Dual stack hotspot/captive portal
Tim Chown
tjc at ecs.soton.ac.uk
Thu Feb 24 12:24:34 CET 2011
On 24 Feb 2011, at 05:12, Christian Kuhtz wrote:
>
> If you want last mile protection, nothing other than 802.1x or IPSEC tunnel to start encryption will do. And maybe Hotspot 2.0 will make that more palatable in the not too distant future. That is at least what you can probably expect from the carrier community on this point -- and another topic altogether that has nothing to do with IPv6.
Well, eduroam is working at hundreds of sites now using 802.1X; indeed you can't use captive portals to be part of eduroam. The support in Windows, Mac OS X and other platforms for the supplicant has improved a lot of late, as has support for the better encryption standards. May not be as applicable to some scenarios where web redirect is currently used, but it's a lot more viable than it was 3 or 4 years ago. And the IPv6 win is that 802.1X is agnostic to IP version. You don't have to use a web app first to authenticate, and you don't assign (waste) IPs on devices that can't authenticate.
One of the issues with DHCPv6 is its default use of DUID which can make pre-provisioned linking of DHCP address to MAC address trickier. I believe you can instead use a DUID variant based on MAC address rather than the DUID that's randomly generated. Would be interested in any experiences others have had in that, though it's getting a bit off topic :)
Tim
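
Added example, not part of the original message: a sketch of recovering the embedded link-layer address from a DHCPv6 DUID so a lease can be checked against a pre-provisioned MAC address. It assumes the RFC 3315 DUID layouts (type 1 DUID-LLT, type 2 DUID-EN, type 3 DUID-LL) plus RFC 6355 DUID-UUID; the function names and sample DUIDs are constructed for illustration.

```python
import struct
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA ARP hardware type for Ethernet


def _clean(hexstr: str) -> bytes:
    """Accept hex with or without ':' / '-' separators."""
    return bytes.fromhex(hexstr.replace(":", "").replace("-", ""))


def mac_from_duid(hex_duid: str) -> Optional[str]:
    """Return the Ethernet MAC embedded in a DUID-LLT or DUID-LL, else None.

    The address is the one the client used when it generated the DUID,
    which need not be the interface that sent the request, so treat a
    match as a hint and not as proof of identity.
    """
    raw = _clean(hex_duid)
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LLT:
        offset = 8   # type(2) + hardware type(2) + time(4)
    elif dtype == DUID_LL:
        offset = 4   # type(2) + hardware type(2)
    else:
        return None  # DUID-EN, DUID-UUID or unknown: no link-layer address
    if len(raw) < offset:
        raise ValueError("truncated DUID")
    (hw_type,) = struct.unpack("!H", raw[2:4])
    lladdr = raw[offset:]
    if hw_type != HW_ETHERNET or len(lladdr) != 6:
        return None
    return ":".join(f"{b:02x}" for b in lladdr)


def lease_matches_mac(hex_duid: str, provisioned_mac: str) -> bool:
    """True only if the DUID carries exactly the pre-provisioned MAC."""
    mac = mac_from_duid(hex_duid)
    return mac is not None and _clean(mac) == _clean(provisioned_mac)


if __name__ == "__main__":
    # Constructed sample DUIDs: LLT, LL and enterprise-number variants.
    for d in ("00:01:00:01:14:f5:3b:2a:00:11:22:33:44:55",
              "00:03:00:01:00:11:22:33:44:55",
              "00:02:00:00:00:09:de:ad:be:ef"):
        print(d, "->", mac_from_duid(d))
```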