Answers mixed inline below.

Jon Finke - Senior Systems Programmer - CMT - RPI
518 276 8185 (voice) - 518 276 2809 (fax) - http://www.rpi.edu/~finkej

From: Tom Barton [mailto:[log in to unmask]]
Sent: Tuesday, June 13, 2006 6:13 PM
To: [log in to unmask]
Subject: [IDM] guest IDs

I suspect that most every campus offers at least one or two online
services that they wish or need to make available to people who do not
already have a campus netID or who may not even be eligible for one.
Many campuses have developed home-grown guest ID management systems to
deal with this circumstance. I'm curious about some of the design
choices campuses have made, and whether your guest ID management system
adequately meets current and near-term needs.

1. Are guest IDs managed together with campus netIDs or are they

We have our traditional guest accounts (Unix and Windows log in, email,
printing, AFS disk space, web space, etc) - TGA, and we recently added
Wireless Only access accounts - WOA. All are in the same LDAP and Kerb5
authentication realms. The WOA do not appear in the Windows domain.

2. Do you use a single type of guest ID for all online guest access

We recently added the Wireless only access accounts. In the past, we
also had Alumni accounts with restricted access - but very much like

3. Do you get rid of stale guest IDs?

The WOA get an automatic password reset after 3-48 hours. We are in the
process of tying the TGA into our ID card guest management system -
where all entries have an expiration date.

4. How widely distributed is the authority & ability to create & assign

TGA - departmental reps send paper form to computer center with sponsor,
budget and expiration info. Longer term they will be able to piggyback
on the ID Card request process.

WOA - departmental reps can use a web tool to get WOA passwords (and
renew them for up to 48 hours at a time.)

5. Do you care whether the same physical guest person receives the same
guest ID each time they are assigned one? Similarly, do you care about
somehow linking guest ID with netID when a guest person becomes a bona
fide member of the campus community?

TGA - if properly identified initially, they will get the same account
back. If they join the community, we can "convert" a guest account to a
regular account. This is a bookkeeping change - mostly billing

WOA - Once a department uses one, it "belongs" to that department, but
we don't care if a returning person gets the same one or not.

6. Are most guest-accessible services protected by popular web server
technologies like apache and IIS, or are there substantial use cases
involving guests authenticating in other circumstances?

TGA - most services are available - some software licensing and library
services are not available. Services have to be somewhat aware of who
they are serving.

WOA - just allow VPN, Wireless and dialup access.

7. How much of a problem is managing guest access?

TGA - we are just starting to clean up 15 years of guest accounts -
mostly by linking them to the ID card system (where we are just cleaning
up only 5 years of cruft - but that project is much further along).

WOA - the management is fully automatic.

I am much obliged for your time in responding to these questions!

Senior Director for Integration
Networking Services and Information Technologies
University of Chicago
+1 773 834 1700 (office)