CSE Research Wireless Network
Guest Accounts
ABSTRACT
This short note describes a tool allowing properly
authorized individuals to grant temporary use of the
CSE Research Wireless Network to visiting colleagues or
dignitaries. Note that although we refer repeatedly
to "wireless" access, network guest accounts are
now valid on the wired subnet that services the Gates'
Commons, the sixth floor conference rooms and room
CSE503.
1. Introduction
Wireless access to UW networks is generally allowed without
question. That is, any person with a laptop and a wireless card can
obtain an IP address and browse networks run by UW C&C. It is
only when attempting to go beyond UW network boundaries that a
user is required to prove they are associated with the University
by providing their UWNetID.
In contrast, use of the CSE Research Wireless Network as a
transmission medium is restricted to the faculty, students and
staff of the department. The primary means of enforcing this
restriction has been a requirement that individuals register the
MAC address of their wireless card with the department. DHCP
requests for IP addresses from unregistered MAC addresses are
denied.
This registration policy has made it tedious to accommodate
transient non-departmental users with wireless networking
requirements, such as guest lecturers, faculty visitors, outside
reviewers and conference participants. Dealing with such individuals
or groups required either allowing unrestricted wireless access
to everyone or engaging in a tedious process of discovering,
registering and unregistering the MAC addresses of the visitors.
Since April 2003, the department has been experimenting with an
adjunct means of authenticating wireless users. This method,
known as NoCat, is fully described elsewhere. NoCat's salient
feature is that it allows an individual authenticated access to
the CSE wireless network simply by visiting a web page and typing
the password he or she normally uses to log in to departmental
computing resources. For various reasons, both technical and
administrative, MAC address registration is still encouraged but
it is no longer required.
2. Temporary Wireless Network Access
NoCat-style authentication can be used to allow visitors
temporary network access. A group of "wireless guest" identities was
created. When necessary, a guest identity can be reserved by an
authorized sponsor with the username and sponsor-defined password
given to the visitor(s). Using this temporary name/password
association, the visitor is granted wireless network access in
exactly the same manner as a (MAC-unregistered) member of the
department.
There are, however, significant differences between a "wireless
guest" and a full-fledged CSE account holder:
1. Wireless guests do not have logon privileges for computers or
network file service. However, they do have valid CSENetID
credentials and can view local web pages. It is also possible
for them to use printers but that involves appropriately
configuring their machine for the local environment.
2. Wireless guest access is intended to be temporary, measured
in days. Expired guest reservations are actively sought out
and disabled when found.
3. Unlike a regular user account, guest identities are intended
to be shared by a group of related individuals. For example,
if three outside reviewers of a project proposal were here
for two days, each of them would use the same guest identity
and password.
4. The ability to grant wireless guest access has been given to
all members of the groups fac_cs, tech_cs and offic_cs.
Guest identities are managed via a web page.
5. Access to guest network machines from other machines is
subject to some restrictions described in the following:
http://www.cs.washington.edu/lab/sw/wireless/noreg_auth.html#subtlediffs
3. Managing Wireless Guest Identities
Wireless guest identities can be allocated, released or extended
via:
https://www4.cs.washington.edu/cgi-bin/WFG/wifiguest.cgi
Using this page to perform operations should be straightforward.
However, the following comments may be helpful:
- Read closely the first four lines which describe the entropy
(character mixture) required for passwords.
- You must access the operations web page via the secure HTTPS
protocol and you must be CSENetID-authenticated.
- The "user names" of guest identities are all of the form
wifiguest01, wifiguest02, etc. These cannot be changed. You
cannot specify a particular name -- one will be selected for
you.
- There are a limited number of guest identities available. If
all of them are in use when you need one, there is no
recourse but to request aid from support@cs.
- You cannot extend or release an identity reserved by anyone
other than yourself.
- Reservation and extension periods are given in days, with a
maximum of 7 days. Extensions are not cumulative -- they are
based on the time the extension was requested.
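
The reservation rules listed above, modeled as an added Python example; this is not the wifiguest.cgi code and not part of the original note. The class and method names, the 1-day minimum, and the reading of "not cumulative" as "new expiry = request time + requested days" are assumptions, and password handling is left out.

```python
from datetime import datetime, timedelta

MAX_DAYS = 7  # maximum reservation/extension period stated in the note


class GuestPool:
    """Hypothetical model of the guest reservation rules."""

    def __init__(self, size):
        # Names are fixed and of the form wifiguest01, wifiguest02, ...
        self.free = [f"wifiguest{i:02d}" for i in range(1, size + 1)]
        self.active = {}  # name -> (sponsor, expiry)

    def reserve(self, sponsor, days, now):
        self._check_days(days)
        if not self.free:
            raise RuntimeError("no guest identities available")
        name = self.free.pop(0)  # the tool selects the name, not the sponsor
        self.active[name] = (sponsor, now + timedelta(days=days))
        return name

    def extend(self, sponsor, name, days, now):
        self._check_days(days)
        self._check_owner(sponsor, name)
        # Not cumulative: the new expiry counts from the request time,
        # not from the previous expiry.
        self.active[name] = (sponsor, now + timedelta(days=days))
        return self.active[name][1]

    def release(self, sponsor, name):
        self._check_owner(sponsor, name)
        del self.active[name]
        self.free.append(name)

    def sweep(self, now):
        """Disable expired reservations and return their names."""
        expired = sorted(n for n, (_, exp) in self.active.items() if exp <= now)
        for n in expired:
            del self.active[n]
            self.free.append(n)
        return expired

    def _check_days(self, days):
        if not 1 <= days <= MAX_DAYS:  # 1-day minimum is an assumption
            raise ValueError("period must be 1 to 7 days")

    def _check_owner(self, sponsor, name):
        # Only the sponsor who reserved an identity may extend or release it.
        if name not in self.active or self.active[name][0] != sponsor:
            raise PermissionError("not your reservation")
```

Under this reading, a 7-day extension requested on day 5 of a 7-day reservation expires on day 12, not day 14.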