This role is assigned to workstations (Windows, macOS, Linux) that are well-managed by Ohio State IT (Information Technology) teams but are not assigned to an individual faculty, staff, or student employee. Most computer labs, classroom workstations, kiosks, and similar devices will be assigned to this network role. Certificate authentication and authorization (via Shared Directory and Endpoint Services) are required. Some network switch ports are statically assigned to this role to facilitate remote re-imaging of labs and classrooms.
Network role at a glance:
- Wi-Fi (eduroam) and wired connectivity options available
- Public IP addressing
- DHCP reservations are not supported; dynamic DNS is used instead
- All outbound traffic permitted
- Inbound traffic limited to management tools
Network Role Characteristics
Aliases for this role include:
- public workstation
- osulan-public
Network Traffic Permissions
No outbound traffic limitations are applied to this network role.
Inbound traffic is limited to:
- IT management tools (e.g., Active Directory, Config Manager, Jump hosts, etc.)
- Remote access tools (e.g., Guacamole, RDP gateway, etc.)
How to connect
Ohio State IT staff must configure the device to use a computer certificate to connect successfully to this network role. The device’s certificate must be issued and chained to a root that has been trusted by OTDI (Office of Technology and Digital Innovation) network authentication and authorization services. If the device is bound to Shared Directory and Endpoint Services (including Ohio State’s Jamf), that trust is already in place. Reach out to OTDI Networking with any questions regarding certificate issuance for network authentication and authorization. Once configured, connect the device to a wired port on OTDI’s Managed Network Service or choose eduroam from the list of Wi-Fi networks.
IP (Internet Protocol) Addressing
Devices placed in the public workstation role are assigned to publicly routable IP address space. All IPv4 addresses are dynamically assigned through DHCP, and address reservations are not supported. IPv6 addresses are established through IPv6 router advertisements and neighbor discovery processes.
After an endpoint receives an IP address, the campus DHCP service dynamically creates a DNS A record for it in the DNS zone bcd.it.osu.edu. For example, an endpoint with hostname “OH12345678” would have a DNS record of OH12345678.bcd.it.osu.edu. If the endpoint has no configured hostname, the MAC address of the device will be used instead.
Additional Information for IT Teams
CMDB configuration records in ServiceNow for these public workstations will indicate a Network Role value of “Public”. This network role is functionally identical to the standard workstation network role but has been segmented so network access policies can be applied differently for public workstations.
For instance, firewall rules can be written to allow standard workstations access to specific applications and services while disallowing access from public-facing workstations.