OpenID WiFi
Category: Applications Posted: Friday, June 8th, 2007 at 5:54 am by david
With the newest release of CoovaAP, some new features in Chilli are demonstrated in combination with RADIUS to allow OpenID-based authentication. If you are not yet familiar with OpenID, it is a distributed authentication protocol whereby you use a URL as your identity. This URL might be your LiveJournal page, your MyOpenID account, or any page you desire. Once logged in, your federated identity is valid across many websites. Now it can be used for WiFi access too.

Above is the OpenID login form in CoovaAP’s embedded captive portal. Instead of a traditional username and password, the user’s OpenID URL is entered. When the form is submitted, the OpenID is sent to the RADIUS server (as the username). The RADIUS server, knowing that OpenID was turned on in the access point (see below), discovers the OpenID authentication server for this URL and updates the user’s (session-specific) walled garden before redirecting the user to their OpenID server to log in and grant permission (trust) to Coova.org.
To give an example, I signed up with LiveJournal and configured my personal home page with the following HTML:
<html>
<head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://wlanmac.livejournal.com/">
...
This will allow me to use my own URL while actually using my LiveJournal identity to log in everywhere. Now, when I log in to the captive portal with my homepage URL, I get authenticated at LiveJournal. Here’s a sample of their confirmation page, shown after logging in (if not already logged in).

Once permission is granted for this “calling” URL, in this case at coova.org, you are redirected back and logged in to the access point.
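As an added example (not Coova’s or CoovaChilli’s code), the discovery step the RADIUS server performs above can be illustrated in Python: parse the claimed URL’s HTML for the openid.server and openid.delegate link tags, pick the identity to assert (the delegate if present, else the claimed URL), and derive the host that must be opened in the per-session walled garden. The sample page and the claimed URL http://homepage.example/ are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an identity page like the one described above:
# the claimed URL's HTML carries openid.server and openid.delegate links.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://wlanmac.livejournal.com/">
</head><body>home page</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.server"> and <link rel="openid.delegate">."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel may list several tokens
        href = a.get("href")
        if href:
            for rel in ("openid.server", "openid.delegate"):
                if rel in rels:
                    self.links.setdefault(rel, href)  # first occurrence wins


def discover(claimed_url, page_html):
    """OpenID 1.x HTML discovery for a claimed URL.

    Returns the auth server endpoint, the identity to assert at that server
    (delegate if present, otherwise the claimed URL itself) and the host the
    captive portal must allow in the user's session-specific walled garden.
    """
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in identity page")
    parts = urlparse(server)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("openid.server must be an absolute http(s) URL")
    return {
        "server": server,
        "identity": parser.links.get("openid.delegate", claimed_url),
        "walled_garden_host": parts.hostname,
    }
```

Only the discovered server host is opened, and only for that session; without a delegate tag the claimed URL itself is the identity sent to the server.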
Using OpenID with Coova
CoovaAP version beta-1.5 or newer is required for this setup. The HotSpot RADIUS settings must also be configured (as per default) to coova.org. If you have a CoovaAAA account, then use those RADIUS settings. Otherwise, the “coova-anonymous” shared secret can be used.
Using the web interface, configure the HotSpot RADIUS settings making sure Allow OpenID Authentication is Enabled, as shown here. On this same screen, you can now also configure the default session time and idle timeout - to be used when not otherwise set by RADIUS. Save and apply your changes.
With OpenID enabled and using the internal captive portal, a link to the OpenID login form is placed in the default login page. The templates for these pages can be customized in HotSpot / Portal of the web admin.
If you are using your CoovaAAA RADIUS settings, then you will see OpenID sessions, along with everything else.

Well, that’s it! Enjoy… and let us know how it goes.
May 4th, 2008 at 7:15 am
This is a great solution which I hope to implement soon. I have one question though. Will I be able to log in when I need to visit my OpenID provider’s website directly in order to authenticate? I choose not to permit logging into my OpenID account through referrals as it makes it more secure.
May 17th, 2008 at 1:01 am
Yes, you go to your provider’s website to authenticate. The access controller allows this by adding a per-session “walled garden” entry for your OpenID provider. This kind of dynamic walled garden is a feature of CoovaChilli.