Greenpass Operation


How does it work?

The Greenpass prototype uses an Access Point that is configured to broadcast two SSIDs. One SSID is for the protected network and is configured to require 802.1X authentication. The second SSID is configured as an open network that requires no authentication. The open network, however, redirects all traffic to the Greenpass delegation server.

A switch that supports VLANs is configured to define two VLANs implementing the protected subnet and the open subnet. The Access Point sends traffic from clients connected to each SSID to the corresponding VLAN.

A router connects the protected subnet (the protected VLAN on the switch) to the rest of the campus network. Only traffic from the protected subnet is passed to the main network; traffic from the open subnet is NOT forwarded.

The "open" network provides DHCP service so clients can obtain an IP address and connect to the delegation server. A DNS server also runs on the "open" network and answers every name lookup with the address of the delegation server. The delegation web server serves the application that allows guests to introduce themselves using an existing X.509 key pair. The Greenpass Guest Certificate Authority accepts certificate signing requests from a web browser and returns X.509 certificates for clients that do not already have an X.509 key pair. The X.509 certificate is used only to transport the user's public key through the standard SSL protocol.
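The following shell script is an added example and is not Greenpass project code. It generates the three Linux configuration fragments that realize the layout described above: a hostapd configuration with one 802.1X/RADIUS-protected BSS and one open BSS, each bridged to its own VLAN; a dnsmasq configuration that hands out DHCP leases on the open subnet and answers every DNS query with the delegation server's address; and an iptables policy under which only the protected subnet is forwarded to the campus uplink while the open subnet can reach nothing but the delegation server. All interface names, VLAN numbers, addresses and SSID names are assumptions chosen for the example, and the RADIUS shared secret is a placeholder.

```shell
#!/bin/sh
# Added example (not Greenpass project code). Generates, but does not apply,
# the configuration for the two-SSID / two-VLAN Greenpass layout.
# Every interface name, VLAN id and address below is an assumption.
set -eu

# --- Assumed layout -------------------------------------------------------
PROT_VLAN=10                  # VLAN carrying the 802.1X-protected SSID
OPEN_VLAN=20                  # VLAN carrying the open "delegation" SSID
UPLINK_IF=eth0                # router leg toward the campus network
PROT_IF="eth1.$PROT_VLAN"     # router leg on the protected subnet
OPEN_IF="eth1.$OPEN_VLAN"     # router leg on the open subnet
OPEN_NET=10.20.0.0/24
DELEG_IP=10.20.0.1            # delegation web server; also DHCP and DNS for the open subnet
RADIUS_IP=10.10.0.5           # hypothetical 802.1X authentication (RADIUS) server

# hostapd: one radio, two BSSes. The first BSS requires 802.1X/EAP against
# RADIUS and is bridged to the protected VLAN; the second is open and is
# bridged to the open VLAN.
gen_hostapd_conf() {
  cat <<EOF
interface=wlan0
driver=nl80211
bridge=br-vlan$PROT_VLAN
ssid=Greenpass-Protected
ieee8021x=1
eap_server=0
auth_server_addr=$RADIUS_IP
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

bss=wlan0-1
bridge=br-vlan$OPEN_VLAN
ssid=Greenpass-Open
EOF
}

# dnsmasq on the delegation server: DHCP for the open subnet, and the
# wildcard "address=/#/" entry that resolves every name to DELEG_IP.
# no-resolv keeps it from ever consulting an upstream resolver.
gen_dnsmasq_conf() {
  cat <<EOF
interface=$OPEN_IF
bind-interfaces
no-resolv
dhcp-range=10.20.0.100,10.20.0.200,1h
dhcp-option=option:router,$DELEG_IP
dhcp-option=option:dns-server,$DELEG_IP
address=/#/$DELEG_IP
EOF
}

# Router firewall: forward only protected-subnet traffic to the uplink.
# The open subnet is never forwarded; its web traffic is DNATed to the
# delegation server, and only DHCP, DNS and HTTP(S) to DELEG_IP are accepted.
gen_fw_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $PROT_IF -o $UPLINK_IF -j ACCEPT
iptables -A FORWARD -i $UPLINK_IF -o $PROT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OPEN_IF -j DROP
iptables -t nat -A PREROUTING -i $OPEN_IF -s $OPEN_NET -p tcp --dport 80 -j DNAT --to-destination $DELEG_IP:80
iptables -A INPUT -i $OPEN_IF -d $DELEG_IP -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $OPEN_IF -d $DELEG_IP -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $OPEN_IF -d $DELEG_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i $OPEN_IF -j DROP
EOF
}

# Sanity check: no FORWARD rule may accept traffic arriving on the open leg.
# Succeeds (exit 0) when the open subnet is fully isolated from the campus.
check_open_isolated() {
  ! gen_fw_rules | grep -- "-A FORWARD" | grep -- "-i $OPEN_IF" | grep -q -- "-j ACCEPT"
}

# Print all three fragments for review before applying them by hand.
if [ "${1:-}" = "--print" ]; then
  gen_hostapd_conf; echo; gen_dnsmasq_conf; echo; gen_fw_rules
fi
```

Run it with `--print` to review the output. The `check_open_isolated` function encodes the one property that matters most in this design: whatever else changes, no rule may ever forward traffic from the open VLAN toward the campus, because a guest on that SSID has not authenticated to anything yet.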

Software supporting 802.1X authentication is provided by current operating systems such as Windows XP (SP1), Windows 2000 (SP4) and Mac OS X 10.3. It can be added to other operating systems such as Linux (e.g. xsupplicant), and possibly to older Windows or Mac computers, with open source or third-party software (e.g. MeetingHouse is one such source).

Here are screenshots of the delegation process.



Last edited May 2, 2005