least a few ports (I'm not sure which all) are open and DNS works; I've been able to check my email over IMAPS from my mail client of choice. After that, the connectivity seems fine, although it wasn't particularly speedy during the summit hacking meeting. I'd say that a mirror is a must. For the on-site meetings at PSU, I have tried both and not had any real problems (but I know others have). I haven't had problems with the lag - I normally get my authorization by the time I check for it. I certainly agree that it's not ideal, but I think the concerns about device density to be concerning. Hopefully PSU has some hard data about what they can handle in this regard. tony
Attachment:
signature.asc
Description: OpenPGP digital signature