iBahn says that they're the first hospitality operator to put 802.1X across their network. iBahn's approach is, by the way, not "WPA" but WPA Enterprise. WPA Enterprise uses 802.1X to allow unique logins that are assigned unique encryption keys. The company didn't want to say WPA Enterprise when I interviewed them in July because it's a little unwieldy. T-Mobile's head and iBahn both agree that a better rubric is needed to make 802.1X and WPA Enterprise as understandable as "Wi-Fi", a term that signifies so much, so clearly.
iBahn spent a million dollars upgrading their network. I know that T-Mobile's costs were lower because their gear already supported multiple virtual SSIDs on the same AP; iBahn needed to swap out early gear, it seems. They operate 900 hotspots with up to 80 access points in each location as they serve the hotel market.
This line in the story doesn't make sense to me: "WPA, and its successor WPA2, distribute different keys to individual users, and will also shut down if an attack is detected." First, as noted above, this is WPA and WPA2 Enterprise, but this isn't an integral part of the standard. Perhaps iBahn is running intrusion-detection software?
Update: See comment below on WPA's attack detection. This is a pretty simple protection, but it's designed to catch spoofed frames; it's not robust intrusion detection.
I think the situation is this: At the time T-Mobile made its announcement about rolling out 802.1X to all of its hotspots, some were not actually rolled out and you couldn't get 802.1X at all of them at that time. It has understandably taken some time for all of them to offer 802.1X.
What iBahn is saying is that they are first to have 802.1X operational at all their hotspots.
Stephen Cobb, CISSP
(ex-iBahn employee no longer affiliated with iBahn)
"WPA, and its successor WPA2, distribute different keys to individual users, and will also shut down if an attack is detected."
A quick (approximate) explanation:
WPA = TKIP
WPA2 = TKIP + AES
Personal = hard configured master keys
Enterprise = central radius server
So you can have WPA Enterprise, WPA2 Enterprise, WPA Personal, and WPA2 Personal.
In every variant, the master key isn't used directly - a new set of session keys is derived from it for each user, and these are what get used. So every user gets their own keys, whatever the variant.
However... If you know what the master key was, you can work out the session keys for any other user on the network.
From a hotspot perspective the WPA/WPA2 issue is simply a matter of how strong the encryption standard used is. Both are pretty strong, but TKIP is slightly weaker, and hence has to take the slightly extreme measure of closing down communication for 60 seconds when attacked. It sounds like the "intrusion detection" feature is an attempt to sell what is to be honest a limitation in TKIP as a sales advantage.
Back to Personal/Enterprise from a hot spot perspective.
An operator could use Personal and a single master key for all users. The downside is that (a) any legal user can crack the session keys of any other legal user - see above, and (b) if anyone publishes the key on the internet you have to reprogram all APs and all users. Hence this option is not very likely.
Secondly, you could use Personal with a different master key for each user. This avoids all the downsides of the previous solution, but does mean that you have to program all the user master keys into every AP. A lot of work...
Of course the sensible thing would be to have all the master keys kept in a central server so you only have to update things in one place, and have the APs ask for them when they needed them. And even better if you used a standard protocol (such as Radius) to do so. Congratulations - you've just invented "Enterprise"!
So from a practical perspective, I can't imagine any hotspot operator with more than a single AP running anything other than Enterprise. So there really isn't any point in any hot spot operator marketing the Enterprise/Personal distinction - the WPA/WPA2 distinction is the important one.
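The key hierarchy the comment above describes (one master key, per-user session keys derived from it, and why a shared master key means one guest can arrive at another's keys), worked through as an added example in Python; this is not code from the post or its commenters. It assumes constructed MAC addresses, nonces, passphrase and SSID, and a hypothetical `enterprise_pmk` stand-in for the per-user key the RADIUS/EAP exchange would deliver.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, blocks concatenated."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]

def personal_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: one PMK shared by every user, PBKDF2-HMAC-SHA1 of passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def enterprise_pmk(user: str) -> bytes:
    """Stand-in (constructed) for the per-user PMK the RADIUS/EAP exchange delivers to the AP."""
    return hashlib.sha256(b"constructed-eap-msk:" + user.encode()).digest()

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake: sorted MACs and nonces expanded by PRF-512 (KCK | KEK | TK ...)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

# Constructed handshake inputs for two guests on one AP; nothing here is from a real network.
PASSPHRASE, SSID = "hotel-guest-wifi", "demo-hotspot"
AP_MAC = bytes.fromhex("020000000001")
GUESTS = {
    "alice": (bytes.fromhex("02000000000a"), bytes(range(0, 32)), bytes(range(32, 64))),
    "bob": (bytes.fromhex("02000000000b"), bytes(range(64, 96)), bytes(range(96, 128))),
}

def pmk_for(variant: str, user: str) -> bytes:
    """'personal': everyone holds the same PMK; 'enterprise': each user gets their own."""
    return personal_pmk(PASSPHRASE, SSID) if variant == "personal" else enterprise_pmk(user)

def session_keys(variant: str) -> dict:
    """The PTK each guest ends up with. Distinct per user in both variants (different nonces)."""
    return {name: derive_ptk(pmk_for(variant, name), AP_MAC, *hs) for name, hs in GUESTS.items()}

def reconstructs_peer_key(variant: str, holder: str, peer: str) -> bool:
    """Does the PMK `holder` legitimately has, plus the peer's cleartext MACs/nonces, yield the peer's PTK?"""
    return derive_ptk(pmk_for(variant, holder), AP_MAC, *GUESTS[peer]) == session_keys(variant)[peer]

if __name__ == "__main__":
    for variant in ("personal", "enterprise"):
        print(variant, "- Bob's PMK yields Alice's session key:", reconstructs_peer_key(variant, "bob", "alice"))
```

Both variants hand every guest a different session key, which is all the quoted sentence says; only the Enterprise variant stops one guest's master key from reproducing another's, which is the property a hotspot operator actually needs.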