About the ‘device wifi’ alpha
This page explains the ‘device wifi’ alpha that we ran in early 2020.
A few organisations took part. Device wifi is not currently available to organisations and we’re not progressing this at the moment (January 2021). We may do so in the future though.
Device wifi is also referred to as ‘certificate-based authentication’.
What is device wifi?
Currently, end users need to create their GovWifi account themselves by either:
- sending a blank email to us from a public sector email address
- sending a text message to us
- asking a public sector worker to email us with the end user’s email address
They then get sent credentials to sign in with.
With device wifi, the device connects to the internet using trusted certificates, instead of the person’s username and password.
The user need
Some organisations told us they needed devices to connect to the internet through certificates instead of credentials. They were already using workarounds to meet their needs.
To connect multiple managed devices to GovWifi quickly, staff members working in IT teams have used their own GovWifi usernames and passwords. This includes when they needed to:
- make sure lots of new people joining at once would have immediate access to the internet
- connect standalone devices, like printers, monitors or shared laptops
This means that the IT staff member’s GovWifi account details were associated to hundreds of devices. Any malicious internet activity on those devices would be attributed to them.
How it works
Certificate based authentication gives devices automatic access to GovWifi as long as they have a valid certificate issued by Public Key Infrastructure (PKI) trusted by GovWifi service. Organisations become trusted when their Certification Authority (CA) certificates are uploaded to the FreeRADIUS infrastructure.
- Organisations register on the GovWifi admin site.
- They set up the “GovWifi” SSID on their local network.
- They set up a “Certificate Authority” using a Public Key Infrastructure (PKI) software tool. This lets them sign certificates.
- Using their PKI, they can sign client certificates (certificates that will be used by any devices being connected to GovWifi).
- They give us their root/intermediate CA certificate used to sign these client certificates.
- Devices can now connect to the internet via GovWifi wherever GovWifi is offered. When connecting to GovWifi, EAP-TLS needs to be selected.
Where to find the code
The code for certificate authentication is in the govwifi-frontend repo.
The EAP-TLS is handled in FreeRADIUS.
There’s a root CA certificates folder in.
How to receive changes to root/intermediate CA certificates from organisations
Receiving changes to certificates would be a common task for developers if we supported device wifi.
Organisations send us their root/intermediate CA certificates. These are kept in
govwifi-build, in the encrypted file
passwords/certs/production/ca.pem.gpg. If an organisation wants to send us new certificates or delete existing ones, this file would need to be edited to add or remove them.
To edit this file, do this:
PASSWORD_STORE_DIR=<password_store_dir> pass edit passwords/certs/production/ca.pem
Once a change has been made to this file and it has been merged into the main branch, the Concourse pipeline
sync-frontend-certs gets triggered, which syncs the certificates to an S3 bucket which is read by the FreeRADIUS servers during initialisation.
This is only synced to staging automatically. Syncing to production must be triggered manually from Concourse, in order for any changes to take effect for production users.
Common issues with device wifi
We know that:
- device wifi is more difficult to set up and manage than the current GovWifi offer, especially for organisations with limited IT resource or using a Windows operating system
- some organisations do not know how certificate authentication works, specifically openSSL
- organisations may not know that certificates expire
- the time taken to receive certificates from organisations is much longer than anticipated
- organisations have to get security permissions and sign off from decision makers before they can send certificates
- organisations may send us CA certificates that either don’t have the full chain of trust or aren’t actually the CA certificates that signed the client certificates
- the process of receiving certificates by email and uploading them manually is time consuming
Find out more
You can read more about device wifi.