Straight from Cisco’s Campus Network for High Availability Design Guide, L3 is superior because:
– Faster convergence around a link or node failure.
– Increased scalability because neighbor relationships and meshing are reduced.
– More efficient bandwidth utilization.
From Cisco: Campus Network for High Availability Design Guide - Core Layer
These are all great reasons, but you won’t stand to benefit from any of them, as your setup doesn’t allow for it. If a packet arrives at your distribution node, it’s only going to have one node that it can go to next: your core, which is using IRF. There isn’t a routing protocol that is going to be intelligent enough to determine that you have another (perhaps lower speed) connection combining your 2 cores. That additional hop is transparent and would require some manual intervention (somehow).
Personally, I don’t think it’s a good idea for you to virtualize your cores. Path determination is impossible, independent device operation is severed, and you completely eliminate the possibility of intelligent routing. All of those are critical to a well-oiled network.
Though, you may have additional business requirements that dictate this design but aren't outlined above.
In the Cisco world, it's always been highly recommended to have layer 3 between distribution and core using a routing protocol.
This isn’t just the Cisco world, this is the Networking world overall. Network engineers work to eliminate STP in as many cases as possible because they know of the limitations it drags along with it. Routing to the access layer is recommended nowadays:
Consider EIGRP/Routing in the access layer.
A routing protocol like EIGRP, when properly tuned, can achieve better convergence results than designs that rely on STP to resolve convergence events. A routing protocol can even achieve better convergence results than the time-tested L2/L3 boundary hierarchical design. However, some additional complexity (uplink IP addressing and subnetting) and loss of flexibility are associated with this design alternative. Additionally, this option is not as widely deployed in the field as the L2/L3 distribution layer boundary model.
From Cisco: Campus Network for High Availability Design Guide - Access Layer Tuning
There used to be an idiom: “Switch where you can, Route where you must”. In recent times, that has been completely flipped on its head:
Route where you can, Switch where you must
Tons of enterprise switches support some level of routing now. We can’t stand behind ‘my device doesn’t support that’ because that’s not the case, anymore.
Is the practice of implementing a 'layer 3 distribution to core' applicable today in the HP world when it's possible to have a highly redundant layer 2 to the core without STP, using IRF?
Yes, it absolutely is. HP’s Intelligent Redundant Framework is just another system virtualization technology like Cisco’s StackWise and Juniper’s Virtual Chassis, just painted a different color and tagged with ‘the most disruptive technology in ages’. Every vendor will tout how much better theirs is than the competitor, but it’s not a game changer or anything to write home about.
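As an added illustration of the path-determination point made in the answer above (this is example code written for this page, not code from the original answer, from Cisco, or from HP), the following Python script models the two designs as graphs and runs Dijkstra over them: a routed distribution-to-core design where each switch is its own routing node, and an IRF core where the routing protocol sees the two members as one node reached over a single LAG, while the IRF link between the members exists only in the physical graph. Device names (dist1, core1, core2, wan), unit link costs and the failure cases are constructed assumptions.

```python
import heapq

# Constructed topologies for illustration; every link has cost 1.
# ROUTED: the L3 design, each switch is its own routing node.
ROUTED = {
    "dist1": {"core1": 1, "core2": 1},
    "core1": {"dist1": 1, "core2": 1, "wan": 1},
    "core2": {"dist1": 1, "core1": 1, "wan": 1},
    "wan": {"core1": 1, "core2": 1},
}

# IRF_LOGICAL: what a routing protocol sees when the two cores are virtualized
# into one node "core" reached over a single LAG.
IRF_LOGICAL = {
    "dist1": {"core": 1},
    "core": {"dist1": 1, "wan": 1},
    "wan": {"core": 1},
}

# IRF_PHYSICAL: the members and the IRF link (core1<->core2) that actually
# carry frames; the routing protocol never sees this graph.
IRF_PHYSICAL = {
    "dist1": {"core1": 1, "core2": 1},
    "core1": {"dist1": 1, "core2": 1, "wan": 1},
    "core2": {"dist1": 1, "core1": 1, "wan": 1},
    "wan": {"core1": 1, "core2": 1},
}


def without_link(graph, a, b):
    """Copy of graph with the a<->b link removed (a link failure)."""
    g = {n: dict(nbrs) for n, nbrs in graph.items()}
    g[a].pop(b, None)
    g[b].pop(a, None)
    return g


def shortest_paths(graph, src):
    """Dijkstra keeping every predecessor on equal-cost paths: {node: (cost, [preds])}."""
    cost = {src: 0}
    preds = {src: []}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if v not in cost or nd < cost[v]:
                cost[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == cost[v]:
                preds[v].append(u)  # equal-cost alternative
    return {n: (cost[n], preds[n]) for n in cost}


def next_hops(graph, src, dst):
    """All next hops src can use on shortest paths to dst (the ECMP set a router installs)."""
    sp = shortest_paths(graph, src)
    if dst not in sp:
        return set()
    hops, stack, seen = set(), [dst], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for p in sp[n][1]:
            if p == src:
                hops.add(n)
            else:
                stack.append(p)
    return hops


def one_path(graph, src, dst):
    """One shortest path from src to dst as a list of nodes, or None if unreachable."""
    sp = shortest_paths(graph, src)
    if dst not in sp:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(sp[path[-1]][1][0])
    return path[::-1]


def irf_hidden_hops(physical, entry_member, dst):
    """Extra hops a frame takes inside the IRF fabric after the LAG delivers it to
    entry_member. The routing view counts the whole fabric as one hop, so these
    hops never appear in any metric."""
    path = one_path(physical, entry_member, dst)
    return None if path is None else len(path) - 2


if __name__ == "__main__":
    print("routed, all links up:", next_hops(ROUTED, "dist1", "wan"))
    print("routed, dist1-core1 down:", next_hops(without_link(ROUTED, "dist1", "core1"), "dist1", "wan"))
    print("IRF routing view:", next_hops(IRF_LOGICAL, "dist1", "wan"))
    print("IRF, frame lands on core2 with its uplink down, hidden hops:",
          irf_hidden_hops(without_link(IRF_PHYSICAL, "core2", "wan"), "core2", "wan"))
```

In the routed model the distribution switch starts with two equal-cost next hops and, when its link to core1 fails, the routing protocol recomputes and keeps forwarding via core2. In the IRF model the routing view always has exactly one next hop, "core", and a frame that the LAG hashes onto a member whose own uplink has failed crosses the IRF link to the other member: the logical graph does not change, so no routing decision is involved and the extra hop is invisible to the protocol.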
Best Answer
Web authentication is really more of a means to limit/allow guest access on a clear network that requires no additional client configuration to connect. It is not meant as a way of providing secure access.
So, unless the client only uses encrypted sessions (HTTPS, SSH, SFTP, VPN, etc.), then they are far more secure using a PSK than web authentication.
Edit for the expanded question: Generally speaking a client connecting to the network in any means is not "capturing" any traffic in the air. Attackers capturing traffic will not be connected to the network.
If a client device is connected to an SSID that has no encryption, anyone in the area could "listen in" while there is data going to/from the client. Any of that data that is not encrypted by other means would be easily decoded by someone who wanted to do so. To be entirely clear, "L3 web authentication" provides no encryption. Specifically to answer your question, yes, anyone can capture traffic on an open/clear SSID using web authentication, whether they have a username/password or not, making traffic like your example HTTP or print traffic vulnerable.
A PSK is not actually used to encrypt the data; rather, it is used as a common frame of reference (or starting point) to allow two devices to negotiate the keying material used for encryption. Having the PSK will not allow you to decrypt the data. However, as BatchyX pointed out, if you have the PSK and capture the handshake, since you have the same "starting point" as the other device (i.e. the PSK), you will be able to get the keying material and decrypt any data using that keying material. This provides much less visibility for an outsider to capture data, as they would need both the PSK and the handshake to do so. One without the other will not suffice.
As for getting the PSK by capturing the handshake, this is a bit more involved, but can be done. Basically, this is a "brute force" type of attack where the attacker uses different PSK values against the handshake until they find one that allows them to understand the full handshake. Once they have this value, then they will be able to easily decrypt any other connection that they capture the handshake for as well. While this is a simplistic description, if you are using WPA2/AES without a "common", short, or dictionary PSK, know that this is very unlikely to occur.
If you wanted a better way of doing this without client certificates, then the most common one is 802.1X based WPA2-Enterprise using EAP-PEAP-MSCHAPv2. This only requires the server side certificate, but is a more involved process to configure the client (although this has gotten much better for many devices in the past couple of years) to authenticate against a RADIUS server. Not only does this make the keying material different for each user, but different for each session as well.
In your coffee shop scenario, I would recommend using a WPA2-Enterprise SSID for "company" devices. As for customer access, a second SSID with either web authentication or PSK provides a mechanism for limiting access. Normally most public places go with the web authentication because they can have a mechanism for providing a "Terms of Use" agreement to cover themselves in a legal sense. They leave it to the customer to provide for their own protection of data.
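The relationship the accepted answer describes between the PSK, the handshake and the per-session keys, as an added Python example that is not part of the original answer or of any vendor's code. It implements the standard WPA2-Personal derivation: PBKDF2-HMAC-SHA1 over the passphrase and SSID gives the PMK that every client of the network shares, and the IEEE 802.11 PRF over the PMK, both MAC addresses and both handshake nonces gives the session's PTK. The passphrase/SSID pair, the MAC addresses and the nonces are constructed sample values (the passphrase/SSID pair is the one used in the IEEE 802.11 PBKDF2 test vector, so the PMK it prints can be checked against published values).

```python
import hashlib
import hmac
import os

# Constructed sample values for illustration (not from the original answers).
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every client of the SSID derives the same PMK: this is the shared 'starting point'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbytes."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return bytes(out[:nbytes])


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise key expansion from the 4-way handshake (PRF-384 for CCMP/AES):
    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    KCK authenticates the handshake messages, KEK wraps the group key, TK encrypts data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def run_session(pmk: bytes, anonce: bytes = None, snonce: bytes = None) -> dict:
    """One association: AP and client each pick a fresh 32-byte nonce, exchange them in
    the clear, and both arrive at the same PTK. Returns the nonces (what a capture of
    the handshake would show) and the resulting keys."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    return {"anonce": anonce, "snonce": snonce,
            "keys": derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)}


def observer_recovers_tk(passphrase: str, ssid: str, captured: dict) -> bytes:
    """What a party holding the PSK *and* a capture of the handshake can compute: that
    session's TK. With the PSK alone there are no nonces to feed the PRF, so the TK of
    any session is out of reach."""
    pmk = pmk_from_psk(passphrase, ssid)
    return derive_ptk(pmk, AP_MAC, STA_MAC, captured["anonce"], captured["snonce"])["TK"]


if __name__ == "__main__":
    pmk = pmk_from_psk(PASSPHRASE, SSID)
    s1, s2 = run_session(pmk), run_session(pmk)
    print("PMK (same for every client of this SSID):", pmk.hex())
    print("session 1 TK:", s1["keys"]["TK"].hex())
    print("session 2 TK:", s2["keys"]["TK"].hex())
    print("PSK + captured handshake reproduces session 1 TK:",
          observer_recovers_tk(PASSPHRASE, SSID, s1) == s1["keys"]["TK"])
```

Two associations under the same PSK get different TKs because the nonces differ, which is why the answer says that both the PSK and that session's handshake are needed. The passphrase-guessing the answer mentions works against the first step: each candidate passphrase has to go through the 4096 PBKDF2 iterations before it can be checked against the handshake, so the cost of that step, and the length and unpredictability of the passphrase, are what the answer's "long, non-dictionary PSK" advice is about.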