Authenticated Network Access
How It Works
See also a document written in 1997 about the KarlBridge.
Summary
This page describes how "open" Ethernet ports to which users may attach their laptops or other computers are secured at Penn State. "Secured" means the user must authenticate with their PSU Access Account before gaining access to the PSU network and the Internet.
Students who live off-campus, or faculty without LAN connections in their office, may occasionally need fast backbone connections. Users of such ports need to be identified for at least two reasons: (1) security -- they could do something bad on the network; and (2) printing -- in order to charge for printing.
Terminology
DHCP
DHCP (Dynamic Host Configuration Protocol) is a method for assigning your computer an IP address and other network parameters when the computer is plugged into the Ethernet. To set this on Windows, you pick "Obtain an IP address automatically" from the TCP/IP properties for the Ethernet connection.
KarlBridge
A KarlBridge from KarlNet -- invented at Ohio State -- is used to filter packets from these public ports. It is set up to allow packets to and from (1) the DNS server(s), (2) an authentication server, and (3) a DHCP server. It may also allow ICMP (e.g. Ping) packets through, but nothing else.
This is a small, inexpensive box that can do many things. There are various models. It is configured with a proprietary program that must run on a separate machine. Communication to it is via SNMP (Simple Network Management Protocol). IMHO, there is nothing simple about SNMP. PSU began using these in 1997 to secure these ports. Starting in 2004, we are switching to . . .
Extreme Networks Switches
This is a network switch (see their product line) that supports ACLs (Access Control Lists), which are configured to block network access per port until you authenticate. This is accomplished by setting the ACL on the port to which the client is connected.
Currently we support only the Summit48si and the Alpine 3800 Series switches.
Authentication Server
This is our web server with programs that verify your Penn State Access Account password and then allow your connection access to the rest of Penn State and the Internet.
How It Works
Hardware Configuration
The KarlBridge and Summit Switch are completely different, but at a high level they are configured the same way: to pass only packets for DHCP (so the client can get an IP address), DNS (so the client can look up the IP address of the web servers), and the authentication servers (port 443 to clc.its.psu.edu and clc1.its.psu.edu).
On the KarlBridge this is done by setting a number of firewall filters to pass packets by port and remote IP address. This device is placed between the LAN (Local Area Network) and the router that connects the LAN to the integrated backbone. Once authenticated, the IP address for that user has full access to the network. The Extreme Networks switches use various ACLs that are defined to do the same thing; however, unlike the KarlBridge, the IP address of the authenticated client is only allowed access to the network from the port to which it is connected, not from anywhere on the LAN.
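The pre-authentication policy described above, written out as a small packet-decision simulation. This is an added example, not Penn State's KarlBridge filter set or Extreme ACL configuration; the DNS, DHCP and authentication server addresses are constructed placeholders from the RFC 5737 documentation ranges (the two "auth server" addresses stand in for clc and clc1), and only client-originated packets are evaluated. It also shows the difference the paragraph points out: a KarlBridge bypass follows the IP address anywhere on the LAN, whereas an Extreme ACL is bound to the IP address on one switch port.

```python
"""Simulation of the pre-authentication packet policy: only DHCP, DNS and
HTTPS to the authentication servers pass until the client is authenticated.
Added example; all addresses are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed placeholder addresses for the servers the policy permits.
DNS_SERVERS = {"198.51.100.53"}
DHCP_SERVER = "198.51.100.67"
AUTH_SERVERS = {"203.0.113.10", "203.0.113.11"}   # stand-ins for clc / clc1


@dataclass(frozen=True)
class Packet:
    src: str            # client address
    dst: str            # destination address
    proto: str          # "udp", "tcp" or "icmp"
    dport: int = 0      # destination port (ignored for icmp)
    ingress_port: int = 0   # switch port the frame arrived on (Extreme only)


@dataclass
class Device:
    kind: str                  # "karlbridge" or "extreme"
    allow_icmp: bool = False   # the page says ICMP may optionally be passed
    # KarlBridge: bypass keyed by client IP only (LAN-wide).
    # Extreme: ACL keyed by (client IP, switch port).
    bypass: set = field(default_factory=set)

    def grant(self, client_ip: str, port: int = None) -> None:
        """What the login step does once the password has been verified."""
        if self.kind == "karlbridge":
            self.bypass.add(client_ip)
        else:
            self.bypass.add((client_ip, port))

    def revoke(self, client_ip: str, port: int = None) -> None:
        """What the logout step (or link-down / idle timeout) does."""
        key = client_ip if self.kind == "karlbridge" else (client_ip, port)
        self.bypass.discard(key)

    def permits(self, pkt: Packet) -> bool:
        """Decide whether a client-originated packet passes the device."""
        # 1. Authenticated clients bypass the filters entirely.
        if self.kind == "karlbridge":
            if pkt.src in self.bypass:
                return True
        elif (pkt.src, pkt.ingress_port) in self.bypass:
            return True
        # 2. Everyone else gets only the bootstrap traffic.
        if pkt.proto == "udp" and pkt.dport == 67:      # DHCP client -> server
            return True
        if pkt.proto in ("udp", "tcp") and pkt.dport == 53 and pkt.dst in DNS_SERVERS:
            return True                                 # DNS lookups
        if pkt.proto == "tcp" and pkt.dport == 443 and pkt.dst in AUTH_SERVERS:
            return True                                 # the login web page
        if pkt.proto == "icmp" and self.allow_icmp:
            return True                                 # optional ping
        return False


if __name__ == "__main__":
    kb, ex = Device("karlbridge", allow_icmp=True), Device("extreme")
    web = Packet("192.0.2.20", "203.0.113.99", "tcp", 80, ingress_port=5)
    print("pre-auth web:", kb.permits(web), ex.permits(web))
    kb.grant("192.0.2.20")
    ex.grant("192.0.2.20", port=5)
    moved = Packet("192.0.2.20", "203.0.113.99", "tcp", 80, ingress_port=9)
    print("same IP from another port:", kb.permits(moved), ex.permits(moved))
```

The last two lines of the usage block are the security-relevant difference: after the KarlBridge grants a bypass, any host on the LAN that takes over the same IP address is passed, while the Extreme switch keeps passing it only on the port where the login happened.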
DHCP
Although these ports are often called "DHCP ports", or the connection may be referred to as a "DHCP connection", the DHCP (Dynamic Host Configuration Protocol) part happens when the computer is plugged in and has little to do with securing the port or providing network access after authentication. However, the IP address assigned by the DHCP service needs to be known to the authentication service so that it can determine which device to talk to.
Login
After plugging in the Ethernet adapter, the OS should obtain an address from DHCP and make the internet connection available. The user can then open a web browser and go to the "login" page. When their userid and password are verified, the address of the KarlBridge or Extreme Networks switch they are "behind" is determined by looking up their IP address in a database. That device is then "told" to let them have complete network access. For a KarlBridge this is done by sending a "filter bypass" command for the client's address. If the device is an Extreme Networks switch, the port the user is connected to is determined first, and then an ACL is added for that address on that port allowing traffic through.
Logout
For the KarlBridge the user must open a web browser, go to the "logout" page, log out of the session and then disconnect. If a user fails to log out before disconnecting, someone else on that LAN may be able to hijack the IP address they were assigned and use it; to limit this, the KarlBridge removes the filter bypass after a configured period during which no traffic for that IP address has passed through the KarlBridge.
For the Extreme switch the user can go to the "logout" page to log out, or can simply unplug their Ethernet connection. When the port on an Extreme switch senses that the client has physically disconnected, it sends a "link down" event to another application (a service that receives SNMP traps); the service then looks up what address was using that port and removes the ACL for it.
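The login and logout steps described in the two sections above, modelled from the authentication server's side. This is an added example, not the CLC authentication programs themselves: the user table, the lease-to-device lookup table, the device addresses and the idle timeout are constructed placeholders, and the commands "sent" to each device are recorded as strings rather than issued over SNMP or to a switch. It covers the login lookup, the logout page, the link-down trap handler for the Extreme switch, and the KarlBridge idle timer that removes a bypass the user forgot to log out of.

```python
"""Controller-side simulation of login / logout for authenticated ports.
Added example; credentials, lease table, device addresses and timeout are
constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user table: userid -> (salt, sha256(salt + password)).
_SALT = b"example-salt"
USERS = {"abc123": (_SALT, _hash(_SALT, "correct horse"))}

# Constructed lookup table, the "database" the login page consults:
# DHCP-assigned client IP -> (device address, device kind, switch port).
# A KarlBridge has no per-port state, so its port entry is None.
LEASE_DB = {
    "192.0.2.20": ("198.51.100.2", "karlbridge", None),
    "192.0.2.40": ("198.51.100.3", "extreme", 7),
}


@dataclass
class Session:
    ip: str
    device: str
    kind: str
    port: Optional[int]
    last_seen: float        # last time traffic for this IP was seen


@dataclass
class Controller:
    idle_timeout: float = 600.0                   # KarlBridge idle timer, seconds (constructed)
    sessions: dict = field(default_factory=dict)  # client ip -> Session
    commands: list = field(default_factory=list)  # (device, command) audit trail

    def verify(self, userid: str, password: str) -> bool:
        """Constant-time password check against the constructed user table."""
        rec = USERS.get(userid)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash(salt, password))

    def _send(self, device: str, cmd: str) -> None:
        self.commands.append((device, cmd))       # stands in for SNMP / switch CLI

    def login(self, ip: str, userid: str, password: str, now: float) -> bool:
        if not self.verify(userid, password):
            return False
        if ip not in LEASE_DB:                    # unknown lease: no device to talk to
            return False
        device, kind, port = LEASE_DB[ip]
        if kind == "karlbridge":
            self._send(device, f"filter-bypass add {ip}")
        else:                                     # Extreme: ACL bound to the client's port
            self._send(device, f"acl add port {port} src {ip}")
        self.sessions[ip] = Session(ip, device, kind, port, now)
        return True

    def _revoke(self, s: Session) -> None:
        if s.kind == "karlbridge":
            self._send(s.device, f"filter-bypass delete {s.ip}")
        else:
            self._send(s.device, f"acl delete port {s.port} src {s.ip}")
        del self.sessions[s.ip]

    def logout(self, ip: str) -> bool:
        """The "logout" page."""
        s = self.sessions.get(ip)
        if s is None:
            return False
        self._revoke(s)
        return True

    def on_link_down(self, device: str, port: int) -> int:
        """Handler for the Extreme switch's link-down trap; returns ACLs removed."""
        victims = [s for s in self.sessions.values() if s.device == device and s.port == port]
        for s in victims:
            self._revoke(s)
        return len(victims)

    def saw_traffic(self, ip: str, now: float) -> None:
        if ip in self.sessions:
            self.sessions[ip].last_seen = now

    def expire_idle(self, now: float) -> list:
        """KarlBridge behaviour: drop a bypass whose address has been silent too long."""
        expired = [s for s in self.sessions.values()
                   if s.kind == "karlbridge" and now - s.last_seen >= self.idle_timeout]
        for s in expired:
            self._revoke(s)
        return [s.ip for s in expired]
```

A note on the design: the idle timer is the only thing that eventually closes the hijack window on the KarlBridge side, so `saw_traffic` must be fed from the device's own counters, not from the login page; the Extreme path needs no timer because the link-down trap ties the cleanup to the physical disconnect.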
This site maintained by the Classroom and Lab Computing group of Information Technology Services.
This page was last modified: 6/9/2006 11:19:03 AM.