Open Infrastructure
A Wireless Network Research Framework
for Residential Networks
SNEAP Architecture
SNEAP - A Social Network-Enabled EAP Authentication Method for WiFi Hotspots

Motivations

Mobile users have an ever-increasing demand for ubiquitous network access. To fulfill such demand, ISPs have to increase their base station density, resulting in significant cost. WiFi, now commonplace, can be turned into a ready-to-use infrastructure. Apart from WiFi hotspots deployed by ISPs, home users are starting to show interest in sharing bandwidth with others.

However, today's WiFi hotspots, whether commercial or shared home WiFi (e.g. Fon), have the following drawbacks:

  • Unsecured hotspots: All commercial hotspots are NOT password-secured, due to the difficulty of distributing WiFi WPA keys in advance. However, this poses a potential security threat to end users while they are browsing through the open WiFi hotspots.
  • Isolated user base, which is an obstacle to ubiquitous WiFi access and makes access control a hassle.

    Social networks provide a large-scale, well-established, ready-to-use social graph, and have high penetration in users' daily lives. This makes social networks an attractive candidate for authentication services.

    Our Social Network-Enabled EAP method (SNEAP) integrates the authentication services in social networks with the widely-adopted EAP framework. In addition, the extensibility of EAP and our software-based solution allow easy incremental deployment, and our chosen platform offers broad hardware compatibility.

    SNEAP AP Registration Flow
    SNEAP Client-AP Authentication Flow

    Our goals & challenges:

  • Secured WiFi hotspots leveraging prominent social networking sites.
  • Easy setup for both AP owners and Clients
  • Backward-compatible authentication method
  • Privacy-preserving between AP owner and AP guest users
  • Software-based solution allows easy incremental deployment

    SNEAP Solution Overview

    SNEAP is a complete software solution, and its prototype uses the Facebook API. SNEAP mainly consists of three components:

  • wpa-supplicant integrated with SNEAP module running on end user devices, e.g. PC and mobile phones;
  • SNEAP-enabled hostapd running on WiFi access points;
  • SNEAP-enabled FreeRadius server, which communicates with social networks for authentication operations.

    Step 1. SNEAP AP Registration

    We developed an Ajax application running inside the AP's web admin interface, allowing the owner to register his/her WiFi AP with our SNEAP Facebook application. Once the owner is authenticated, Facebook forwards the AP owner's Facebook ID and authentication token to our SNEAP radius server to finish the SNEAP AP registration process.

    Step 2. SNEAP Client-AP Authentication

    The SNEAP-enabled WPA-supplicant software first associates with the SNEAP AP and carries out one-way authentication with the SNEAP radius server. In this process, a TLS tunnel is established between client and AP, so all communication from this point onwards is secured. The radius server also notifies the AP to grant just enough Internet access for this client to complete the rest of the authentication operations. Next, the client authenticates with our SNEAP Facebook application. Once authenticated, the client obtains an authentication token from Facebook and forwards the token to our radius server. Upon receiving the authentication token, the SNEAP radius server carries out friendship verification for the client and the AP owner using the Facebook API. Lastly, the SNEAP radius server notifies the SNEAP AP to grant full Internet access to the successfully authenticated SNEAP client.
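
The radius-server decisions from Step 1 and Step 2, modeled as an added Python example (not SNEAP's own code). The class, method names, token strings and the two lookup callables are hypothetical stand-ins for the social network API calls.

```python
from enum import Enum

class Access(Enum):
    NONE = "none"
    RESTRICTED = "restricted"  # just enough to reach the social network login
    FULL = "full"

class SneapServer:
    """Toy model of the radius server's decisions in Step 1 and Step 2."""
    def __init__(self, resolve_token, are_friends):
        # Both callables stand in for social network API calls (assumed).
        self.resolve_token = resolve_token  # token -> user id, None if invalid
        self.are_friends = are_friends      # (user id, user id) -> bool
        self.ap_owner = {}                  # AP id -> owner user id (Step 1)
        self.sessions = {}                  # (AP id, client MAC) -> Access

    def register_ap(self, ap_id, owner_token):
        owner = self.resolve_token(owner_token)
        if owner is not None:
            self.ap_owner[ap_id] = owner
        return owner is not None

    def tunnel_established(self, ap_id, client_mac):
        # One-way auth done: a registered AP's client starts restricted.
        if ap_id not in self.ap_owner:
            return Access.NONE
        self.sessions[(ap_id, client_mac)] = Access.RESTRICTED
        return Access.RESTRICTED

    def submit_token(self, ap_id, client_mac, client_token):
        key = (ap_id, client_mac)
        # A token is accepted only inside an existing restricted session.
        if self.sessions.get(key) is not Access.RESTRICTED:
            return Access.NONE
        # Identity comes from the token, never from a client-supplied id.
        user = self.resolve_token(client_token)
        if user is None or not self.are_friends(user, self.ap_owner[ap_id]):
            del self.sessions[key]          # fail closed: drop the session
            return Access.NONE
        self.sessions[key] = Access.FULL
        return Access.FULL

# Constructed sample data: tokens and friendships are made up.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-eve": "eve"}
FRIENDS = {frozenset(("alice", "bob"))}
def make_server():
    srv = SneapServer(TOKENS.get, lambda a, b: frozenset((a, b)) in FRIENDS)
    srv.register_ap("ap-1", "tok-alice")
    return srv
```

With the constructed data, a friend of the AP owner moves from restricted to full access, while a valid token from a non-friend, an unknown token, or a token sent before the tunnel exists all end with no access.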

    SNEAP Prototype Screenshots

    SNEAP AP Registration

    SNEAP AP Web Admin Page
    SNEAP AP Admin Facebook App Authentication Page
    SNEAP AP Registration Done

    SNEAP Client

    SNEAP WPA-Supplicant
    After one-way authentication with the SNEAP radius server, the supplicant pops up a browser for Facebook authentication
    SNEAP Client Facebook App. Authentication
    SNEAP Client Authentication Done