Differences between revisions 90 and 91
Revision 90 as of 2020-09-04 12:36:00
Size: 11170
Editor: davidsch
Comment:
Revision 91 as of 2020-09-04 12:36:46
Size: 11177
Editor: davidsch
Comment:

Wireless LAN (WLAN/ WiFi)

How to connect to the WLAN

  1. Make sure WLAN is activated on your laptop. Some laptops have a dedicated keyboard key (usually with a WiFi symbol printed on it) to switch the WLAN antenna on or off. On other laptops that key does not look like a keyboard key, but more like a status LED; however, it can often be touched to switch WLAN on/ off. On some computers the WLAN module could also have been disabled in the BIOS setup.

  2. Click on the wireless icon on your desktop (in case of Windows computers, it is found in the tray area of the taskbar)
  3. Choose the SSID (to find out which SSID to choose and how to authenticate correctly, have a look at the SSID section below).
  4. Depending on the chosen SSID, you might first have to open a web browser and attempt to navigate to an arbitrary website. This will lead you to a landing page on which you have to authenticate. After successful authentication, your device is granted access to the ETH network and to the Internet.
  5. For all connections that require authentication, your ETH network password must be entered, not the standard ETH login password. All passwords can be reset on https://passwort.ethz.ch/. Please also note that depending on the chosen SSID, a different syntax for the username/ login field must be used (see SSID's section below).

SSID's

| Role | Use SSID(s) | Use Login |
|---|---|---|
| ETHZ Students | eduroam, eduroam-5 | <username>@student-net.ethz.ch |
| ETHZ, PSI, CSCS, ... employees (private-owned devices) | eduroam, eduroam-5, eth, eth-5 | <username>@staff-net.ethz.ch |
| ETHZ, PSI, CSCS, ... employees (ETH-owned devices) | eduroam, eduroam-5, eth, eth-5 | <username>@staff-net.ethz.ch (or use specific VPZ, see next line) |
| ETHZ, PSI, CSCS, ... employees (connect to specific VPZ) | eduroam, eduroam-5, eth, eth-5 | <username>@<YourOfficeVPZ>.ethz.ch (e.g. <username>@DEPT-staff.ethz.ch) |
| ETHZ short-time-guests | eth-guest, eth-guest-5 | For one-day guests or self-registered guests. No authentication needed; landing page for unlimited internet access. Without prior landing page authentication, guest devices may only access the following internet sites: VPN (ipsec), www.sbb.ch, www.flughafen-zuerich.ch, www.zvv.ch. Guests who are from another university are advised to use the eduroam SSID instead. Short-time guests can use 802.1x only in conjunction with the SSID's eth/ eth-5. |
| ETHZ long-time-guests | eduroam, eduroam-5, eth, eth-5 | <username>@guest-net.ethz.ch |

SSID notes

  • For SSID "eduroam-5" please do not use autoconnect; devices should normally autoconnect only to the "eduroam" SSID (2.5 GHz).

  • The SSID's eduroam/ eduroam-5 should be strictly preferred over eth/ eth-5, as eduroam will also work on other university campuses worldwide.
  • The SSID's eth/ eth-5 are required instead of eduroam/ eduroam-5 in the following exceptional cases:
    1. For clients that authenticate with host certificates, which is not possible outside of ETH.
    2. For technical accounts or guests, which will not be able to connect outside of ETH.
    3. In buildings where ETH and UZH both have offices and the WLAN coverage of both institutions overlaps; using eduroam/ eduroam-5 in these areas means a user cannot predict via which institution's access points his/ her connections will run. If for some reason the user wants his/ her connections to run only via the ETHZ access points, he/ she should only configure the SSID's eth/ eth-5.

  • The SSID's public, public-5 will be deprecated in future and should no longer be used.

Wired LAN

All UTP sockets in the ITET public rooms and offices are set to 'docking'. What does 'docking' mean?

A UTP socket which is set to 'docking' detects the MAC address of any connected device and looks it up in a table (NAC table). In this table, every MAC address is assigned to a specific network by a so called 'NAC profile'. If the device's MAC address cannot be found in the NAC table, the socket will be switched to a default VLAN (network) with restricted access (no internet access without prior authentication).

Generally, all ISG-managed Linux and Windows devices are registered in the NAC table because they need to be in a specific network (VLAN). That applies for instance to all the Tardis workstations in the public student rooms of D-ITET.

Registering self-managed devices in the ISG network (DHCP resp. NAC entry)

For self-managed devices, e.g. laptops, NAC table (and DHCP) entries can be made for the following reasons:

  1. The device needs a fixed IP address or a fixed, globally usable, specific hostname FQDN (fully qualified domain name).
  2. The device has to be located in a specific VLAN.

It is also possible to register a device for a 'dynamic IP address'. This makes sense, if you don't need to connect to your device using a specific hostname or a fixed IP address.

If one of the reasons mentioned above applies to your self-managed device, contact ISG.EE (support@ee.ethz.ch).
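The docking lookup and the registration described above can be modelled as follows. This is an added example, not ISG.EE's implementation: the table entries, profile names and VLAN names are constructed, and the check for locally administered (randomized or virtual) MAC addresses is an extra that illustrates why a device may not match the address that was registered.

```python
import re

# Constructed sample NAC table: canonical MAC -> NAC profile (names are hypothetical).
NAC_TABLE = {
    "00:11:22:33:44:55": {"profile": "isg-managed-workstation", "vlan": "managed"},
    "00:11:22:aa:bb:cc": {"profile": "self-managed-fixed-ip", "vlan": "office"},
}
DEFAULT_VLAN = "restricted"  # hypothetical name for the default VLAN (landing page required)


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the U/L bit of the first octet is set (randomized or virtual MACs)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def dock(raw_mac):
    """Decide which VLAN a 'docking' socket is switched to for this device."""
    mac = normalize_mac(raw_mac)
    entry = NAC_TABLE.get(mac)
    if entry is None:
        # Unknown device: default VLAN, no internet access before authentication.
        return {"mac": mac, "vlan": DEFAULT_VLAN, "profile": None,
                "needs_landing_page": True}
    return {"mac": mac, "vlan": entry["vlan"], "profile": entry["profile"],
            "needs_landing_page": False}


if __name__ == "__main__":
    # Constructed addresses in three common notations.
    for seen in ("00-11-22-33-44-55", "0011.22AA.BBCC", "02:00:5e:10:20:30"):
        print(seen, dock(seen),
              "locally administered:", is_locally_administered(seen))
```

When you send your MAC address for registration, report the address of the interface you will actually plug in (for example the built-in Ethernet port rather than a docking station or USB adapter), since the lookup is per address.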

802.1x authorization for wireless (WLAN) and wired connections

IEEE 802.1x is a network authentication standard used at ETH for wireless and wired connections.

When you connect a self-managed laptop whose MAC address has not previously been registered by ISG.EE to a UTP socket, you won't be able to access the network until you have logged in via the ETH landing page displayed in your web browser. This is the same as what would happen when attempting to connect to the ETH wireless network using the public/ public-5 SSID's. After authenticating on the landing page, you will have full access to the network. Using the 802.1x standard, you may authenticate your device automatically as soon as it is connected to the network, without any need for landing page authentication. The procedure to configure 802.1x authentication varies between operating systems. Have a look at the following articles:

  • Windows7 - How to configure 802.1x authorization with wireless or wired connections for Windows 7

  • Ubuntu - How to configure 802.1x authorization with wireless or wired connections for Ubuntu

  • MacOS - How to configure 802.1x authorization with wireless or wired connections for MacOS

Network debugging

This document addresses D-ITET students. There are several reasons why users cannot access ETHZ internet or intranet resources. This section assists you in analyzing the problem.

Reasons why you cannot access ETHZ network services might be:

  1. You are outside ETH and have a connection problem: General connection problems.
  2. You are inside ETH with your self-managed device (laptop). You have poor or no connection to the wireless network: General WLAN problems.
  3. You are at home with your self-managed device (laptop). You have poor or no connection to the wireless network: General WLAN problems.
  4. You are inside ETH with your desktop computer and you attempt to use the wired network. You cannot connect; you do not obtain an IP address: General DHCP problems.

Keywords below:

  • General connectivity problems
  • General WLAN problems
  • General DHCP problems

Solutions

1. General connectivity problems

a. Please make sure that everything on your side works:

  • Try to access the Internet. If that fails,
  • Check your cables/ sockets and other network hardware (switches, routers, ...)
  • Check your (Cisco) VPN client if you use it. Disable VPN for testing.

b. If you are able to access the internet:

  • Try to access the ETH and/ or ISG.EE web sites. They should be up almost all the time. If that fails, call the ISG.EE support.
  • Try to access the services you need, e.g. sending email, using svn, receiving e-mail, accessing your home directory. If this fails, call ISG.EE support.

c. Network firewalls as the reason for connectivity problems:

  • You run a firewall that blocks or rejects traffic.
  • You try to use a service from outside ETH that is behind one of the ETH firewalls. This might also apply when you use the VPN client software. In that case, even though your computer is connected to a specific ETH subnet, the target computer you attempt to connect to is behind another firewall within the ETH network and thus unreachable. Using the VPN does not mean that you can access all network resources at ETH!

2. General WLAN problems @home or @ETH

WLAN @home

The reasons for a poor performance may be:

  • Some other WLAN is interfering. Make sure your WLAN access point does not use the same channel group as the foreign WLAN access point. Reconfigure your channel group. The channel groups are: 1 - 5, 6 - 10, 11 - 13. Avoid channel groups that are occupied by other access points.
  • Incompatibility (encryption): You use an encryption algorithm that does not work properly with the WLAN access point. Reconfigure the encryption.
  • Loss of signal / weak signal strength:

    a. Try to move the WLAN access point to a better place. Measure the signal strength by walking around in your flat with your laptop running the netstumbler software.
    b. There is something disturbing your signal, e.g. other electrical devices, electrically grounded steel girders, ...
    c. Distance and signal strength: If your laptop is too far away from the access point you may lose the signal.

  • Hardware failure. Check whether your hardware is generally compatible and working correctly. Comparing network access with other devices (laptops, smartphones, ...) might help to identify the cause.

In any of these cases there is not much the ISG.EE support can do for you.

WLAN @ETHZ

The reasons for poor performance are basically the same as described in the section (a.) above (WLAN problems @Home). However, ETHZ WLAN should be quite stable and highly available. If you experience WLAN connectivity problems at ETH, please request help either from ISG.EE or directly from the central IT department (Informatikdienste, ID). The ID operates the WLAN at ETHZ.

3. General DHCP problems

a. You use Windows or Linux on your computer or notebook. You have ensured that your computer is connected to the wired network by cable, but you notice that you still don't obtain an IP address. The reasons for this problem may be:

  • The network plug in the wall is not configured for the network you should receive an IP address from
  • You have not yet registered your computer with ISG.EE. For registration we need the following information: MAC address, desired hostname (if one is required) and the operating system running on the device.



Workstations/Network/Infrastructure (last edited 2023-10-16 11:07:38 by alders)