Classroom and Lab Computing

Mobile Port Authentication Service




Noah encounters strawberries, age 1, in 1997.  Looks like a horror movie, huh?

10 years later he can still get just as messy when he eats.

Introduction

This page is for end-users of the authentication component of the Penn State Mobile Computing Service as described by TNS, or other public ports secured by a KarlNet (now out of business) KarlBridge or KarlRouter or an Extreme Networks Summit or Alpine switch.

You do not need to read this to use the service.  See TNS' instructions.  This page is for those who are curious about the authentication part or have problems not addressed elsewhere.

Why it is Called NOAH

The authentication program is called NOAH, a silly acronym for "Network Online Authentication Handler", because:

How it Works

 See also TNS' instructions, and other explanations.

  1. You plug your laptop into a public Ethernet port "secured" by a KarlBridge or Extreme Networks switch.
  2. Your machine contacts a DHCP server and is assigned an IP address and other network settings.
  3. The network device allows packets to and from only certain machines on the network; our secure (SSL-enabled) web servers are two of them.
  4. You connect to the Port Login page on our web server, and enter your Access Account userid and password.
  5. When you press the button, your userid and password go (encrypted) to the web server and are received by a CGI program called Noah.
  6. Noah verifies your password with Kerberos (or DCE if this is after June 2000, or win.psu.edu after 2002, or Kerberos 5 in the dce.psu.edu realm starting in 2006).
  7. If your password is ok, Noah looks up in a table what device guards your network.
  8. Noah asks the device to let packets to and from your IP address go anywhere (called a filter bypass on the KarlBridge, and an access list rule on the Extreme Networks switch), and remembers when you "logged on".
  9. Note that you are told what your Idle Timeout is (KarlBridge only).
  10. In some locations you are also logged into PALS so you can print.

When you are ready to leave, go to the Port Logout page and press the Logout button.  Noah is launched on the server again.  He looks up when (if) you logged in, tells the network device to remove your filter bypass or access rule, and logs that you have logged off.

Idle Timeout

This applies to KarlBridge only:

If you don't do anything for a while (default, 30 minutes), your machine will be automatically limited to accessing only the login web servers.  That is, your filter bypass is removed.

Your filter bypass is a value, in seconds, stored in the KarlBridge.  It tells the hardware to not filter or restrict packets to or from your IP address.  If there is no traffic at all to or from your machine your bypass or "opening" is closed without notice to you or us.

You will know when this happens because suddenly network applications can't do anything (well, can't do network stuff).

Just go back to the Port Login page and log in again.  It will tell you something about you already being logged in -- that's because your IP address is listed with your userid and you didn't log out.  Noah cannot tell that your filter bypass timed out.

Note that some things you do, for example, connecting to a file system on a Windows server, result in frequent "chattering" between machines even when you aren't doing anything, so you may never see this idle timeout go into effect.

Some locations may have a shorter time-out for security reasons.  The hardware limits the maximum time-out.

For ports behind Extreme Networks switches, when you disconnect your Ethernet cable from the port the switch notifies our server and you are logged out.
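
An added sketch, not Noah's own code, of the login, idle time-out and logout sequence described above for a KarlBridge port.  The class and function names, the sample userid and address, the in-memory password table standing in for Kerberos, and the choice to re-add the bypass on a repeat login are all assumptions.

```python
import hmac
import ipaddress

IDLE_TIMEOUT = 1800  # seconds; the default idle time-out given on this page

class BridgeModel:  # constructed stand-in for a KarlBridge
    def __init__(self):
        self.bypass = {}                          # ip -> time of last traffic
    def add_bypass(self, ip, now):
        self.bypass[ip] = now
    def remove_bypass(self, ip):
        self.bypass.pop(ip, None)
    def allows(self, ip, now):
        if now - self.bypass.get(ip, float("-inf")) > IDLE_TIMEOUT:
            self.bypass.pop(ip, None)             # closes silently; the server is not told
            return False
        self.bypass[ip] = now                     # any traffic resets the idle timer
        return True

class NoahModel:  # hypothetical model of the login server
    def __init__(self, accounts, device_table):
        self.accounts = accounts                  # userid -> password (stand-in for Kerberos)
        self.device_table = device_table          # ip_network -> guarding device
        self.sessions = {}                        # ip -> (userid, login time)
    def device_for(self, ip):
        addr = ipaddress.ip_address(ip)
        return next(d for net, d in self.device_table.items() if addr in net)
    def login(self, userid, password, ip, now):
        expected = self.accounts.get(userid)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "denied"
        already = ip in self.sessions             # stale entry if the bypass idled out
        self.device_for(ip).add_bypass(ip, now)   # assumption: bypass is re-added either way
        self.sessions[ip] = (userid, now)
        return "already logged in" if already else "logged in"
    def logout(self, ip):
        if self.sessions.pop(ip, None) is None:
            return "not logged in"
        self.device_for(ip).remove_bypass(ip)
        return "logged out"

def walkthrough():
    bridge, ip = BridgeModel(), "192.0.2.10"      # constructed sample address
    noah = NoahModel({"xyz123": "constructed-pw"}, {ipaddress.ip_network("192.0.2.0/24"): bridge})
    return [noah.login("xyz123", "constructed-pw", ip, 0),
            bridge.allows(ip, 600),                     # traffic inside the window
            bridge.allows(ip, 600 + IDLE_TIMEOUT + 1),  # idle too long: bypass closed
            ip in noah.sessions,                        # server still lists the session
            noah.login("xyz123", "constructed-pw", ip, 2500),
            noah.logout(ip)]
```

The fourth value returned by walkthrough() is the point of the model: once the idle timer fires, the server's session table and the device's bypass state disagree, which is why the repeat login reports an existing session.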

Glossary

We don't know how to get away from all the acronyms and computer terms required for a simple document like this.  Sorry, that's the way the computer world is.

Access Account -- a Penn State Access Account userid and password, stored in a Kerberos database.  This account is used to access all central resources at Penn State.

CGI -- Common Gateway Interface -- a method by which a program running on a WWW server gets data from an HTML form and sends replies to the user.

DCE -- Distributed Computing Environment -- a big complicated system to do all kinds of stuff no one really wants to do.

DHCP -- Dynamic Host Configuration Protocol -- a method by which a TCP/IP stack can automatically obtain an IP address, netmask, gateway address, and other configuration parameters from a server.

Filter Bypass -- a setting on a KarlBridge that bypasses restrictions of where packets can go.

Kerberos -- a method of authenticating users and securing network transactions. The PSU Kerberos server is of the "MIT Kerberos 5" flavor.

PALS -- Page Accounting and Login Server -- Designed and written by CLC to manage laser printer access (free pages, page limits, etc.) and keep lists of who logged in where and when.

SSL -- Secure Sockets Layer -- an encryption and verification method used with HTTP (note, URLs will start with HTTPS).

Problems

Not Talking

If there is no answer from https://clc.its.psu.edu you can try the backup server at https://clc1.its.psu.edu.

If you log in via the backup server, please log out via the backup server as well.

If the backup server doesn't respond then something else is wrong.

Other Problems

What other problems?!  Noah will report weird and unexpected problems by email to the program author and TNS NMC.  We'll describe them here when encountered.

Changes

Changes to the service are listed here.  For details of code changes go here.

Date      Changes made
5/1/04    Add support for Summit (later Alpine) switches.
11/28/03  Fix old URLs on this page; change OTC to TNS.
10/10/02  Move pages to clc web site; change logging pages to add notice about moving service.
3/7/01    Raise default idle time-out to 1800 seconds.
8/31/98   On backup server, add some JavaScript to the PortLogin.html to make it try the primary server first, then load the local page PortLoginBack.html if there is no response.
8/27/98   Take blank lines out of reply html so it is shorter.  Change login/logout page titles to be "Network Login".
10/22/97  Make Zephyr the main server (it is now dsg.cac.psu.edu) and make Antares (now dsgb.cac.psu.edu) the backup.  Need to get certificate reissued for dsgb.

© 2002 The Pennsylvania State University.  Comments may be sent to the CLC Webmasters.
This page was last modified: 1/23/2007 9:01:02 AM.