Re: Admission Control to the IETF 78 and IETF 79 Networks

Phillip Hallam-Baker <hallam@gmail.com> Sat, 24 July 2010 18:37 UTC

In-Reply-To: <4C4AE85A.7070308@ietf.org>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <4C4AE85A.7070308@ietf.org>
Date: Sat, 24 Jul 2010 14:37:31 -0400
Message-ID: <AANLkTi=5Y9H1rBN=xVi0cbEwYZ+-RWYynDz-ycw-QSDS@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Phillip Hallam-Baker <hallam@gmail.com>
To: IETF Chair <chair@ietf.org>
Cc: 78all@ietf.org, IETF <ietf@ietf.org>, IETF Announce <ietf-announce@ietf.org>, IESG <iesg@ietf.org>

Any chance of a link to specs showing how it is done?

Might be something that maybe deserves to see wider use.

On Sat, Jul 24, 2010 at 9:19 AM, IETF Chair <chair@ietf.org> wrote:
> eduroam (education roaming) is the secure, world-wide roaming access
> service developed for the international research and education
> community. eduroam allows students, researchers and staff from
> participating institutions to obtain Internet connectivity across campus
> and when visiting other participating institutions by simply opening
> their laptop. Since we expect a reasonable attendance at IETF from
> eduroam-connected sites, IETF participants with an eduroam account
> configured should get connected to the wireless network right away with
> their usual credentials.
>
> Enjoy,
> Russ
>
> On 6/30/2010 5:55 PM, IETF Chair wrote:
>> I am writing to let you know about a change in the IETF meeting network.
>> At IETF 79 in Beijing, the IETF network will be connected to the open
>> Internet with absolutely no filtering.  However, we have agreed with our
>> hosts that only IETF meeting participants will have access to the
>> network.  Following sound engineering practices, we will deploy
>> admission control mechanisms as part of the IETF 78 meeting network in
>> Maastricht to ensure that they are working properly before they are
>> mission critical.
>>
>> I am writing to let you know what to expect in both Maastricht and Beijing.
>>
>>
>> ADMISSION CONTROL CREDENTIALS
>>
>> To gain access to the IETF network, you will need to provide a
>> credential. Your primary credential will be your registration ID.  You
>> can find your registration ID on the registration web page, in the
>> response email confirmation you received from the Secretariat, on your
>> payment receipt, and on the back of your IETF meeting badge.  Your
>> Registration ID will be your user name, and it will be used with a
>> password that will be provided at a later date.  This same password will
>> be used by all attendees.
>>
>> We recognize that IETF 78 registration IDs are very easy to guess.  We
>> expect to use less easily guessed registration IDs for IETF 79.
>>
>> If for any reason you are uncomfortable using your Registration ID,
>> there will be a supply of completely anonymous Registration ID/Password
>> pairs on slips of paper available at the help desk and registration
>> desk.  You will be asked to show an IETF meeting badge to ensure that
>> slips are only provided to registered meeting attendees.
>>
>> Each set of credentials will allow up to three separate MAC addresses on
>> the network, allowing attendees to use the same credential for their
>> laptop, phone, or other devices.  The limit is to prevent the leak of a
>> single credential from undermining the entire system.
>>
>>
>> GAINING ACCESS TO THE NETWORK
>>
>> The primary mechanism to gain access to the wireless network will be
>> either the "ietf.1x" or "ietf-a.1x" SSID.  These will be configured with
>> WPA1 and WPA2 Enterprise.  You simply provide your credentials to your
>> supplicant software for authentication to the network.  I personally
>> encourage you to use WPA2 over WPA1 if your software and hardware
>> support both.
>>
>> If your software does not support WPA Enterprise, you can use the
>> captive portal.  To use this portal, associate with either the
>> "ietf-portal" or "ietf-a-portal" SSID.  Upon initial connection,
>> Internet connectivity will be blocked.  Simply open a browser and go to
>> any web site, just like many hotel networks, and you will be redirected
>> to a portal page where you can enter your credentials.  Once the
>> credentials are validated, your MAC address will have unrestricted
>> access to the network for some period of time.  The portal page will
>> also have links to the internal wiki page with helpful information as
>> well as a way to create trouble tickets prior to authentication.
>>
>> If your small device does not support WPA Enterprise and does not have
>> a browser, then you will be able to visit the help desk and register the
>> device MAC address for access to the network.  If you need to register
>> your device, please know the MAC address of your device before you show
>> up at the help desk.
>>
>>
>> FALLBACK PLAN
>>
>> Implementing this plan at IETF 78 in Maastricht is important, but
>> obviously not without risk.  The IEEE 802.1X-based access mechanisms
>> have been well tested at previous meetings, and this mechanism is not
>> likely to be a source of trouble.  The captive portal, however, is a
>> greater unknown.  Please use the WPA SSIDs if at all possible to reduce
>> the load on the portal machines.  If the portals do experience problems,
>> the NOC team will implement a backup plan.  The backup plan will only be
>> used as a last resort as the backup plan will not be an option at IETF
>> 79 in Beijing.
>>
>>
>> Safe Travel and Best Wishes,
>>   Russ Housley
>>   IETF Chair
>>
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf
>>



-- 
Website: http://hallambaker.com/
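
The per-credential device limit described in the quoted announcement (a registration ID plus one shared password, at most three MAC addresses per credential) can be modelled as follows. This is an added example, not part of the thread and not the IETF NOC's implementation; the class and function names, registration IDs, password and MAC addresses are all constructed for illustration.

```python
import hmac
import re

MAX_MACS_PER_CREDENTIAL = 3  # limit stated in the announcement


def normalize_mac(mac):
    """Canonicalise a MAC so 00:1A:.., 00-1a-.. and 001a.2b3c.. compare equal."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError("not a MAC address")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address")
    return digits.lower()


class AdmissionControl:
    """Hypothetical model: registration ID + shared password, <= 3 MACs each."""

    def __init__(self, registration_ids, shared_password):
        self._password = shared_password.encode()
        self._macs = {rid: set() for rid in registration_ids}

    def admit(self, registration_id, password, mac):
        """Return (admitted, reason) for one authentication attempt."""
        try:
            mac = normalize_mac(mac)
        except ValueError:
            return False, "bad-mac"
        seen = self._macs.get(registration_id)
        # Constant-time comparison of the shared password.
        ok_pw = hmac.compare_digest(password.encode(), self._password)
        if seen is None or not ok_pw:
            return False, "bad-credential"
        if mac in seen:
            return True, "known-device"  # re-authentication, no new slot used
        if len(seen) >= MAX_MACS_PER_CREDENTIAL:
            return False, "mac-limit"    # a fourth device is refused
        seen.add(mac)
        return True, "new-device"


def demo():
    pw = "constructed-password"  # constructed sample value
    ac = AdmissionControl({"reg-0001", "reg-0002"}, pw)
    attempts = [
        ("reg-0001", pw, "00:1A:2B:3C:4D:01"), ("reg-0001", pw, "00-1a-2b-3c-4d-01"),
        ("reg-0001", pw, "001a.2b3c.4d02"), ("reg-0001", pw, "00:1a:2b:3c:4d:03"),
        ("reg-0001", pw, "00:1a:2b:3c:4d:04"), ("reg-0002", pw, "00:1a:2b:3c:4d:04"),
        ("reg-9999", pw, "00:1a:2b:3c:4d:05"), ("reg-0002", "wrong", "00:1a:2b:3c:4d:06"),
    ]
    return [ac.admit(*a)[1] for a in attempts]
```

Normalising the MAC before counting matters: without it, the same device reported in two notations would consume two of the three slots.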