Rework Wi-Fi authentication
The current model for Wi-Fi (and Ethernet) authentication does not seem sustainable:
1. New devices tend to use randomized MAC addresses.
2. Users have always had a hard time understanding the concept of adding devices to their accounts.
3. Because of PEAP (MSCHAPv2 as the inner method), passwords have to be stored in a format which is not ideal: the unsalted NT hash, which is as good as the password itself to anyone who obtains it.
4. The Wi-Fi authentication method (WPA2-Enterprise / 802.1X) is not supported by many "IoT" devices, printers, game consoles, etc.
The following solutions have been considered:
1. Switching to EAP-FAST/GTC. With GTC the password travels in cleartext inside the TLS tunnel, so the server could keep it as a proper salted hash; however, Windows does not support this method by default. Users would have to go into advanced options to turn it on, or we would have to provide a script to do it for them. Not user-friendly at all, and it would most likely add some time spent on support.
2. Switching to EAP-TLS, which Windows supports. It does not solve point 4 and is much more complicated for users than the current solution, since they would have to install a client certificate on each device.
3. Switching to WPA2-PPSK (WPA2-Personal, but with a different password for each user). It is not supported by Unifi: it would require running a script on each AP after each update, and might break at some point.
4. Keeping the current system, but having Re2o generate a unique "Wi-Fi password" for each user, different from their login password. The user would log in with their username and this unique password; they could reset it but not choose a custom one. This does not solve point 4, and is slightly more complicated than the current solution.
5. Keeping the current system.
This issue is an open discussion to switch to the proposed solution 4. As it does not solve points 1 and 2, another modification is also proposed:
The concept of MAC address could be removed from Re2o entirely. Right now it is only used as an "anti-cheat" to limit the number of devices per user, in an attempt to prevent account sharing. The idea would be to replace it with an anti-sharing system based on the RADIUS accounting features: limit the number of devices simultaneously connected to an account (on Wi-Fi only), e.g. 5 devices at the same time. Any further device trying to connect would be rejected, and possibly redirected to a captive portal explaining why.
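As an added example (not Re2o code, and not part of the original issue), the following models that accounting-based limit: the access points send Accounting-Request records (RFC 2866 `Acct-Status-Type` Start / Interim-Update / Stop) as devices join and leave, and an authorize hook rejects an Access-Request once the account already has `MAX_SESSIONS` live sessions. It also handles the failure mode a practitioner hits first with this design: a device that walks out of range never produces a Stop record, so sessions not refreshed by an Interim-Update within a timeout are treated as dead, otherwise the user locks themselves out. The limit of 5, the 15-minute interim interval, the dict-based record layout and the replayed trace are all assumptions made for the example.

```python
"""Added example: per-account simultaneous-session limit fed by RADIUS accounting.

Not Re2o code. Records are plain dicts keyed by RFC 2866 attribute names;
the trace at the bottom is constructed for the example.
"""
from dataclasses import dataclass, field

MAX_SESSIONS = 5             # assumed policy: 5 devices at once per account
INTERIM_INTERVAL = 15 * 60   # assumed Acct-Interim-Interval sent to the NAS (seconds)
STALE_AFTER = 2 * INTERIM_INTERVAL   # missed two updates: assume the Stop was lost


@dataclass
class SessionTable:
    # user -> {Acct-Session-Id: time of the last accounting record for it}
    _sessions: dict = field(default_factory=dict)

    def account(self, rec: dict, now: float) -> None:
        """Apply one Accounting-Request record."""
        user, sid, status = rec["User-Name"], rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            self._sessions.setdefault(user, {})[sid] = now
        elif status == "Stop":
            self._sessions.get(user, {}).pop(sid, None)

    def active(self, user: str, now: float) -> list:
        """Live session ids for user; silently drops sessions whose Stop never arrived."""
        live = {sid: t for sid, t in self._sessions.get(user, {}).items()
                if now - t <= STALE_AFTER}
        self._sessions[user] = live
        return sorted(live)

    def authorize(self, user: str, now: float) -> tuple:
        """Decision for an Access-Request: ("Access-Accept", "") or ("Access-Reject", reason).
        The reason string is what a captive portal would show the user."""
        n = len(self.active(user, now))
        if n >= MAX_SESSIONS:
            return ("Access-Reject",
                    f"{user} already has {n} devices connected (limit {MAX_SESSIONS})")
        return ("Access-Accept", "")


def acct(user: str, sid: str, status: str) -> dict:
    """Build a minimal accounting record (constructed sample data)."""
    return {"User-Name": user, "Acct-Session-Id": sid, "Acct-Status-Type": status}


def replay(table: SessionTable, trace: list) -> list:
    """Replay (time, kind, record) events; return the authorize decisions in order."""
    decisions = []
    for t, kind, rec in trace:
        if kind == "acct":
            table.account(rec, t)
        else:                                   # "auth": an Access-Request arrives
            decisions.append(table.authorize(rec["User-Name"], t))
    return decisions


# Constructed trace: alice brings up five devices over the first 400 s, a sixth
# tries at t=600, one device leaves cleanly, four others silently vanish.
TRACE = [
    *[(i * 100, "acct", acct("alice", f"s{i}", "Start")) for i in range(5)],
    (600, "auth", {"User-Name": "alice"}),    # 6th device: over the limit
    (700, "acct", acct("alice", "s0", "Stop")),
    (800, "auth", {"User-Name": "alice"}),    # back to 4 live sessions
    (1000, "auth", {"User-Name": "bob"}),     # another account is unaffected
    (5000, "auth", {"User-Name": "alice"}),   # s1..s4 never refreshed: treated as dead
]


def demo() -> list:
    return replay(SessionTable(), TRACE)


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

One caveat that this model makes visible: the authorize decision happens before the new device's own Start record exists, so two devices connecting within the same few seconds both pass the check. FreeRADIUS's `Simultaneous-Use` has the same window; it is acceptable for an anti-sharing heuristic, but not for a hard quota.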
These are not easy changes and each has benefits and drawbacks, but my belief is that getting rid of MAC addresses would be removing a huge thorn in our side. The switch to a Re2o-enforced password would probably be less of a life-changer, but it can be nice for security reasons. Unfortunately, issue 4 remains with the proposed solutions.