[c-nsp] iphone, Cisco AP/WLC & web-auth

Jared Mauch jared at puck.nether.net
Tue Aug 7 17:58:03 EDT 2007


On Sat, Aug 04, 2007 at 04:20:13AM +0200, Joerg Mayer wrote:
> On Fri, Aug 03, 2007 at 02:56:14PM -0400, Jared Mauch wrote:
> > This sounds like an excuse for poor design on ciscos part. I have seen  
> > numerous "web" portal auth systems for hotels, conferences and other  
> > venues. When my laptop goes to sleep or needs to re auth I may get a  
> > brief web redirect but other activity such as ssh and IMAP do not get  
> > blocked. I would hope that folks start tuning their networks to not  
> > annoy those PDA and iPhone users just to save a small bit of state  
> > memory or disk space.
> 
> I'm not sure I can follow you here. When a wireless device goes to sleep
> it can do so only if the AP allows it to do so. It is also required to
> wake up every so often to pick up its traffic. The AP tells the device
> how often (how many beacon intervals) that will be. If the device wakes
> up late, then it will lose (miss) the data. And the behaviour of the
> AP looks perfectly OK to me because the AP will delay not only sending
> the unicast traffic destined to that device but also all multicast/
> broadcast traffic. So, figuratively speaking think of a school bus:
> If the driver would wait for people who overslept then everyone would
> be late.


        I think you are missing what I'm attempting to say :)

        When any device (be it iPhone, laptop, etc.) goes away from
the wireless network for whatever reason (power save, turned off, etc.),
if it returns within a period of time (e.g., most hotels purge their authentication
at noon) the host can continue to have access to the network.  It sounds like
there is a problem with a lot of folks' networks when handling stations
that are in this state.  Some places redirect web briefly to say "welcome
back", and then pass along the original URL, while still allowing ssh,
imap, imaps, smtp-submit (587) without punting to some lame "the http is
the internet, right?" access page.  If I'm on a campus and have authenticated
with their wireless, and move rooms or buildings (while sleeping my laptop
between) it should not block my access for a "reasonable" amount of time.

	What that amount of time is, I think, may be up for debate.  Should it
be 5 minutes?  An hour?  6 hours?  Honestly, I think punting someone after
1-2 hours of "idle" time would be reasonable.

	Now, take the iPhone as an example.  It's not a pr0n^WWeb Browser.
You can set it to pop/imap your mail automatically once an hour to
periodically download your latest mails.  When it "wakes up" to update the
mail, it will try the 802.11 network before EDGE (GPRS).  If
the network is lame and forgets the user after this "short" time period,
that is a design flaw, and either the network admin's fault, or the vendor's for
allowing them to set it so low.

	There are a number of networks that are poorly configured like this
and block valid activity like smtp-submit, imaps, etc. because honestly
they're ignorant fools. :)

	If you've got a short timeout, you may need to fix it to solve issues
for these "roaming" users who are using legit protocols, and as always, the
"Web" is not the Internet.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
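Added example (not part of the list post, and not Cisco's web-auth code): a constructed toy model of a web-auth session table with an idle timeout, so an operator can see how the timeout interacts with a client that sleeps and wakes hourly to poll IMAPS without opening a browser, as the message describes. The class name WebAuthTable, the helper simulate() and the MAC string are assumptions made for the illustration; the model also lets you try any timeout/poll-interval pair, not just the hourly case in the post.

```python
# Constructed model of captive-portal (web-auth) session state with an idle
# timeout. Assumption: a station stays authenticated as long as it sends any
# traffic at least once per idle_timeout minutes; after that, only HTTP can
# reach the portal (redirect) and every other protocol is dropped.
from dataclasses import dataclass

HTTP_PORTS = {80, 443}


@dataclass
class Session:
    authenticated: bool
    last_seen: float  # minutes since the station first logged in


class WebAuthTable:
    """Minimal web-auth state table (hypothetical, for illustration)."""

    def __init__(self, idle_timeout_min: float):
        self.idle_timeout = idle_timeout_min
        self.sessions: dict[str, Session] = {}

    def login(self, mac: str, now: float) -> None:
        """Station completed the portal login at time `now`."""
        self.sessions[mac] = Session(True, now)

    def handle_flow(self, mac: str, dport: int, now: float) -> str:
        """Return 'pass', 'redirect' (HTTP sent to the portal) or 'drop'."""
        s = self.sessions.get(mac)
        if s and s.authenticated and now - s.last_seen <= self.idle_timeout:
            s.last_seen = now  # any traffic refreshes the idle timer
            return "pass"
        if s:
            s.authenticated = False  # idle timer expired: session purged
        # Unauthenticated station: only a browser gets the "welcome back" page
        return "redirect" if dport in HTTP_PORTS else "drop"


def simulate(idle_timeout_min: float, poll_interval_min: float, polls: int) -> list:
    """Client logs in at t=0, then sleeps and wakes every poll_interval_min
    to check IMAPS (993). Returns the verdict for each wake-up."""
    table = WebAuthTable(idle_timeout_min)
    table.login("constructed-mac", 0.0)
    return [table.handle_flow("constructed-mac", 993, poll_interval_min * i)
            for i in range(1, polls + 1)]


if __name__ == "__main__":
    print(simulate(30, 60, 3))   # 30 min timeout, hourly polls: all dropped
    print(simulate(120, 60, 3))  # 2 h timeout, hourly polls: all pass
```

With the 30-minute timeout every hourly mail check arrives after the session was purged, so the IMAPS connection is dropped and the phone falls back to EDGE; with a 1-2 hour timeout each poll refreshes the timer and the session never expires.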
