Dyport
Basics
"Dyport" is the dynamic assignment of data network ports in the offices of TU Dresden employees. Depending on the connected device (MAC Authentication Bypass, MAB) or on the user credentials/user certificate entered on the device (802.1X, used primarily by administrators), a defined VLAN is assigned to the data network port.
Normally, the IT administrator of the organizational unit manages the Dyport accesses for the employees. However, there are also organizational units where employees can register their IT hardware (laptop, PC) in Dyport themselves.
Dyport is available in all parts of the building supplied with VoIP.
The connections (data network ports) are mostly designed as double data sockets. The left-hand connection is always activated; only some of the right-hand connections are usable.
A computer, or a VoIP telephone with a computer behind it, can be connected to a data network port. A computer may send with only one MAC address. If more than one MAC address is detected on a port, the port is automatically deactivated for one hour.
Virtual machines on the computer must therefore use NAT (not bridged) networking, because a bridged VM presents a second MAC address on the port. Own switches are not permitted on the ports.
There is a web portal for Dyport at https://dyport.zih.tu-dresden.de with the following tabs:
- "Overview" tab: lists the computers that have been registered under the logged-in ZIH user name.
- "Add device" tab: the resources listed under the "Resources" tab can be selected in the "VLAN:" pop-up field. The hardware MAC address of the device to be registered is entered in the "MAC address:" field. "Expiry date" and "Comment" can be chosen freely.
- "Resources" tab: list of all resources (VLANs and VPN) usable by the logged-in user name. In case of doubt, your network administrator can tell you which VLAN is available in which building.
- "Help" tab: help on Dyport for users and admins.
MAC Authentication Bypass (MAB)
The MAC address of the computer is used to carry out the network assignment when the network connection is activated. The MAC address must be known in the Dyport portal. Each MAC can only be entered once. The network assignment can be changed in the Dyport portal.
If the requested VLAN is not available at the location, the Dyport system selects a fallback network, if one exists; building, facility, network type and connection are taken into account.
Unknown devices are assigned to the guest network if the connection is in a location that is not accessible to the public. At publicly accessible locations, unregistered devices are meant to get no network connection at all.
Determining the MAC address of a computer
- Windows:
Open a cmd window and enter "ipconfig /all". Under "Ethernet adapter Ethernet:" you will find
Physical Address . . . . . . . . : aa-bb-cc-dd-ee-ff
Use the address of the wired Ethernet adapter, not that of a Wi-Fi, Bluetooth or tunnel adapter listed in the same output.
- Linux:
In a terminal, enter
dmesg | grep eth0
If it reports "enpXXXXX: renamed from eth0", look for enpXXXXX instead of eth0 in the output of
ifconfig -a
eth0 Link encap:Ethernet HWaddr aa:bb:cc:dd:ee:ff
or
enpXXXXX Link encap:Ethernet HWaddr aa:bb:cc:dd:ee:ff
- MacOSX:
"System Preferences" --> "Network" --> click on the Ethernet device in the left column, then click "Advanced" on the right; under the "Hardware" tab you will find
MAC Address: aa:bb:cc:dd:ee:ff
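The following script is an added example (not ZIH code) that pulls the MAC address out of the command output shown above and checks that it can actually be the hardware address of the Ethernet port. It handles the Windows "ipconfig /all" format, the "ifconfig" format shown above and the output of "ip link", the iproute2 command that has replaced ifconfig on current Linux systems. The two sample outputs, the interface names and the addresses in them are constructed. A MAC with the locally-administered bit set (a VM bridge, a container bridge or a randomized address) or with the multicast bit set is rejected, because only the burned-in address of the NIC belongs in the Dyport form.

```python
"""Pull candidate MAC addresses out of the command output shown above and flag
the ones that cannot be the hardware address you register in Dyport. Added
example, not ZIH code; the two sample outputs are constructed."""
import re

# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff (Windows) or aabb.ccdd.eeff (Cisco style).
# The lookarounds reject longer hex identifiers such as a 14-byte DHCPv6 DUID or the
# 8-byte address Windows prints for a Teredo tunnel adapter.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:.-])"
    r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
    r"(?![0-9A-Fa-f:.-])"
)


def normalize_mac(text: str) -> str:
    """Return the address in the lower-case colon form (aa:bb:cc:dd:ee:ff)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_flags(mac: str) -> dict:
    """Properties of a normalized MAC that rule it out as a NIC's burned-in address."""
    first = int(mac[:2], 16)
    return {
        "multicast": bool(first & 0x01),             # I/G bit: group address, never a NIC
        "locally_administered": bool(first & 0x02),  # U/L bit: randomized, VM or bridge address
        "unspecified": mac == "00:00:00:00:00:00",
    }


def find_macs(output: str) -> list:
    """All distinct MACs in the output, in order of appearance, with their flags."""
    found = []
    for m in _MAC_RE.finditer(output):
        mac = normalize_mac(m.group(1))
        if any(f["mac"] == mac for f in found):
            continue
        flags = mac_flags(mac)
        found.append({"mac": mac, **flags, "usable": not any(flags.values())})
    return found


def usable_macs(output: str) -> list:
    """Only the addresses that can be entered into the Dyport 'MAC address:' field."""
    return [f["mac"] for f in find_macs(output) if f["usable"]]


# Constructed sample of "ipconfig /all" (Windows)
WINDOWS_SAMPLE = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 3C-52-82-1A-2B-3C
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-1B-2C-3D-3C-52-82-1A-2B-3C
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1234%12

Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Constructed sample of "ip link" (Linux, iproute2); "ifconfig -a" output is scanned the same way
LINUX_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 3c:52:82:1a:2b:3c brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for name, sample in (("Windows", WINDOWS_SAMPLE), ("Linux", LINUX_SAMPLE)):
        print(name, usable_macs(sample))   # -> ['3c:52:82:1a:2b:3c'] for both
```

In the Linux sample the docker0 bridge address 02:42:ac:11:00:01 is dropped because its first octet has the locally-administered bit set; the broadcast address after "brd" is dropped as multicast. Note that the placeholder aa:bb:cc:dd:ee:ff used on this page has that same bit set (0xaa = 1010 1010), so the check would reject it too; a real burned-in address has it clear.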
Registering a MAC address for Dyport
- Log in to the website https://dyport.zih.tu-dresden.de
- Click on the "Add device" tab
- Under "VLAN:", select the resource to which the MAC address is to be assigned (if necessary, ask your IT administrator which one this is)
- Under "MAC address:", enter the MAC address determined for the Ethernet port of your device (see above for how to determine it)
- If necessary, select an "Expiry date:" and describe the device under "Comment:"
- Click on "Submit"
After approx. half an hour your device is registered in Dyport via its MAC address and then receives the correct network access. Until then the port treats it as an unknown device, i.e. it lands on the guest network or gets no connection, as described under MAB.
802.1X
802.1X is used for secure authentication on the network. The PC's supplicant transmits the desired VLAN name together with a valid authentication (e.g. user name/password). The supplicant needs the following settings:
- Authentication: Tunneled TLS (TTLS)
- Outer identity: zih-login@vlan-name
- Certificate: Link
- Inner authentication: PAP
- Inner identity: zih-login@vlan-name
With TTLS/PAP the password travels in plaintext inside the TLS tunnel, so the supplicant must be configured to verify the server certificate against the certificate linked above; without that check a rogue authenticator could present its own certificate and collect the credentials.
Convenient network managers are available for this under Linux. The supplicant included in Windows has no user interface for switching between different networks. AnyConnect, which is recommended for VPN, can be extended with the NAM (Network Access Manager) module to provide a convenient user interface, in which the network assignment can be changed at any time. If the requested VLAN is not available at the location, no alternative network connection is established: a VLAN that exists at the location must be selected to get a connection. To use the automatic fallback of MAB instead, a profile without network authentication in the supplicant's user interface and an entry in the Dyport portal are required.
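The following model is an added example (not ZIH code) that puts the rules from the MAB section and from this 802.1X section side by side: a registered MAC gets its VLAN or a local fallback, an unknown MAC gets the guest network in a closed room and nothing at a public location, an 802.1X identity of the form zih-login@vlan-name gets exactly the VLAN named in the identity or nothing, and a second MAC address on a port shuts the port for one hour. The VLAN names, buildings, MAC addresses and the per-site fallback table are assumptions made for the example; how Dyport actually picks a fallback is not published on this page.

```python
"""Model of the port-assignment rules described for Dyport: MAB with fallback
and guest network, 802.1X without fallback, and the one-hour shutdown when a
second MAC address shows up on a port. Added example, not ZIH code; the VLAN
names, buildings and MAC addresses are made up."""
from dataclasses import dataclass, field
from typing import Optional

DISABLE_SECONDS = 3600   # page: port deactivated for one hour on more than one MAC
GUEST = "guest"          # the restricted guest network


@dataclass
class Site:
    building: str
    public: bool                                   # publicly accessible location?
    vlans: set                                     # VLANs that exist in this building
    fallbacks: dict = field(default_factory=dict)  # requested VLAN -> local substitute (assumed)


@dataclass
class Port:
    macs_seen: set = field(default_factory=set)
    disabled_until: int = 0                        # unix time until which the port stays shut


@dataclass
class Decision:
    network: Optional[str]                         # VLAN name, GUEST, or None (no connection)
    reason: str


# Dyport registry entries: MAC address -> requested VLAN (hypothetical)
REGISTRY = {"3c:52:82:1a:2b:3c": "vlan-lab"}


def split_identity(identity: str):
    """'zih-login@vlan-name' -> (login, vlan); with 802.1X the identity carries the VLAN."""
    login, sep, vlan = identity.rpartition("@")
    if not (sep and login and vlan):
        raise ValueError(f"identity must look like login@vlan: {identity!r}")
    return login, vlan


def decide(site: Site, port: Port, mac: str, now: int,
           dot1x_identity: Optional[str] = None, dot1x_auth_ok: bool = False) -> Decision:
    mac = mac.lower()
    if now < port.disabled_until:
        return Decision(None, "port disabled")
    if port.disabled_until:                  # shutdown period is over: start fresh
        port.disabled_until = 0
        port.macs_seen.clear()
    port.macs_seen.add(mac)
    if len(port.macs_seen) > 1:              # bridged VM, private switch, ...
        port.disabled_until = now + DISABLE_SECONDS
        return Decision(None, "port disabled for 1 h: more than one MAC address")

    if dot1x_identity is not None:           # 802.1X: the VLAN is taken from the identity
        if not dot1x_auth_ok:
            return Decision(None, "802.1X authentication failed")
        _, vlan = split_identity(dot1x_identity)
        if vlan in site.vlans:
            return Decision(vlan, "802.1X")
        return Decision(None, "802.1X: requested VLAN not available here, no fallback")

    requested = REGISTRY.get(mac)            # MAB: look the MAC up in the registry
    if requested is None:
        if site.public:
            return Decision(None, "unregistered device at a public location")
        return Decision(GUEST, "unregistered device in a closed room")
    if requested in site.vlans:
        return Decision(requested, "MAB")
    fallback = site.fallbacks.get(requested)
    if fallback in site.vlans:
        return Decision(fallback, f"MAB fallback for {requested}")
    # The page does not say what happens without any fallback; treated as no connection here.
    return Decision(None, f"MAB: {requested} not available here and no fallback")


if __name__ == "__main__":
    office = Site("Building A", public=False, vlans={"vlan-office"},
                  fallbacks={"vlan-lab": "vlan-office"})
    port = Port()
    print(decide(office, port, "3c:52:82:1a:2b:3c", 1000))            # MAB fallback -> vlan-office
    print(decide(office, port, "02:42:ac:11:00:01", 1001))            # second MAC -> port disabled
    print(decide(office, Port(), "00:11:22:33:44:55", 1000,
                 dot1x_identity="mmuster@vlan-lab", dot1x_auth_ok=True))  # 802.1X, no fallback -> None
```

The two paths differ exactly where the page says they do: the MAB path consults the fallback table and the guest network, the 802.1X path never does, so a supplicant profile that names a VLAN absent from the building yields no connection at all.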
Guest network
The "guest network" is the network to which a computer not registered in Dyport is connected at Ethernet ports in closed rooms (fallback). The guest computer receives a private IP address, which is translated to a routed IP address to reach the Internet (NAT = Network Address Translation). Access to the Internet is also restricted. The following services are enabled for the guest network:
Service | Ports | Destinations |
---|---|---|
icmp | echo, unreachable | any |
named, dns | udp/53, tcp/53 | 141.30.1.1, 141.76.14.1 |
web | tcp: 80, 443, 8080, 8443 | any |
mail | tcp: 465, 993, 995, imap4, pop3, 587 | any |
ftp | tcp/21 | any |
ssh | tcp/22 | any |
VPN | ESP, udp: 443, 500, 4500, 10000 | any |
ntp | udp/123 | 141.76.10.160, 141.76.32.160 |
All other connections are not allowed.
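The table above can be turned into a small allow-list checker, which is useful for verifying the filter from a guest port or for explaining why a particular connection fails. The following is an added example (not ZIH's filter configuration): it encodes the rows as rules, resolves the named services imap4 and pop3 to their standard ports 143 and 110, and evaluates constructed sample flows, with destinations in the 192.0.2.0/24 documentation range unless a table destination is meant.

```python
"""Encode the guest-network allow-list from the table above and evaluate
connections against it. Added example, not ZIH's filter configuration; the
sample flows are constructed and use TEST-NET addresses."""
import ipaddress
from dataclasses import dataclass

IANA_PORTS = {"imap4": 143, "pop3": 110}   # standard ports for the services the table names


@dataclass(frozen=True)
class Rule:
    proto: str        # 'tcp', 'udp', 'icmp' or 'esp'
    ports: frozenset  # tcp/udp destination ports or icmp type names; empty = any
    dests: tuple      # allowed destination addresses; empty = any


ZIH_DNS = ("141.30.1.1", "141.76.14.1")
ZIH_NTP = ("141.76.10.160", "141.76.32.160")

RULES = (
    Rule("icmp", frozenset({"echo", "unreachable"}), ()),
    Rule("udp", frozenset({53}), ZIH_DNS),
    Rule("tcp", frozenset({53}), ZIH_DNS),
    Rule("tcp", frozenset({80, 443, 8080, 8443}), ()),
    Rule("tcp", frozenset({465, 993, 995, IANA_PORTS["imap4"], IANA_PORTS["pop3"], 587}), ()),
    Rule("tcp", frozenset({21}), ()),
    Rule("tcp", frozenset({22}), ()),
    Rule("esp", frozenset(), ()),
    Rule("udp", frozenset({443, 500, 4500, 10000}), ()),
    Rule("udp", frozenset({123}), ZIH_NTP),
)


def allowed(proto: str, dst: str, port_or_type=None) -> bool:
    """True if the guest network lets this connection out; everything else is denied."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.proto != proto.lower():
            continue
        if rule.ports and port_or_type not in rule.ports:
            continue
        if rule.dests and dst_ip not in [ipaddress.ip_address(d) for d in rule.dests]:
            continue
        return True
    return False


def parse_flow(line: str):
    """'proto dst [port|icmp-type]' -> arguments for allowed()."""
    proto, dst, *rest = line.split()
    extra = rest[0] if rest else None
    if extra is not None and extra.isdigit():
        extra = int(extra)
    return proto, dst, extra


def check_flows(lines):
    """Evaluate one flow per line; returns [(line, allowed)]."""
    return [(line, allowed(*parse_flow(line))) for line in lines if line.strip()]


# Constructed test flows (192.0.2.0/24 is the TEST-NET-1 documentation range)
SAMPLE_FLOWS = """\
tcp 192.0.2.10 443
udp 192.0.2.53 53
udp 141.30.1.1 53
tcp 192.0.2.25 25
tcp 192.0.2.25 587
esp 192.0.2.99
icmp 192.0.2.10 echo
icmp 192.0.2.10 redirect
udp 192.0.2.123 123
udp 141.76.32.160 123
"""

if __name__ == "__main__":
    for line, ok in check_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{'allow' if ok else 'deny ':5} {line}")
```

Two consequences of the table become visible when the sample flows are run: DNS and NTP only work against the listed ZIH servers, so a guest device configured for another resolver or time source gets no answer, and plain SMTP on tcp/25 is denied while submission on 587 and the TLS mail ports are allowed. The table lists only tcp/21 for ftp; an FTP data transfer uses a second connection on another port, so whether transfers work depends on the NAT tracking that connection, which the page does not say.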