VT Open WiFi
The VT Open WiFi SSID is an open network with no captive portal.
This network should be used by devices that cannot or should not use eduroam. The main reasons for this are:
- The device cannot do 802.1X authentication (game consoles, Chromecasts, etc.).
- The device belongs to a group (e.g., a department) rather than an individual, and thus has no eduroam credentials.
- The user is a guest (and has no eduroam IdP).
Authentication
Users can connect to and use the network with or without authentication. Only MAC authentication is used, so from the client's point of view the network is always an open, unauthenticated network. Currently, authentication is handled by ClearPass, but it will soon be handled by an instance of FreeRADIUS with OpenLDAP as the data store.
When any device connects to the open network:
- The wireless controller sends a RADIUS Access-Request with the connecting device's MAC address as both the username and the password.
- The format of the MAC address is configurable in the MAC auth profile on the controller (.mac_auth_profile in the API, aaa authentication mac <profile-name> in the CLI). Currently, the default of lower-case with no delimiter is used.
- If the device is not registered:
  - With ClearPass, an Access-Accept with no role is returned (this allows a CoA to disconnect the device once it is registered).
  - FreeRADIUS will simply return an Access-Reject (the device will be kicked with an API call).
- If the device is registered as a personal device, the RADIUS server returns an Access-Accept with:
  - VSA Aruba/Aruba-User-Role: ur-registered-device
  - User-Name: <PID the device is registered to>
- If the device is registered as an organizational device, the RADIUS server returns an Access-Accept with:
  - VSA Aruba/Aruba-User-Role: ur-registered-device
  - User-Name: <Org ID>
Any registered device is put in the Authenticated network; all other devices are in the unauthenticated network.
Devices can be registered in the NIS Portal. Devices can be registered as a personal device or an organizational device.
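The authorization decision above, as an added illustration that is not part of this page or of the ClearPass/FreeRADIUS configuration it describes. The registration table, the PID "jdoe" and the org ID "cs-dept" are constructed sample data standing in for the OpenLDAP store. It goes slightly beyond the page by accepting the MAC in any common delimiter and case and normalizing it to the controller's default (lower-case, no delimiter), and by modelling both the ClearPass behaviour (Access-Accept with no role for unregistered devices) and the FreeRADIUS behaviour (Access-Reject).

```python
import re

# Constructed sample registration data; in production this lives in OpenLDAP.
# Keys are MAC addresses in the controller's default format (lower-case, no delimiter).
REGISTRATIONS = {
    "aabbccddeeff": ("personal", "jdoe"),          # personal device -> owner's PID
    "001122334455": ("organizational", "cs-dept"), # org device -> Org ID
}

ROLE_VSA = "Aruba-User-Role"
REGISTERED_ROLE = "ur-registered-device"


def normalize_mac(mac):
    """Normalize a MAC in any common form (aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff)
    to the controller's default MAC auth profile format: lower-case hex, no delimiter.
    Raises ValueError if the string does not contain exactly 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return hexdigits.lower()


def authorize(username, password, registrations=REGISTRATIONS, reject_unregistered=True):
    """Decide the RADIUS reply for a MAC auth request from the wireless controller.

    Returns (reply_code, attributes). The controller sends the MAC as both User-Name
    and User-Password, so a mismatch is treated as a malformed request and rejected.
    reject_unregistered=True models FreeRADIUS (Access-Reject for unknown MACs);
    False models ClearPass (Access-Accept with no role, so a later CoA can kick the device).
    """
    if username != password:
        return ("Access-Reject", {})
    try:
        mac = normalize_mac(username)
    except ValueError:
        return ("Access-Reject", {})

    entry = registrations.get(mac)
    if entry is None:
        if reject_unregistered:
            return ("Access-Reject", {})
        return ("Access-Accept", {})  # no role: lands in the unauthenticated network

    # Both personal and organizational devices get the same role; only the
    # returned User-Name (PID vs. Org ID) differs.
    _kind, owner = entry
    return ("Access-Accept", {ROLE_VSA: REGISTERED_ROLE, "User-Name": owner})


if __name__ == "__main__":
    for mac in ("AA:BB:CC:DD:EE:FF", "00-11-22-33-44-55", "ffff.ffff.ffff"):
        print(mac, "->", authorize(mac, mac))
```

Whatever the real server does, the decision has to be keyed on the normalized MAC: if the controller's MAC auth profile format and the data store's format disagree, every device silently falls into the unregistered branch.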
Networks
Authenticated
Authenticated devices land in the same network as eduroam users and have no restrictions. Some service owners restrict access to on-campus networks, and this is one of them.
Devices get an RFC 1918 IPv4 address and a globally routed IPv6 address.
Unauthenticated
Unauthenticated devices land in the guest VRF.
Devices get a CG-NAT (100.64.0.0/10) IPv4 address and a globally routed IPv6 address.
This traffic is hair-pinned at the border and is effectively treated as Internet traffic.
There are no network ACLs artificially limiting access. However, some services require the client to be on an "on campus" network, which the unauthenticated network is not. Services that do not work from the unauthenticated network include:
- Zoom rooms
- Digital key access for physical doors