APS Visitor Network Registration
NetReg is an automated network registration system that requires client computers to use the Dynamic Host Configuration Protocol (DHCP) to register their hardware address before they can gain full access to the APS visitor network. Network registration provides user information accounting for each machine that is attached to the visitor network and also quickly scans the computer for common vulnerabilities. This permits networking staff to contact the user of the computer in the event that it appears to be experiencing problems or is using the network inappropriately.
The process begins when a user connects to the visitor network and attempts to browse the web:
- For users in all areas at the APS, connect to the "Argonne-guest" wireless service, open a browser and attempt to browse to any Internet site. The user will be redirected to the NetReg registration page.
When a computer is connected to the visitor network, its DHCP request is checked to determine if its hardware address is currently registered with the network. If the hardware address is currently registered, the computer receives a fully functional IP address and network information. Otherwise, the computer receives an IP address on a restricted network and is presented with a web page asking the user to read and accept the Argonne Internet Access Policy. After the access policy is accepted, another web page is presented requesting user registration information:
Figure 1: Network Registration Internet Access Policy Page
Figure 2: Network Registration Visitor Network Registration Page
Before registration, users will be able to reach a limited set of sites for Windows, Apple and Linux updates. If the user fills out the registration information properly and accepts the Internet access policy, the hardware address for this computer will be registered after the network scan completes without finding any vulnerabilities. This scan completes in a few seconds. After the computer reboots, it will have full access to the visitor network.
Visitors will be prompted if they need to send email directly to an off-site server. Most systems do not need this as an option. There are many spambots, viruses and other malware that can exploit a system and use an infected machine to send 1000s of messages in a very short period of time. Argonne, therefore, will be blocking outgoing traffic on port 25 from the visitor nets to reduce this exposure. For machines that are permanently registered, we will be sending out another email to those users if they require outgoing email access.
The registration process maintains two classes of users. The first class is considered permanent; it is reserved for Argonne-owned or resident user computers and never expires. The second class is for visitors, whose registrations remain active for up to one week by default. When registering, users have the option of selecting a month for the duration of their reservation. Otherwise, visitor registrations are purged every Sunday at 1:00 am. To request a permanent registration, fill out a Support Request that includes host name, owner name, location, operating system, manufacturer, hardware address of the machine and whether or not you need SMTP access for outgoing email.
Enhancements added recently to the visitor registration process mean that a user only needs to register once, and that registration will be valid anywhere in the lab. A visitor who registers at APS can now take their machine over to the Argonne cafeteria and will already be registered, and vice versa.
Users on the visitor networks can also be blocked because of suspicious network activity that could be an indication of a virus or inappropriate activity. When this occurs, the user will be presented with the Argonne Internet Access Policy and Visitor Network Registration web pages. After registering, a web page indicating that they were blocked will appear, and they will not have any network access. The user is directed to call the APS Support Request phone line 630-252-9700 for assistance. This machine will not be permitted on the network until it has been scanned by APS IT staff and verified to be operating appropriately.
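The DHCP-time decision, the two registration classes, the Sunday 1:00 am purge and the blocked state described above can be modelled as follows. This is an added illustration, not NetReg's or Argonne's code: every function name, the pool labels, the in-memory registry and the 30-day reading of the "month" option are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class Registration:
    permanent: bool = False             # permanent class never expires
    expires: Optional[datetime] = None  # set for the visitor class only
    blocked: bool = False               # flagged for suspicious activity

def normalize_mac(mac: str) -> str:
    """Canonicalize AA-BB.., aabb.ccdd.eeff, aa:bb.. so lookups cannot miss."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit hardware address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def next_sunday_purge(now: datetime) -> datetime:
    """First Sunday 01:00 strictly after `now` (the weekly visitor purge)."""
    days_ahead = (6 - now.weekday()) % 7          # Monday=0 ... Sunday=6
    purge = (now + timedelta(days=days_ahead)).replace(
        hour=1, minute=0, second=0, microsecond=0)
    return purge if purge > now else purge + timedelta(days=7)

def register_visitor(registry: Dict[str, Registration], mac: str,
                     now: datetime, one_month: bool = False) -> Registration:
    """Record a visitor after policy acceptance and a clean scan."""
    # Assumption: the "month" option is modelled as 30 days.
    expires = now + timedelta(days=30) if one_month else next_sunday_purge(now)
    key = normalize_mac(mac)
    prior = registry.get(key)
    if prior and prior.permanent:
        return prior                 # never downgrade a permanent entry
    # A block must survive re-registration; only staff clear it.
    reg = Registration(expires=expires, blocked=bool(prior and prior.blocked))
    registry[key] = reg
    return reg

def assign_pool(registry: Dict[str, Registration], mac: str,
                now: datetime) -> str:
    """Decide at DHCP time which network the client lands on."""
    reg = registry.get(normalize_mac(mac))
    if reg is None:
        return "restricted"          # unknown hardware address
    if reg.blocked:
        return "blocked"             # no access until staff clear it
    if reg.permanent or (reg.expires is not None and reg.expires > now):
        return "full"
    return "restricted"              # visitor registration lapsed
```

The model also shows why a hardware address is an accounting key rather than an authenticator: the client supplies it in its own DHCP request, so the vulnerability scan and the activity-based block described above do the real enforcement.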