
Tuesday, December 1, 2015

verkkovieras.fi -- making enterprise Wi-Fi authentication easy

verkkovieras.fi for simple and secure federated Wi-Fi authentication

security by David Bleasdale

Verkkovieras is a Finnish word meaning "network guest". Verkkovieras.fi is our cloud authentication service for controlling an organisation’s employee and guest network access. The service also supports authentication roaming federations such as eduroam and roam.fi, making it an easy way to deploy and serve federated network access for employees, guests and partners.

We know that maintaining user databases and RADIUS servers for employee and guest access can be difficult, especially when there’s additional complexity such as federated roaming. With verkkovieras.fi we focused on building a service that is easy to deploy and easy to use. We thought, designed, thought some more and improved our design to be as clean and clear as possible.

Easily deployed in any Wi-Fi network

To deploy the verkkovieras.fi authentication service you only need RADIUS-capable authenticating devices, which includes almost all Wi-Fi controllers and access points. The authenticating device, usually the Wi-Fi controller, needs to be able to communicate with our cloud-based servers on the Internet, and that’s it -- only our server details and the Wi-Fi networks need to be configured in the controller.

User account registration as easy as email

verkkovieras.fi registration screen in Finnish

Employees manage their user accounts themselves: they request an account from a WWW page and, after a simple email and WWW page confirmation, activate a user account based on their email address. The account’s username is their email address and the password is a randomly generated string. We wanted to make sure that the network password is secure and, at the same time, to create a separate user account for network access. This keeps more important or sensitive passwords, such as Active Directory or other service passwords, separate and safe. This way the employee cannot undermine security by changing the password to a less secure or more sensitive one.

Federated roaming with a flick of a switch



Roaming federations and federated user access are even simpler: just select which federations to activate or deactivate. Your employees or visiting roaming guests are then able to roam freely within the federations and networks with the same profiles they use for network access in your home network.

Easy guest user access or traditional vouchers -- you choose

Howard Lake: Sainsburys Active Kids vouchers

For guest user access there are two options: a simple time-limited guest user account for automated access, and the possibility to create and print more traditional time-limited guest user accounts beforehand. Automated access means that the user account can be integrated, for example, with WWW page based authentication to give a guest short Internet access with just a click of a button on the authentication page. The traditional guest user accounts can be used like vouchers: the username and password must be entered on the authentication page or in the system dialog to get access to the network.

All this as a cloud service, ready to be deployed today

verkkovieras.fi architecture

We packaged all this in a redundant Amazon cloud based service distributed across two geographical regions, where we handle the difficult details such as scaling, server certificates and EAP methods (EAP-PEAP, EAP-TTLS, EAP-PWD), leaving you as a customer time to focus on your business and core functions.

If you are interested, contact Arch Red sales ( sales <at> archred.com ) for more details.



Tuesday, July 8, 2014

There is no Free Wi-Fi, but there can be Sustainable Wi-Fi

Free Wi-Fi Zone


Today Engadget reported that "Free WiFi provider admits to making up 90 percent of its revenues". The company, Gowex, runs networks in 85 cities around the world (according to the company's WWW pages) and has offices in Madrid, Paris, London, Buenos Aires and Shanghai. The company claimed that it had developed a sustainable business model for free Wi-Fi based on the idea that the company makes its revenues from partnerships with local governments, from carriers with Wi-Fi offloading and from premium fees (i.e. selling premium user accounts).

Some may view this as proof that Gowex's business idea and model did not work, but I would not claim that without looking into whether they managed to get any revenues at all. Running a company badly and falsifying revenues and accounting are very different things from the actual business idea and model not working. I actually think that the ideas from which Gowex planned to get revenues are valid ones, and they seem to have made real roaming deals with roaming brokers such as iPass, Boingo etc. These revenues could then be used to subsidise the service costs of running WiFi networks or related services, but naturally the company should get more revenues from the service it provides than the costs of producing it. And that is actually why I do not believe Free Wi-Fi exists.

Forex Money for Exchange in Currency Bank


Free Wi-Fi is an illusion for consumers. Somebody always ends up with the bill. It may be the company, organisation or city providing or buying the Free Wi-Fi service out of hospitality. It may be an airport or a shopping mall deploying or buying a service for tracking customer movements or web surfing, but like many other free Internet services, Free Wi-Fi is not really free. You as a consumer may think that with Free Wi-Fi you are still the customer, but the reality is that the one providing and paying for the Free Wi-Fi service needs to get enough benefits and/or revenue from providing the free service to you, and their benefit may be the data about you.

Where Gowex was right is that providing Wi-Fi for free needs to be sustainable. The Wi-Fi network service needs to provide enough benefit for the one paying for it that the payer is willing to cover the costs of running, maintaining and developing the network. Too often in hospitality guest networks (hotel/conference Wi-Fi, company guest Wi-Fi) the deployed network may serve its users when it is first deployed, but its development (Internet bandwidth capacity, better radios) is neglected until enough users complain about it. In city-wide Wi-Fi networks similar problems occur when city-wide Wi-Fi is set up with development project money from the government or the EU without any plan for how to cover the costs after the development project has ended.

Sustainable Wi-Fi networks should be planned so that they can be maintained and even developed with the revenues coming from organisations and companies benefitting from the network service, or from something measurable the network provides. There even exists a successful example of this kind of sustainable global Wi-Fi network concept -- eduroam (*).



In eduroam, universities, research institutions, government organisations and even cities have seen the benefits of joining their existing Wi-Fi networks via federated RADIUS authentication, thereby providing free Wi-Fi around the world for researchers, teachers and students. Every organisation deploys, maintains and develops its own network service with its own funding and shares it with the other eduroam organisations. There is no single vendor, service provider or organisation controlling anything. Instead, every vendor, service provider or organisation which is ready to fulfil the open requirements and standard interfaces is welcome to join or to provide equipment or services to other eduroam organisations. There are not a lot of revenues or profits moved around, just normal network and authentication business for companies, but the benefits are clear enough for participants to justify the costs of basically running the Wi-Fi networks, which they are going to do anyway.

eduroam is real, sustainable Wi-Fi and I am hoping that we (Arch Red and Open System Consultants) may help in bringing its benefits to a wider audience in the very near future. eduroam itself still limits its use to universities and research organisations and networks, and unfortunately cannot yet be used as a common global concept to provide sustainable Wi-Fi for all.



* eduroam is a registered trademark of TERENA. Arch Red and Open System Consultants are independent of TERENA.