Guest and Public Network Access


Version: 4

Issued: July 2016

Reference: GEN-DOC-002 (previously published as PB/INFO/073)

Author: A. Cormack

Last Reviewed Date: 28/7/2016

This factsheet suggests some ways for organisations that wish to provide guest and/or public network access for external visitors to do so. A Jisc Technical Guide gives more details and case studies of implementations.

Janet is the UK's research and education network. An organisation connected to Janet may at its own discretion make it available to each of its own users, as well as to other individuals visiting the organisation at its invitation and for purposes associated with the organisation's education, research and engagement missions. Examples of the latter include use of Janet by delegates at a conference or similar event (whether or not a fee is charged) held by the organisation under those missions. They also include use by individuals not formally associated with the organisation but to whom services are being provided under the organisation's missions, such as access to its library or similar resources. Such delegates or individuals are referred to in this factsheet as 'guests' and may be visiting from another organisation with its own Janet connection, or from elsewhere.

Within the overall limits of this userbase, each connected organisation can decide as a matter of local policy what level(s) of access to Janet it provides and to whom. The Janet Security Policy requires organisations to have appropriate measures in place for giving, controlling and accounting for access to Janet. This normally involves each local or guest user having their own unique username and password (see the Jisc factsheet on User Authentication).

Some Janet-connected organisations may in addition wish to provide Internet connections, for a fee or free of charge, to members of the public who are not guests of the organisation (for example members of the public using accommodation or other facilities, or simply walking across the campus). In order to protect the reputation and status of Janet as a private network, traffic from these users (referred to in this factsheet as public users) must be kept separate from the organisation's normal research and education traffic. Janet must not be used to connect public users directly to the Internet. Subject to conditions set out in the Janet Eligibility Policy and discussed below, an encrypted point-to-point tunnel across Janet may be used to backhaul public user traffic to a partner Internet Access Provider (e.g. a commercial ISP). Alternatively, public users may be connected to the Internet by a dedicated network link. In both cases the organisation and its access provider are responsible for compliance with policies and legislation applying to public networks.

Providing Guest Access

The simplest and safest way to provide access for guests from other Janet-connected organisations and equivalents abroad is to join Jisc's eduroam service as a visited organisation. The international eduroam federation provides a link between organisations so that a guest from another eduroam member can use their home organisation username and password to authenticate to a guest network provided by the visited organisation. The guest network must provide access to Janet but need not give any access to local services. By providing an eduroam visitor facility, an organisation knows that visitors who use it are current members, in good standing, of another peer organisation and, because that home organisation is bound by the eduroam policy, that it will take responsibility for its user’s actions (including, if necessary, investigating and punishing any reported misuse of the visitor network facility or Janet).

Where a guest does not come from an eduroam member organisation, a facility for creating temporary local accounts may be required. A number of Janet-connected organisations allow authorised members of staff to assign short-lived accounts to visitors to their departments: these staff members are responsible for ensuring that the guest complies with local and Janet policy requirements. This system relies heavily on the sponsor and their personal knowledge of the guest, since the guarantees provided by eduroam are not available. Many mechanisms can be used to assign such accounts, from an option in an identity management system to pre-prepared sealed envelopes or scratch cards that each contain one visitor username and password.

The Janet Security Policy requirement to control access to Janet means that it is not appropriate simply to provide guests with access to an unauthenticated network port or open wireless network. It is also inadvisable to allow a local user to log the guest on using their own credentials since this is likely to give the guest far more access to local systems and to Janet than was intended. Similarly, if the organisation does not provide a separate segment or VLAN for guests then care will be needed to ensure that guests do not gain unintended access to internal or licensed resources which may trust IP addresses for authorisation.

Providing Public Access

If an organisation wishes to provide Internet access to members of the public who are on its premises other than as guests, then this must be done in partnership with an Internet Access Provider such as a commercial ISP. The Janet Eligibility Policy permits the network to be used to backhaul traffic to a partner access provider, but only if all three of the following conditions are met: users are authenticated (either by the access provider or by the organisation); the traffic is carried across Janet in an encrypted tunnel; and the traffic is identified as originating from the access provider (not from Janet or the organisation) when it reaches the public Internet. Alternatively, the connection between the organisation and the access provider may use a dedicated network link. Janet must not be used to connect public users directly to the Internet.

Public users generally require a wireless network connection. This may be achieved by allowing a commercial ISP to install their own separate equipment on the organisation's premises; or, more usually, the existing wireless LAN infrastructure will be shared with the partner access provider and the network configured to route public traffic to them, either over a dedicated link or an encrypted point-to-point tunnel over Janet.

In a typical shared installation, wireless access points are configured to broadcast at least two different SSIDs (Service Set Identifiers). Guest users connect to the 'eduroam' SSID, are presented with an eduroam login dialogue, and authenticate with their local or eduroam credentials. Their traffic is then routed to Janet. Public users connect to the 'commercial' SSID, are invited to enter their subscription or credit card details, and are connected to the Internet via the commercial ISP. Each SSID is associated with a VLAN that logically segregates the traffic and routes it to the appropriate upstream connectivity: Janet or the commercial ISP.
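The following is an added example, not part of the Jisc factsheet, showing how an organisation might check a proposed SSID/VLAN/upstream layout against the constraints stated in this factsheet: every SSID is authenticated, guest and public traffic sit on separate VLANs, public users are never connected to the Internet directly over Janet, and a public backhaul over Janet is only acceptable as an encrypted tunnel whose egress is identified as the access provider's. The SSID names, VLAN numbers and the two sample designs are constructed values; the data model and the check function are assumptions made for illustration.

```python
"""Design check for a shared guest/public wireless installation.

Added illustration (not Jisc's code). It models the layout described in the
factsheet (one SSID per audience, each mapped to a VLAN and an upstream)
and reports every way a candidate design breaks the stated constraints.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Ssid:
    name: str
    vlan: int
    auth: str        # "802.1x" (eduroam), "portal" (subscription/card login) or "open"
    upstream: str    # "janet" or "isp"
    audience: str    # "guest" or "public"


@dataclass(frozen=True)
class Backhaul:
    """How public traffic reaches the partner ISP."""
    kind: str                               # "dedicated" or "janet-tunnel"
    encrypted: bool = False                 # only meaningful for "janet-tunnel"
    egress_identified_as_isp: bool = False  # traffic appears to come from the ISP, not Janet


def check_design(ssids: List[Ssid], backhaul: Backhaul) -> Set[str]:
    """Return the set of policy problems found; an empty set means the design is acceptable."""
    problems: Set[str] = set()
    vlan_owner: Dict[int, str] = {}  # VLAN id -> audience first seen on it

    for s in ssids:
        # Access to Janet must be controlled: no open ports or open wireless.
        if s.auth == "open":
            problems.add(f"{s.name}: unauthenticated access is not permitted")
        # Public users must never be connected to the Internet via Janet.
        if s.audience == "public" and s.upstream == "janet":
            problems.add(f"{s.name}: public users connected to the Internet via Janet")
        # The guest network must provide access to Janet.
        if s.audience == "guest" and s.upstream != "janet":
            problems.add(f"{s.name}: guest SSID does not route to Janet")
        # Guest and public traffic must be logically segregated.
        owner = vlan_owner.setdefault(s.vlan, s.audience)
        if owner != s.audience:
            problems.add(f"vlan {s.vlan}: shared by {owner} and {s.audience} traffic")

    if any(s.audience == "public" for s in ssids):
        if backhaul.kind == "janet-tunnel":
            # Eligibility Policy conditions for backhauling public traffic over Janet.
            if not backhaul.encrypted:
                problems.add("backhaul: tunnel across Janet is not encrypted")
            if not backhaul.egress_identified_as_isp:
                problems.add("backhaul: public traffic not identified as originating from the ISP")
        elif backhaul.kind != "dedicated":
            problems.add(f"backhaul: unknown kind {backhaul.kind!r}")

    return problems


# Constructed sample designs.
COMPLIANT_SSIDS = [
    Ssid("eduroam", vlan=100, auth="802.1x", upstream="janet", audience="guest"),
    Ssid("commercial", vlan=200, auth="portal", upstream="isp", audience="public"),
]
COMPLIANT_BACKHAUL = Backhaul("janet-tunnel", encrypted=True, egress_identified_as_isp=True)

# A design that breaks the rules: open public SSID sharing the guest VLAN,
# public traffic sent straight out over Janet, and a plain (unencrypted) tunnel.
BAD_SSIDS = [
    Ssid("eduroam", vlan=100, auth="802.1x", upstream="janet", audience="guest"),
    Ssid("FreeWiFi", vlan=100, auth="open", upstream="janet", audience="public"),
]
BAD_BACKHAUL = Backhaul("janet-tunnel")


if __name__ == "__main__":
    for label, ssids, bh in (("compliant", COMPLIANT_SSIDS, COMPLIANT_BACKHAUL),
                             ("bad", BAD_SSIDS, BAD_BACKHAUL)):
        found = check_design(ssids, bh)
        print(f"{label}: {'OK' if not found else ''}")
        for p in sorted(found):
            print("  -", p)
```

Run as a script to see the compliant design pass and the bad design produce one finding per broken constraint; reuse `check_design` in a change-review step when a new SSID or VLAN is proposed.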

Organisations considering such partnerships should note that any network that offers Internet access to the public is likely to be classified in law as a public electronic communications service, whereas Janet and the networks of its customers are generally classified as private. Operating a public service is likely to involve more onerous duties, for example:

  • protection of the privacy of users (Regulation of Investigatory Powers Act 2000 and Privacy and Electronic Communications (EC Directive) Regulations 2003)
  • notification of privacy breaches to the Information Commissioner and users (Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011)
  • retention of data about usage for criminal and terrorist investigations (Data Retention and Investigatory Powers Act 2014 as amended), and
  • further obligations on copyright enforcement, botnets and monitoring are being discussed.

It seems likely that these obligations would only apply to those parts of the network that actually carry public traffic, so segregating this traffic either logically or physically should allow the rest of the organisation’s LAN to continue to operate on a private network basis. Organisations should seek individual legal advice on the implications for their own networks.

The privacy-related duties of a public communications service provider are likely to apply to both the organisation and their partner Internet Access Provider. Responsibility for compliance with other laws and policies should be assigned by contract between the organisation and the access provider.