Internet access isn’t a luxury; it’s a necessity. It’s how people find work, get an education, interact with their government. That’s one of the reasons why cities are investing in public Wi-Fi networks. Dozens of cities have already done so to help everyone from under-served citizens to tourists.
But providing Wi-Fi isn’t as simple as turning on a hotspot. How you let people connect affects your network’s security and usability, and failing to take certain precautions could even put you afoul of certain federal regulations. Below, you’ll find a valuable primer from Council Lead Partner Ruckus Wireless, which explains the ins and outs of various Wi-Fi connection options. — Kevin Ebi
By Ruckus Wireless
Today’s Wi-Fi user experience is familiar to millions of end users worldwide. In most cases, though, it requires end users to self-select an SSID and go through a captive portal before getting connected. This extra step of self-selecting and then going through a captive portal can reduce Wi-Fi usage and the value of the Wi-Fi network. To provide the best user experience, it’s imperative to understand the tradeoffs between the different authentication options. Below is a recap of the various authentication options and some of their benefits and drawbacks.
- Open Network: In an open network, the Wi-Fi is configured with one or more open, unsecured SSIDs. Any end user can simply connect to the SSID and have full network access. While this is a low-cost, easy-to-deploy solution, it has several drawbacks. Most importantly, the city has no idea who is on its network, which is illegal in some countries. In addition, open networks do not encrypt end-user traffic, so they are less secure. This is the simplest but least secure option.
- Captive Portal Authentication: This is another form of open network, except that the city or network operator requires some form of end-user authentication. This could be a social network identity (e.g., Facebook), a credit card or some other form of authentication. Authenticating can be useful for knowing who is on the network for marketing or outreach campaigns. However, authentication does not provide encryption, so it is one step better than an open network but still lacks end-user security.
- 802.1X: 802.1X adds a layer of security that authenticates the end user and establishes a tunnel from the end user to the wireless access point. The end user must authenticate before being allowed any network access. Traffic from each end user can be directed to specific VLANs based on user- or group-specific policies. 802.1X is a proven and widely deployed solution, but it can require additional infrastructure and is more complex for the end user and for network management.
- PKI Certificates: PKI (Public Key Infrastructure) certificates are the gold standard for network security and provide a fully automated and secure connection. Industry-standard X.509 PKI certificates uniquely identify end users and devices. Solutions such as the Ruckus CloudPath Enrollment System use PKI certificates to authenticate devices, with automatic network reconnection in the future. In addition, network managers can control access privileges and the duration of the certificate using back-end policy management tools. PKI certificate authentication provides a great user experience with a high level of security.
- Hotspot 2.0: This is an industry-standard approach that promises to make Wi-Fi roaming seamless, like today’s mobile phone roaming. It leverages the benefits of the PKI certificate model but adds seamless Wi-Fi roaming across participating networks. Hotspot 2.0 focuses on enabling back-end roaming relationships so that a known end user can connect automatically on new networks with approved terms of service. Hotspot 2.0 combines the best user experience and the highest security in one authentication model.
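To make the tradeoffs above concrete, here is an added hostapd configuration (not from the article or from Ruckus) that puts an open SSID beside an 802.1X/EAP-TLS SSID carrying Hotspot 2.0 on one access point. The interface names, SSIDs, RADIUS address, shared secret, roaming consortium OI, realm and file paths are hypothetical placeholders, and it assumes a separate RADIUS server that validates the X.509 client certificates and returns the VLAN attribute.

```ini
# Added example, not from the article or Ruckus: hostapd.conf with two BSSes
# on one radio, an open SSID next to an 802.1X/EAP-TLS SSID with Hotspot 2.0.
# Interface names, SSIDs, RADIUS address/secret, OI, realm and paths are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- "Open Network": no authentication, no encryption ---
# Without a wpa= line, traffic is sent in the clear and no user is identified.
ssid=City-WiFi-Open

# --- "802.1X" + "PKI Certificates": WPA2-Enterprise with EAP-TLS ---
# A second BSS on the same radio; every line below applies to it.
bss=wlan0_1
ssid=City-WiFi-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# The RADIUS server validates the client's X.509 certificate (EAP-TLS) and
# may return a Tunnel-Private-Group-ID to steer that user onto a VLAN.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
# Honour the VLAN returned by RADIUS (user- or group-specific policy).
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan

# --- "Hotspot 2.0": advertise Passpoint on the secure BSS ---
interworking=1
hs20=1
# 802.11u access network type 3 = free public network
access_network_type=3
internet=1
# Venue group 7 / type 1 = outdoor, municipal mesh network
venue_group=7
venue_type=1
# Placeholder roaming consortium OI; real OIs come from the roaming partners.
roaming_consortium=112233
# Advertise that realm example.org accepts EAP-TLS (method 13) with certificate credentials.
nai_realm=0,example.org,13[5:6]
hs20_oper_friendly_name=eng:Example City Wi-Fi
```

The captive-portal option is not modelled here because it lives in a separate portal or controller rather than in the access point's authentication settings.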
Cities and operators have multiple Wi-Fi authentication options to choose from. They need to understand the tradeoffs and choose the one that best meets their needs.