Click to return to CIT home page

Posted: 20 April 2007

Network Authentication Now Required for Computers Accessing the College Network

Network Authentication Process:

Starting Tuesday, 24 April 2007, at 0730, all Oberlin College network users will be required to authenticate to the network prior to gaining access. This will be the case for faculty, staff, students, and guests. Network Authentication is necessary in order to meet the College's requirements under CALEA, the Communications Assistance for Law Enforcement Act of 1994. (See details on this in the online CIT Newsletter.) Note: This does not affect Oberlin Cable Co-op users.

Faculty, Staff and Students will need to authenticate every 28 days, starting 24 April 2007.

To authenticate to the network, you must do the following:

• login to your computer, if a login is required
• open a web browser (Firefox, Safari, Internet Explorer, etc.)
• follow the online instructions by entering your ObieID (e-mail) account username and password

Once you have authenticated, you will be able to access network resources as usual. The system will first scan your computer for viruses and updated operating system patches. If problems are found, you will be directed to online resources for downloading the applicable patches, etc. Once this is done, after 20 minutes had transpired, you can open a web page and attempt to re-authenticate. If you experience problems or have questions, contact the CIT Help Desk at x58197, or cit@oberlin.edu.

Fac/Staff Windows Users:

Faculty and staff Windows users should be able to login to their computers as usual. If you cannot login, you will just need to select Workstation Only and then open up a web browser and follow the instructions.

Guests:

Guests will be assigned a Sponsored Account (see details below) and will be required to login with that account and authenticate as described above. This will be the case for Oberlin Inn guests, as well as visiting faculty, visiting administrators, conference attendees, parents, and others sponsored by Oberlin College personnel.

Lab and Library Computers:

Most lab computers will not require authentication by any individual. Logins are currently required for all Windows lab computers (maintained by CIT) and will be required on all CIT-maintained Macintosh computers by the start of the Fall 2007 semester.

Library Windows computers can currently be accessed by using the account "guest". This will remain effective until the Academic Commons is completed. When that occurs, expected at the start of the Fall 2007 semester, those computers (both Mac and Windows) will all require logins and guests will then need to register and be assigned a Sponsored Account in order to gain access.

Exempted Systems: The following systems will not require authentication by an individual, since their authorization for network access is controlled by other mechanisms:

• Servers (CIT-maintained and others identified by CIT)
• Networked Printers
• Print Release Stations
• Residential energy-monitoring devices
• Security Cameras
• Card-swipe systems
• Facilities network-attached systems: HVAC, FARS
• Security Systems: dispatcher, ARMS, FARS, HVAC, Reports system
• Network-attached UPS equipment - maintained by CIT
• Network-attached A/V Projectors
• Network-attached instruments
• Stand-Alone File Servers (e.g., NAS devices)
• NAT boxes
• Wireless Access Points
• CIT-maintained Lab computers

Exempted System Request: If you believe you have need for a computer to be exempted from the authentication process, please send the following information to cit@oberlin.edu:

• your username
• your first and last names
• your e-mail address (e.g., jane.doe@oberlin.edu)
• the MAC (Ethernet or hardware) address of the computer to be exempted
• The IP address of the computer to be exempted
• a brief description of the device, including the type of device
• the reason for the exemption (e.g., this is a server, a public-use lab computer, etc.)

Network Authentication FAQs

1. Question: After authentication, I see a page with a Logout button. What is this? Should I click on it?

   Answer: The Logout button is mainly for use by CIT staff. This will deauthenticate the computer from network access. Routine users should NOT click on this.

2. Question: When using a Macintosh with OS-X version 10.3.9 and Safari version1.3.2 (and perhaps other versions), the web page loops continuously.

   Answer: Emptying the cache will clear this problem.  Launch Safari then pull down the Safari menu, select Empty Cache, then click on the Empty Cache button.

3. Question: Every time I try to authenticate, I just get sent back to the authentication page again.  Is there something that can be done?

   Answer: Are you using a computer with Macintosh OS-X version 10.3.9, and using Safari?  If so, see answer to no. 2 above. Alternatively, you may download Firefox and use this browser to authenticate instead of Safari.

4. Question: Why did I have to authenticate twice? I'm using Windows XP.

   Answer:  This may be due to a wired and wireless connection on a laptop.  You should disable the interface that is not being used.

5. Question: After authenticating, I received with a successful login page.  When that page was closed, I could no longer access my applications and had to reauthenticate and leave the page open to use the applications.  What's happening?

   Answer: You likely clicked on the Logout button.  The Logout button is used to deauthenticate a system.  If you do click the Logout button, you must relaunch a web browser and reauthenticate.

6. Question: What is my ObieID?  Is that my e-mail address?

   Answer:   Your ObieID is your e-mail username - usually this is your first initial and last name, up to 8 characters.  It is not your e-mail address, but it has the same password as your e-mail account.  For example, Bea Happy’s ObieID is “bhappy” and her e-mail address is Bea.Happy@oberlin.edu.

7. Question: Can a user authenticate on different machines?

   Answer: Yes.  A user can authenticate multiple devices.

8. Question: I have a guest on campus.  How does that person authenticate?

   Answer:  You can create an account for your guest to use.  Please see the information on Sponsored Accounts below, and (for more detailed info) on our website at http://www.oberlin.edu/cit/sponsoredaccts/default.html

9. Question: I'm at home.  Cable Co-op is my provider.  When I open my browser I don't get any online instruction.  How do I authenticate so I can access PRESTO from home?

   Answer: This is only something you'll need to do when you're on campus and not in a building served by the Cable Co-op.

10. Question:  Is this going to affect our servers?

    Answer: Servers need to be exempted.  Please send e-mail to cit@oberlin.edu with the information requested above under Exempted System Request.

11. Question:  My printer was working yesterday (Monday, April 23, 2007), but it is not working today.

    Answer: If a printer is connected to the campus data network, then it needs to be exempted from network authentication.  Please send e-mail to cit@oberlin.edu with the information requested above under Exempted System Request.

12. Question: I was not required to authenticate my computer this morning. What do I do now?

    Answer: Please send e-mail to cit@oberlin.edu with the information defined above under Exempted System Request.

13. Question:  Will this process of Network Authentication be required again?  If so, how often?

    Answer:  Network authentication will occur every 28 days (every 4th Tuesday) unless some extenuating circumstance necessitates additional authentication(s). For example, an unusual computer virus outbreak occurs, requiring an immediate virus scan of systems connecting to the campus network.  CIT will make an announcement if an exception is needed.

14. Question:  Will everyone reauthenticate at once or will it be on different days for different people?

    Answer: One nice thing about the re-authentication on a regular basis is that everyone will re-authenticate on the same day regardless of when they last reauthenticated. For example: a new faculty member receives a new computer and authenticates. Two days later, the regular 28-day network authentication process occurs. That faculty member will then have to reauthenticate, along with everyone else.

15. Question:  Will there be an e-mail to remind us to reauthenticate?

    Answer:  We do not believe this will be necessary, since people should soon becomes used to authenticating every 28 days. We will post the information on the CIT website and on On-Campus news.  

16. Question:  How will this affect public-use computers in the libraries?

    Answer:  See answer above under Lab and Library Computers.

17. Question:  How will this affect Macintosh computers in public labs?

    Answer:  This is a different type of authentication.  Regardless, Macintosh computers in public-use facilities will be reconfigured during the summer to require authentication (a login).

18. Question:  How will this affect Windows computers in public labs?

    Answer:  This is a different type of authentication.  Windows computers in public labs are already configured to require authentication.

19. Question: There is a computer in my office used by multiple people. How should this be handled?

    Answer: The first person to use the computer will provide the authentication. Follow-on users will not be prompted to authenticate, unless 28 days have passed, when reauthentication will be required for all users. At that time, again, the next person to use the computer should authenticate. Note that the computer will be assigned the "role" of the person who authenticates. For example, if a staff person authenticates, the role will be a staff role; if a student authenticates, the role will be a student role. If this creates any impact, you can change roles by deauthenticating and then letting the person with the required role authenticate. To deauthenticate (for admin/academic building users, i.e., most faculty and staff), go to the authentication web page, re-enter your ObieID account name and password, click Agree and then click on the Logout button. (Note: North Campus Resnet users desiring to deauthenticate should click here; South Campus Resnet users should click here.)

20. Question: Does this process apply only to computers using DHCP as the mechanism to obtain an IP address, or does it also apply to computers not using DHCP?

    Answer: The network authenticaton process applies to all devices (unless exempted), whether they use DHCP or not. (Note: All devices SHOULD be set to use DHCP, regardless whether the IP is dynamic or more definitively- assigned.)

21. Question: I log into multiple computers at once in a faculty member's research lab. Should I use my personal ObieID to authenticate each computer, or is there some lab authentication mechanism

Answer: The answer pertains to the type of lab. For public-use facilities, CIT provides alternate arrangements. Research lab computers should each be authenticated by the lab owner (faculty member, lab assistant, etc.). Systems connected to loggers or other instruments should be exempted and the responsible individual should send the info delineated in the Exempted Systems Request section above to cit@oberlin.edu.

Sponsored Accounts:

In order to allow visiting, non-Oberlin College personnel the ability to access the College network, and still be compliant with the requirements of CALEA, guest network users will also be required to authenticate. In order to authenticate, they must have an assigned account. Thus, we have developed the process of creating "Sponsored Accounts".

Sponsored Accounts are accounts that can be created ("sponsored") by any Oberlin College account holder (faculty, staff, or student) for guest users. The account will have restricted privileges, essentially allowing Internet access only. Oberlin College account holders can sponsor up to six accounts, with each sponsored account remaining effective for a maximum of five days. Some account holders will be able to create sponsored accounts with larger allocations, such as Oberlin Inn personnel, Library staff, and Conference Services staff. If you believe you need this capability, please send a message to cit@oberlin.edu, describing your requirements.

Oberlin College account holders - faculty, staff, and students - will authenticate via a secure web page and then will have the ability to see their existing sponsored accounts, as well as create and delete accounts. Accounts for the guest will be generated automatically. The sponsor will be responsible for the activity on the Sponsored Account, ensuring compliance with the College's "Policy for the Acceptable Use of Information Technology Resources".

Complete details on Sponsored Accounts are available online at: http://www.oberlin.edu/cit/sponsoredaccts

Sponsored Accounts FAQs:

1. Question: Some temporary employees, and others such as Shansi Visiting Scholars, are not given ObieIDs. What do they do?

   Answer:  If the person is just here for a few days, then a regular Oberlin College account holder (faculty, staff or student) can create a Sponsored Account.  If the person will be here much longer (e.g., all semester), you should contact the CIT Help Desk to request an updated allocation. To do so, send an e-mail to cit@oberlin.edu indicating the following: your contact information (e-mail address), the ObieID of the Sponsored Account, and the requested expiration date.

2. Question: I created a Sponsored Account, but I need it to last for more than 5 days. What can I do?

   Answer: If this is a one-time need, then send an e-mail request to cit@oberlin.edu, providing the information denoted in no. 1 above.