VT Open WiFi - Technical Information

Summary
The Division of Information Technology (DoIT) will transition current guest WiFi access from a captive portal (known as VirginiaTech) to a restricted open WiFi network on July 8, 2024. The new service network name (SSID) is VT Open WiFi. This cost-neutral transition will be implemented in all Network Infrastructure and Services (NI&S) WiFi service locations. This change will streamline access to online resources and enhance the overall guest user experience. VT Open WiFi is intended for the following use cases:

  • University visitors and guests, meaning anyone unaffiliated with the university wanting to access the internet.
  • Virginia Tech students, employees, or other affiliates with commodity Internet of Things (IoT) devices that do not support the 802.1X network authentication protocol required for eduroam connectivity. 
     

VT Open WiFi will be isolated from the rest of VT’s networks, just like the current guest SSID VirginiaTech. All VT Open WiFi device traffic will appear as originating from outside the campus network border. These devices must pass the border access controls and have no access to privately addressed systems.

Why is Virginia Tech Doing This?
The university’s current guest WiFi service uses a web-based captive portal requiring guest credentials. Currently, visitors to Virginia Tech must complete a five-step process to gain network access, frequently resulting in a failed or frustrating experience.

Factors that further motivate this change in service strategy include: 

  • Browser and user system security protocols and technologies, which create issues with captive portals,
  • Known locations on our campuses and sites with congested, reduced, or no signal, hindering the receipt of required credentials, 
  • Lack of access to local cellular providers for international visitors, and
  • The inability of many commodity IoT devices to use eduroam, which creates a need to register device MAC addresses in a separate web portal. This is a challenging process for less technical users, often resulting in 4Help support requests.
     

Solution
The Division of Information Technology (DoIT) will offer an open WiFi network in July 2024. The open WiFi network VT Open WiFi will not present a captive portal and will not require any user credentials. Guests may instantly connect and have full access to the internet with limited access to VT resources. All devices in the open network will be considered off-campus in the network topology and subjected to the same border restrictions as off-campus sources. 

With restricted open WiFi, commodity IoT devices (gaming systems, streaming media devices, etc.) that cannot utilize eduroam can connect to VT Open WiFi without registering their device’s MAC address. The current departmental and personal device registration service will remain for students, faculty, staff, or VT-sponsored users whose devices need to access restricted VT resources. Continued support for the device registration service will be reevaluated in the future based on user demand.

DoIT will continue to comply with state law, federal law, and university policy. Using host-based access controls, Virginia Tech application administrators will have the ability to limit access to their services from the restricted open network, as defined by their security posture/strategy. Applications using private IPv4 addressing (172.16-31.x.y and 10 net) will be inaccessible from the open guest network. This is equivalent to how these applications are inaccessible from the internet.

DoIT will be able to identify devices on the network and deny access to any device, if warranted, due to violations of applicable laws, regulations, and university policies.

What about eduroam? 
eduroam will continue to be the primary WiFi service for all Virginia Tech students, faculty, staff, and VT-sponsored users whose devices support the IEEE 802.1X authentication standard. These devices typically include laptops, smartphones, and tablets. Other devices that do not support the IEEE 802.1X authentication standard should connect to VT Open WiFi, including most commodity IoT devices such as gaming consoles, smart TVs, streaming media devices (Roku, AppleTV, Amazon Fire Sticks), and smart speakers.

What’s happening to the current VirginiaTech SSID?
The VirginiaTech SSID will be decommissioned shortly after VT Open WiFi is deployed to provide ample opportunity for users to transition their devices to VT Open WiFi. The decommissioning of VirginiaTech will occur on July 19, 2024. The current WiFi service for sponsored and non-sponsored guests will be decommissioned with this change.

What will happen to devices connected to VirginiaTech when VT Open WiFi is deployed?  
VirginiaTech will remain operational until July 19, 2024. This will provide two weeks for device owners to transition to the new VT Open WiFi SSID. Most devices do not need to communicate with any Virginia Tech resources, so they will be eligible to connect to VT Open WiFi without registering their MAC addresses.

Will VT Open WiFi have a cost? 
There is no direct cost to end users of this service. This service is provided as an amenity and convenience to university visitors as well as faculty, staff, and students. The service is centrally funded.

New IP allocations 
All VT Open WiFi traffic will be sourced from the following blocks of IP addresses:

  • IPv4: current 172.25.0.0/16 → new 100.64.0.0/10
  • IPv6: no change → remains 2607:b400:0a00::/40

The IPv4 addresses are not globally routable. All traffic to the internet will be NAT’d just like all current wireless traffic. Traffic to/from allowed on-campus destinations will not be NAT’d.
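The host-based access control mentioned under Solution depends on recognizing these source blocks on the server side. The following is an added example, not NI&S or DoIT code: a Python check that classifies a peer address against the blocks listed above, including the IPv4-mapped IPv6 form that dual-stack listeners report. The function names, the policy flag, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Source blocks stated on this page for VT Open WiFi clients.
OPEN_WIFI_NETS = [
    ipaddress.ip_network("100.64.0.0/10"),        # new IPv4 block
    ipaddress.ip_network("2607:b400:0a00::/40"),  # IPv6 block (unchanged)
]
# IPv4 block in use before the change; match it while both may appear.
LEGACY_NETS = [ipaddress.ip_network("172.25.0.0/16")]


def normalize(raw):
    """Parse a peer address; unwrap ::ffff:a.b.c.d to plain IPv4."""
    addr = ipaddress.ip_address(raw.strip().split("%")[0])  # drop zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_open_wifi(raw, include_legacy=True):
    """True if the peer address falls in a VT Open WiFi source block."""
    addr = normalize(raw)
    nets = OPEN_WIFI_NETS + (LEGACY_NETS if include_legacy else [])
    return any(addr.version == n.version and addr in n for n in nets)


def decide(raw, service_allows_guests):
    """Guest-network rule only: 'deny' guests when the service excludes
    them, and deny anything that does not parse as an IP address."""
    try:
        guest = is_open_wifi(raw)
    except ValueError:
        return "deny"
    return "deny" if guest and not service_allows_guests else "allow"


# Constructed sample peers, not taken from any real log.
SAMPLES = ["100.64.12.7", "::ffff:100.100.3.9", "2607:b400:0a12:34::5",
           "2607:b400:0b00::1", "100.128.0.1", "172.25.8.8", "not-an-ip"]

if __name__ == "__main__":
    for peer in SAMPLES:
        print(f"{peer:24} {decide(peer, service_allows_guests=False)}")
```

Because only traffic to allowed on-campus destinations skips NAT, a check like this is meaningful on on-campus servers; an internet-hosted service sees the translated address instead.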

Why should VT students, faculty, staff, and sponsored users continue using eduroam?  
We aim to improve service delivery and user experience by streamlining access to online resources for university guests, residents, and employees. We understand that most members of the university community will be able to function on the VT Open WiFi service. However, eduroam is preferred for the following reasons:

  • eduroam is available at 3300 locations worldwide, keeping you connected while you roam.
  • eduroam ensures continued access to academic and administrative services. This may not be the case with VT Open WiFi.
  • Students, faculty, staff, and sponsored users using VT Open WiFi who open trouble tickets with 4Help will be instructed to move to eduroam as a first step in the troubleshooting process.
  • Individual access to VT Open WiFi may be suspended or terminated at any time at the university’s sole discretion without notification and without remediation.

Device Registration Service
NI&S within the Division of Information Technology will continue providing personal and organizational device registration services (MAC registration). This allows devices to appear internal from a network topology perspective. The device registration services will be assessed in the future to determine if they are still providing value to VT or if the VT Open WiFi service will meet the need on its own. 

Domain Name System (DNS) 
All clients connected to VT Open WiFi will receive DHCP leases configured to use the VT DNS Firewall (RPZ DNS) servers. This means that guests will not be able to access TikTok and WeChat.

Restricted Network 
All unregistered devices using VT Open WiFi will be placed in the restricted network. This network will have full access to the internet (including cloud-based VT services) and restricted access to VT on-premise services and applications. The restrictions include:

  • Inbound/outbound campus border blocks (SSH, SMTP, RDP),
  • No access to applications using private IPv4 addressing (172.16-31.x.y and 10 net), and
  • IP restrictions on campus applications and servers. Server administrators may deny access to their servers/services according to their security posture/strategy. This is implemented outside of NI&S knowledge. NI&S will have no knowledge of which applications are reachable or not.

Will VT Open WiFi have any usage limits or constraints?
NI&S will not apply any bandwidth rate limits, device connection timeouts, or limit the number of devices allowed on VT Open WiFi.

Compromised Accounts 
A compromised user will be denied access to eduroam and VPN. Any active connections will be terminated. They may regain access via the VT Open WiFi service. This provides a more effective way for the user to contact 4Help for remediation steps. 

Abuse Incidents 
Under the direction of the IT Security Office (ITSO), NI&S will have the ability to deny access to a device on VT Open WiFi based on the device's MAC address.