• Redirect all traffic to authentication site (usually AP)

• Authenticate user, do billing

• (optionally?) encrypt all traffic

• Stop redirecting user (redir over proxy instead)

• De-authenticate when EO$

• Redirection to authentication server is vulnerable to MITM

• AP can be spoofed by malicious user

Notes: