How not to offer Guest Wi-Fi


Nearly all men can stand adversity, but if you want to test a man's character, give him a horrible internet connection.

– Loosely based on a quote by Abraham Lincoln

 

Some jobs are worse than others. Some environments are more toxic than others. Some things can just annoy the heck out of you. At the top of my list of annoyances is definitely horrible Internet access at customers.

I won’t go into the details, but this customer had decided not to provide me with a workstation, user account or regular network connection, yet wanted me to completely overhaul their Active Directory. Communication was solely possible using mail or SharePoint, since their workstations only allowed a specific type of USB device.
You could call it a highly-secure environment.

In this scenario, an Internet connection is key for exchanging information. Luckily, guest Wi-Fi was offered. Every day, at the reception I could ask for a standardized piece of paper with a 12h passcode.

The passcode system was a horrible experience. Here’s why:

  • The Wi-Fi network itself had a WPA2 key. This adds secondary security, but since the signal is also receivable from the parking lot, the network is heavily used and the WPA2 key was never changed, it adds almost zero security. Yet, it resulted in numerous “It’s taking longer to connect” messages when reconnecting.
  • The Wi-Fi network issued an authentication portal. Good. Microsoft Internet Explorer’s default page wasn’t treated as a page where you’d be welcomed with the authentication portal, so after I successfully connected to the Wi-Fi network, I needed to enter a well-known, non-https URL in the address bar of my browser, before getting access to the authentication portal.

Note:
It appears this is a common issue with Cisco-powered guest networks. Horrible.

  • The Wi-Fi network issued an authentication portal. Good. Except for the fact that the portal used a self-signed or otherwise publicly untrusted SSL/TLS certificate that made me first have to click through my browser’s “Are you sure you want to access this page?” warning page. How hard is it to issue a publicly trusted TLS certificate, right!?
  • The authentication portal allowed me to enter the passcode, consisting of a username and a password. Both values needed to be entered in the authentication portal and the portal did not allow copying or pasting from or to these two fields. Yet, the values one needs to enter to gain access included characters beyond the word characters, heavily relying on keyboard layout. Without being able to see the entered password, or copy-pasting it from the visible username field, this is a hassle with different keyboard layouts and Caps Lock.
  • After the authentication page, a page with terms and conditions was shown. A radio button “I accept” was offered and a “Continue” button would then light up green. Every first time I accepted the terms and conditions and hit the “Continue” button, I was redirected back to the authentication page, where subsequent authentications and acceptances of the terms worked flawlessly. Being taught to read the terms and conditions, this took quite some time. Having employees tell you that the second time you accept, you give away your soul wasn’t helpful either.
  • After clearing the authentication portal, the browser would always be redirected to the customer’s website. After all the hassle it took to enter an address they accepted as a valid target, after seeing it being carried through the authentication portal in the URL string, it just gets chopped off at the end. I guess it’s one way to improve your Alexa scores…
  • Every two hours, the session would expire. Sometimes the authenticated session would expire. At other times the IPv4 address lease would expire. It would not pop up anywhere; the networking connection would just show up as Limited. In the middle of an Outlook Sync, in the middle of a down- or upload.
  • When the IPv4 address lease would break, I could not simply disconnect and reconnect the Wi-Fi network. I needed to either restart my (Windows-based) device (which did not always work) or temporarily connect to a different network.
  • Wi-Fi band 1 was actively blocked. This is the default band for most phones, including my Windows Phone for Internet connection sharing. Tethering was not an option, and connecting to it as an alternative network only worked every once in a while.
  • Yes, this Wi-Fi only offered IPv4 addressing. No IPv6, although the Internet provider, providing the actual bandwidth and such, advertises the fact that they offer IPv6 now.
  • The piece of paper did not include any support information. There was no one to share my issues with or find a better solution. The customer had an incident report system, but since I didn’t have an account, I couldn’t log any incidents or support questions for my situation…
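
For the bullet above about the originally requested address being carried through the portal and then dropped: a sketch of how a portal could send the guest back to that address after login while still validating it. This is an added example, not code from the post or from any portal product; the query parameter name `redirect`, the fallback URL and the host names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the original post): the portal receives the guest's
# original destination in a query parameter named "redirect" and falls back
# to FALLBACK_URL when that value is missing or unsafe.
REDIRECT_PARAM = "redirect"
FALLBACK_URL = "https://www.example.com/"
MAX_TARGET_LENGTH = 2048


def post_login_target(portal_url: str, portal_host: str) -> str:
    """Return the URL to send the guest to after a successful login."""
    query = parse_qs(urlsplit(portal_url).query)
    candidates = query.get(REDIRECT_PARAM, [])
    # Exactly one value is expected; duplicates are ambiguous, so refuse them.
    if len(candidates) != 1:
        return FALLBACK_URL
    target = candidates[0]
    if not target or len(target) > MAX_TARGET_LENGTH:
        return FALLBACK_URL
    # Control characters could split the Location response header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return FALLBACK_URL
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return FALLBACK_URL
    # Only plain web destinations; no other schemes, no relative paths.
    if parts.scheme not in ("http", "https") or not host:
        return FALLBACK_URL
    # user:pass@host forms are a common way to disguise the real host.
    if parts.username is not None or parts.password is not None:
        return FALLBACK_URL
    # Never bounce the guest back into the portal itself (login loop).
    if host.lower() == portal_host.lower():
        return FALLBACK_URL
    return target
```
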

Going through this process several times for roughly 40 working days eventually added up to me wanting to punch someone in the face.

Please, if you provide Guest Wi-Fi, make it a less horrible experience than the one depicted above.

Thank you.
