Title :
A secure public wireless LAN access technique that supports walk-up users
Author :
Luo, Hui ; Henry, Paul
Author_Institution :
Res. labs., AT&T, Middletown, NJ, USA
Abstract :
Next-generation wireless LAN security techniques will be based on 802.1x and 802.11i/WPA standards, which mandate mutual authentication and air traffic encryption using per-user per-session keys. These requirements seem to be incompatible with supporting walk-up users (first-time users or one-time users), an important business strategy for public wireless LAN operators. This is because mutual authentication often requires a user to share a secret with an authentication server, but a walk-up user does not have a shared secret established in the public wireless LAN operator's authentication database yet. This paper proposes a secure public wireless LAN access technique to solve the above problem. It supports mutual authentication and air traffic encryption using per-user per-session keys for both registered users and walk-up users. Its authentication process consists of 802.1x/PEAP authentication and browser-based authentication. A registered user passing the 802.1x/PEAP authentication will skip the browser-based authentication. A walk-up user can pass the 802.1x/PEAP authentication using a wild-card username and password, but must then go through the browser-based authentication by either subscribing to the public wireless LAN service or paying for it online. As soon as the 802.1x/PEAP authentication is passed, a per-user per-session key is generated and is used to encrypt the user's air traffic based on 802.11i/WPA. The system architecture of a public wireless LAN employing this technique is also described.
Keywords :
access protocols; authorisation; message authentication; public key cryptography; telecommunication security; wireless LAN; 802.11i/WPA standard; 802.1x standards; 802.1x/PEAP authentication; air traffic encryption; browser-based authentication; business strategy; mutual authentication; per-user per-session keys; walk-up user; wireless LAN security technique; Access control; Authentication; Computer hacking; Cryptography; Databases; File servers; Privacy; Security; Virtual private networks; Wireless LAN;
Conference_Title :
Global Telecommunications Conference, 2003. GLOBECOM '03. IEEE
Print_ISBN :
0-7803-7974-8
DOI :
10.1109/GLOCOM.2003.1258471