VT Open WiFi

The VT Open WiFi SSID is an open network with no captive portal.

This network should be used by devices that cannot or should not use eduroam. The main reasons for this are:

  • The device cannot do 802.1X authentication (game consoles, Chromecasts, etc.).
  • The device belongs to a group (e.g., a department) rather than an individual, and thus does not have eduroam credentials.
  • The user is a guest (and has no eduroam IdP).

Authentication

Users can connect to and use the network with or without authentication. The only authentication is MAC authentication, which the network performs on the device's behalf, so the client always sees an open, unauthenticated network. Authentication is handled by FreeRADIUS, with OpenLDAP as the data store.

When any device connects to the open network:

  • The wireless controller sends a RADIUS request with the connecting device’s MAC address as the username and password.
    • The format of the MAC address is configurable in the MAC auth profile on the controller (.mac_auth_profile in the API, aaa authentication mac <profile-name> in the CLI). We use lower-case, colon-delimited MAC addresses.
  • If the device is not registered:
    • The RADIUS server returns an Access-Reject.
  • If the device is registered as a personal device, the RADIUS server returns an Access-Accept with:
    • VSA Aruba/Aruba-User-Role: ur-registered-device
    • User-Name: <PID the device is registered to>
  • If the device is registered as an organizational device, the RADIUS server returns an Access-Accept with:
    • VSA Aruba/Aruba-User-Role: ur-registered-device
    • User-Name: <Org ID>

Any registered device is put in the authenticated network; all other devices are in the unauthenticated network.
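
The decision flow above, sketched in Python as an added example (it is not the FreeRADIUS or OpenLDAP configuration in use): a dict stands in for the data store, and the MAC addresses, PID and Org ID are constructed. Accepting several input MAC formats and requiring the password to equal the username are assumptions of this sketch.

```python
import re

# Constructed stand-in for the OpenLDAP data store. Keys use the canonical
# form from the page (lower-case, colon-delimited); all values are made up.
REGISTRATIONS = {
    "02:00:00:aa:bb:01": {"kind": "personal", "owner": "examplepid"},
    "02:00:00:aa:bb:02": {"kind": "organizational", "owner": "example-org-id"},
}

# Same delimiter (":", "-" or none) between all six octets, or dotted quads.
_MAC_RE = re.compile(
    r"[0-9a-f]{2}([:-]?)(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
)


def normalize_mac(value):
    """Return the MAC lower-case and colon-delimited, or None if malformed."""
    text = value.strip().lower()
    if not _MAC_RE.fullmatch(text):
        return None
    digits = re.sub(r"[^0-9a-f]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth(username, password):
    """Return (reply code, reply attributes) for one MAC-auth request."""
    mac = normalize_mac(username)
    # Assumption: the controller sends the MAC in both fields, so a malformed
    # value or a mismatch between the two is rejected before any lookup.
    if mac is None or normalize_mac(password) != mac:
        return ("Access-Reject", {})
    entry = REGISTRATIONS.get(mac)
    if entry is None:  # unregistered device
        return ("Access-Reject", {})
    # Personal and organizational devices get the same role; only the
    # returned User-Name (PID or Org ID) differs.
    return ("Access-Accept",
            {"Aruba-User-Role": "ur-registered-device",
             "User-Name": entry["owner"]})


def network_for(reply_code):
    """A reject does not block the client; it only selects the network."""
    return "authenticated" if reply_code == "Access-Accept" else "unauthenticated"
```
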

Registration

Devices can be registered in the NIS Portal, as either a personal device or an organizational device.

In either case, when a device is registered, the registration application uses an API call (equivalent to the CLI command aaa user delete mac <mac>) to disconnect the device that was just registered. This allows it to reconnect and reauthenticate, which puts it in the correct network.