ITAC Notes – December 3, 2009
Location: RENCI Engagement Center (Tel-Com Bldg.)
- Announcements and meeting minutes
- Network authentication and guest access (Bob Johnson, Sanjay Rao)
- Future directions for guest authentication (Paul Horner)
- Redesign of campus NetID authentication screens (Klara Jelinkova, Steve O'Donnell, Shilen Patel)
Meeting Minutes Review and General Announcements
Terry Oas opened by asking ITAC members present at the November 19, 2009 meeting if they had comments on the minutes. Noting no objections, Terry accepted the minutes and stated that they would be posted on the ITAC web site.
(http://www.duke.edu/services/itac/minutes/2009/)
Samantha Earp announced that the following Tuesday and Thursday there would be a demonstration of eLearning related information. She said more information is available at http://elearning.duke.edu. There will also be a Blackboard 9 presentation. She noted it is very different from the current version. Samantha thanked Lynne O’Brien and her staff for their assistance.
Network authentication and guest access - Bob Johnson, Sanjay Rao
Terry introduced Bob Johnson and Sanjay Rao from OIT. Klara Jelinkova introduced Sanjay as an Assistant Director in the Shared Services and Infrastructure group. She said his areas include Identity Management, Network Design, and the Messaging Team. John Board said part of the motivation for this topic and some other agenda items comes from less than ideal experiences with the guest wireless system. He added that the Technology Architecture Group (TAG - http://www.oit.duke.edu/enterprise/tag.php) is also exploring this.
Sanjay described the current implementation. He said there exist two methods for non-Duke affiliates to gain access to network connectivity. Guest connectivity can be provided by contacting the Service Desk or by working through Library public services staff; Tracy Futhey noted the latter process “loops back to” the first, Service Desk based process. Guests receive basic authentication access that provides no authorization to other central services.
Sanjay said the guest access credentials are regularly updated and tracked for metrics. The process under discussion here would eliminate the need to use such guest authentication by allowing public guest wireless access on a separate virtual network.
Sanjay noted two primary considerations when implementing a guest wireless network. One is authentication, the process that validates that the user is who they claim to be. The second is policy control: in effect, allowing visitors access to the specific resources they should have access to.
Sanjay described available authentication methods and policy control options and the group discussed their advantages and disadvantages.
Sanjay reviewed a sampling of peer institutions’ varied implementations of guest network access. Bob J. asked if these schools have a public network that gets to the web. Sanjay said these guest users generally will connect to a limited “public” SSID, whereas authorized users may connect to another SSID. Duke’s access points can provide multiple SSIDs.
Klara clarified that the access shown in Sanjay’s presentation as “web” did not necessarily mean access restricted exclusively to port 80. She added that some schools present terms and conditions prior to granting web access, but the actual usage may be quite open. Terry asked if anyone restricted VPN use on their public network. Sanjay added that it would depend on the type of VPN solution implemented at the institution. Rafael said the use of VPN access would be dependent on the port that the user is able to connect through.
Klara said OIT would like to consider a new approach to accessing the Duke network that simplifies access while ensuring appropriate policy controls are in place for Duke guests. She added that OIT was interested in having that conversation because it would lead to a better customer experience. Tracy said users currently may have guest access, but there is a secondary machine registration process that users need to go through.
Klara said the process for Duke guests to gain access is not obvious to the people it is designed for, visitors. Bob agreed, adding that today’s process is cumbersome. He added that the Duke network now allows for differentiation of networks and can treat them accordingly, such as restricting them to certain resources. Duke is in a position to take advantage of this capability, he said.
Sanjay touched on some longer-term plans. He noted that Active Directory (WIN.DUKE.EDU) and NetID synchronization is complete. He added that unified network access to campus and DHTS resources is part of a longer strategy.
John B. said Duke now has the ability to have access points (APs) display multiple SSIDs that have different types of access. Bob said the goal is to be able to offer layered resources and further protect operational resources.
Bob asked how guest access worked within the Health System. Rafael said users must agree to an Acceptable Use Policy (AUP). The biggest initial challenge was that access was only open to the web; however, customers wanted VPN access to remote sites. He added that they advertised the service through waiting areas and patient visible areas. Tracy asked if there were any major issues. Rafael said there had not been.
A discussion ensued about some operational questions around the DUHS wireless environment and the current state of some SSL certificates.
Tracy asked if there was a specific proposal or recommendation from the presenters on where the appropriate service-restriction balance might be. Bob said they sought ITAC’s level of acceptance for moving forward with a prototype. What types of access might be of interest to this group? Rafael said an issue is the difference between basic network access as opposed to offering services. John Board said he liked the Open Access model with restrictions similar to the Health System. Rafael said this would facilitate network access but restrict access to services.
Molly said the Library’s usage needs should be considered. She said the Library’s approach has been to offer network and service access in a public way. Terry asked if a user of the Duke Library would be considered a member of the Duke community while they access those services. Molly said they would be. Rafael said that would not be the case for the Medical Library. Robert Wolpert noted a member of the public could come into the Library and read a book or periodical from the shelf. Molly said the Library has embraced that approach and applied it to its technology service offerings.
Molly added that another concern is who has physical access to a building. Klara said OIT can work with the Library to meet its network needs. This case should not necessarily direct how wireless services are deployed and offered more broadly, she said. John B. said the issue for the Library is an authentication issue. Molly said one possible solution would be to have a network exclusively for the Library that allows them access to those services. Terry asked if that was technically feasible. Bob said it was.
Tracy asked if other members had ideas about how this might be deployed.
Dan Cantrell said bandwidth restrictions should be reasonable.
David Richardson said they had a workshop last year that was very successful using the Link (http://link.duke.edu). These customers used guest access and got great support from the Help Desk. He said in some cases customers had to VPN into their home environments and transfer large files. Dan C. said the Law School had some issues with wireless congestion. He suggested a QoS solution to give Duke traffic preference. Klara said special use cases could allow for different technical solutions. She said a proposed model would be to have open access as the ground floor model with the ability to provide additional capabilities as the use case warrants.
Susan Gerbeth-Jones asked if the network could be re-configured rather than the client side, in effect, changing the network for the duration of a conference. Klara said this was technically possible.
Dave R. said there should be a balance for what needed to be in place most of the time.
Tracy said she heard members expressing general support. Alvy Lebeck asked about the use cases OIT has seen so far. He asked if there might be use cases that OIT does not know about, since the model is set up in one way now.
Bob said they will come back next year to show a possible mockup.
Future directions for guest authentication - Paul Horner
Paul Horner discussed findings on guest authentication over time, categorized by subnet. He noted the Library accounts for approximately 50% of usage over the sample period, and that general wireless access accounts for about a third.
A conversation ensued over what defines a “guest,” whether access control is best centralized or decentralized, the differentiation between members of the public and invited guests to Duke, and the role of broader access to sponsored affiliate identities. The discussion also touched on the accuracy of the current metrics.
Paul said the Help Desk had approximately 100 calls about guest authentication over the sample period. Tracy said these data demonstrate the need to move to a more straightforward approach to the guest network. Tracy asked to have a proposal at the next ITAC meeting with a prototype within a week of that. Klara said Sanjay would be ready to do that in January.
Robert Wolpert said the obvious thing to do is try it out and see. Alvy said the layered approach gives more access. John B. said the question was whether there were more needs than guest access and “full-blown affiliates”. Molly and Klara said this should not impact the special case they are working on.
Redesign of campus NetID authentication screens - Klara Jelinkova, Steve O'Donnell, Shilen Patel
Klara said Steve O’Donnell and Shilen Patel worked on the new NetID authentication screens along with others. Klara said the overall concept is that Shibboleth (http://shibboleth.internet2.edu/) is actually two things: the Identity Provider (IdP - “who you are”) and the Service Provider (SP - “the service you are trying to access”). Both of these are configurable. OIT is proposing reconfiguring the SPs to provide more information about their services. The SP templates can be service specific to allow for service branding and announcements.
Klara showed the current Shibboleth authentication screen. Klara then showed the proposed new screen. She said the template would be common to all services. This template would have a lot more service context-sensitive information. Tracy noted that the reason a given service was shown in the example was that that service was the one the customer was authenticating to.
Klara added that service specific information and alerts could be displayed on the screen. In addition, broadly impacting service information could be pushed to the IdP so that it would be shown regardless of service.
Rafael said this solution would not replace Single Sign On. Customers would not have to repeatedly authenticate into Shibboleth for every service that they want to log onto once they have successfully authenticated. Klara said this was the rationale for putting broad outage information into the IdP, so customers would be made aware of it regardless of their specific service request.
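As an added illustration of the IdP/SP split described above (example code written for these notes, not OIT’s or the Shibboleth project’s implementation): the IdP login page reads the requesting SP’s entityID from the SAML AuthnRequest, looks up that SP’s registered branding and alerts, and merges in the alerts pushed to the IdP itself, which appear regardless of service. The entityIDs, service names, alert text and dates are constructed assumptions, not real Duke services or incidents. The one check a practitioner would want is also shown: an entityID that is not in the SP registry gets generic branding, and the raw entityID string is never placed in the page context, so an unregistered or attacker-chosen issuer cannot dress up the login screen.

```python
"""Context-sensitive IdP login page data, keyed by the requesting SP.

Illustrative code added to these notes; it is not Duke OIT's or the Shibboleth
project's implementation. Every entityID, service name, alert and date below is
a constructed assumption, not a real Duke service or incident.
"""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

MEETING_DATE = dt.date(2009, 12, 3)

# An alert is (text, first day shown, last day shown).
Alert = Tuple[str, dt.date, dt.date]

# Per-SP template data: what each service's SP template would carry.
# Keys are SAML entityIDs (assumed values, not real Duke SPs).
SP_REGISTRY: Dict[str, dict] = {
    "https://lms.example.edu/shibboleth": {
        "name": "Learning Management System",
        "alerts": [
            ("Grade export is running slowly; fix expected this week.",
             dt.date(2009, 12, 1), dt.date(2009, 12, 7)),
            ("Planned upgrade over Thanksgiving break.",  # already expired
             dt.date(2009, 11, 20), dt.date(2009, 11, 30)),
        ],
    },
    "https://mail.example.edu/shibboleth": {
        "name": "Webmail",
        "alerts": [],
    },
}

# Broadly impacting information pushed to the IdP itself: shown for every SP.
GLOBAL_ALERTS: List[Alert] = [
    ("NetID login unavailable Sun Dec 6, 02:00-04:00 for maintenance.",
     dt.date(2009, 12, 1), dt.date(2009, 12, 6)),
]

GENERIC_SERVICE_NAME = "Duke NetID login"


def active_alerts(alerts: List[Alert], today: dt.date) -> List[str]:
    """Return the text of alerts whose display window includes today."""
    return [text for text, start, end in alerts if start <= today <= end]


def sp_entity_id_from_request(authn_request_xml: str) -> Optional[str]:
    """Extract the requesting SP's entityID from a SAML 2.0 AuthnRequest.

    Returns None if the document is not a well-formed AuthnRequest with an Issuer.
    """
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not issuer.text:
        return None
    return issuer.text.strip()


def login_page_context(authn_request_xml: str, today: dt.date) -> dict:
    """Assemble the data the IdP login template needs for this request.

    A registered SP gets its own name and its currently active alerts; any
    other issuer falls back to generic branding. The raw entityID is
    deliberately left out of the context, so an unregistered (possibly
    attacker-chosen) value is never rendered into the page.
    """
    entity_id = sp_entity_id_from_request(authn_request_xml)
    sp = SP_REGISTRY.get(entity_id) if entity_id is not None else None
    return {
        "known_sp": sp is not None,
        "service_name": sp["name"] if sp else GENERIC_SERVICE_NAME,
        "service_alerts": active_alerts(sp["alerts"], today) if sp else [],
        "global_alerts": active_alerts(GLOBAL_ALERTS, today),
    }


def constructed_authn_request(entity_id: str) -> str:
    """Build a minimal, unsigned AuthnRequest (constructed sample input)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2009-12-03T14:00:00Z">'
        f"<saml:Issuer>{escape(entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    for eid in ("https://lms.example.edu/shibboleth", "https://unknown.example.net/sp"):
        print(eid, "->", login_page_context(constructed_authn_request(eid), MEETING_DATE))
```

Because of Single Sign On, a user passes through the IdP page once per session and then goes straight to each further service, which is why the outage notice lives in the IdP-wide list rather than only in an individual SP’s template; SP-specific alerts at the IdP reach only the users who authenticate while that service is their first request of the session.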
Klara said this solution would also allow for multi-factor authentication. Steve O. has been working on how to communicate this.
Klara said this will require a fair amount of communication so users would not think they were being hacked. There will be a story in Duke Today (http://www.duke.edu/today/). After that, OIT would deploy a modified “webauth” page with more information introducing this to customers. Klara asked for feedback.
Robert W. said the page had a great deal of information. He said it might be a good idea to have more limited, targeted information. In addition, Robert said it is a good idea to show that this is Shibboleth, since it interacts well with other groups outside of Duke. Samantha Earp said representing that graphically rather than in text would be better. Klara said sharpening the message is a good idea. John B. suggested having the information show up in rotation, both to minimize the amount of content on the screen and to keep the content fresh.
Dave R. said there is a balance between showing a lot of stuff all the time and different stuff all the time. There is a risk of noise. He suggested making available a lot of content that users can access, but not necessarily always displaying information on the landing page. He suggested tabs might be a way to accomplish this.
Alvy said when users go to authenticate, they are already going to a service they are familiar with.
Terry said the feedback is to allow service providers to give custom information on that page. He said the feedback is to advise service providers to keep their messages concise.
End of semester reception