The GuestiFi solution addresses the problem of WiFi PSK sharing or leaking by assigning every device (MAC address) a set of username and password at a lower cost as compared to a full fledged WPA2 Enterprise. This solution is faster and easier to deploy, has a lower cost to maintain, and is thus a good option for small businesses or homes with higher security demands.
Several guest Wi-Fi solutions from companies like Datavalet (e.g. Starbucks), Cisco Systems and Aruba Networks use the combination of open Wi-Fi and captive portal (web authentication). Although users can be authenticated via a web portal before granted access to internet or LAN, data transmission is not secured.
WPA2 PSK, or WPA2 Personal, as the name suggests, is originally intended for personal use. It is not very secure of a solution for businesses or homes with higher security requirements due to the shareability of the single pre-shared key. The key can be extracted by users or malicious apps and shared with unintended parties. This can even be done on iOS platforms.
WPA2 Enterprise is a safer solution, as each user needs to have an account on the RADIUS server. However, it might not feasible in all scenarios for the host to create a set of credentials for every guest, especially at businesses with high-flow of guests.
There will be several modes of operation. One key per device for maximum security, or time-based password generation for better accessibility. Clients can scan QR codes generated based on the ISO/IEC 18004:2015: QR Code bar code symbology specification for easy login without having to enter the username and password manually.
- Controller generates new username and password
- Controller writes username and password into RADIUS database
- User logs in with username password
- Upon receiving authentication request
- Check if username and password matches
- Check if there's a MAC address associated with the credentials
- Yes: Check if MAC current MAC address matches the MAC address registered. If yes, permit login request
- No: If username and password matches and no MAC address is associated with the current authenticated account, permit login and associate credentials with current MAC address
- Controller rotates and generates a new set of credentials
- New cycle begins
- Controller generates new username and password via time-based password generator
- Controller writes username and password into RADIUS database
- User logs in with username password
- Upon receiving authentication request
- Check if username and password matches
- Check if there's a MAC address associated with the credentials
- Yes: Check if MAC current MAC address matches the MAC address registered. If yes, permit login request
- No: If username and password matches and no MAC address is associated with the current authenticated account, permit login and associate credentials with current MAC address
- Controller waits until the password timer expires, rotates and generates a new set of credentials
- New cycle begins
- Controller init CA
- Controller generate (Private Key, Public Key, CA Cert) bundle, send to client device
- Client device import certs
- Perform EAP-TLS auth
- Controller init CA
- Send cert template params (key length, algorithm) to client via side channel (iOS Configuration Profile)
- Client device generate (private key, CSR)
- Client device request certificate via SCEP server on Internet
- Perform EAP-TLS auth
- Better security
- WPA2 Enterprise provides significantly better security than PSK or plain portal
- No shared accounts
- GuestiFi credentials are harder to get shared
- Guest credentials can be set to expire
- One set of credentials may be corresponded to only one MAC address
- WiFi key sharing applications typically do not support WPA2 Enterprise
- Guests must have physical access to the kiosk to obtain valid credentials
- Low cost to deploy
- Only a Raspberry Pi and several APs that support RADIUS are needed
- Can fit right into current infrastructures as an addon
- Low operation cost
- No manual user creation process for guests
- There's no need to rotate the passwords manually
- Better manageability
- Provides the ability to log or invalidate individual devices
- Different usernames can be used to separate devices into different VLANs if supported by AP