NOTE, things may change!

Last updated : Mon Mar 29 21:40:21 2004

While this document attempts to be accurate, we may need to make changes (at little or no notice) to the way that the Laptop network is configured. We will make reasonable efforts to inform users of changes, especially if they are likely to affect their use of the network, but cannot guarantee availability.

At some point we hope to have a technical description of the network for those who need more detailed information or want/need to implement their own authentication clients etc. If you want to connect up something unusual, or have your own client, please let us know.

Laptop network setup

Laptop network

In order to be able to connect a machine to the CMS laptop network the machine must be configured in such a way that we can provide it with a (private) network address, set up the DNS resolver etc.

The simplest way to ensure that most things get set correctly (and automatically) is to configure the machine to obtain its network address, DNS resolver settings (and some other settings) using DHCP.

Due to the way that this network is set up, web browsers (Netscape, IE etc.) need to be configured to use our local web proxy. The simplest way to achieve this for most browsers is to configure them to load a Proxy Autoconfiguration Script from the URL:

which contains all the needed settings.

To aid with setting things up we have more detailed instructions for some common types of machines/browsers:

For any other type of system you may need to ask for help.

Network Time config

If you plan to configure your machine to use a network time server (NTP), this should be able to use the settings picked up from the DHCP server. If your system does not pick up the settings automatically then you should set the NTP software to use:
as the server address, e.g. on Unix systems edit the file /etc/ntp.conf or /etc/inet/ntp.conf etc. to contain the line:

     server version 3
For instructions on how to configure other operating-systems to use NTP see (for example), Robin Walker's cmtips page, though please remember to enter as the NTP server!


NOTE: Printing as described here only works if you are authenticated. If you are not, the print jobs will be silently dropped.

We support 2 methods of printing from laptop client machines:

See the how to print document for more details.


Once you have a machine configured and plugged into the Laptop network, you can already do some things without any further effort: If you need to do other things such as: etc, you will need to authenticate against the laptop server.

There are 2 ways to authenticate, with the tool provided (download from here), or via a web browser (if you don't want to use the provided code).

We currently have the following versions of the Laptop authentication tool for download:

Last updated 2004-Jul-19 JSP.

You may have to Shift-Click the appropriate link to get your browser to download it.

To use this tool, download it and run it. Windows users may wish to create a Shortcut to the lauth.exe program including their login-name on the command line. This will start the program defaulting the Username to this value. Similarly unix users might start lauth or lauth.tcl from a shell script or create a shell function or alias with their login-name on the command line.

The Windows and Intel/Linux executables were built from the TK/TCL with freewrap, version 0.561 (the linux lauth.glibc21 version uses version 0.54).

The Linux lauth.glibc21 binary is suitable for use on systems with glibc 2.1 (and 2.2), e.g. RedHat 6.0 through 8.0. The Linux lauth binary is needed for versions which ship with glibc 2.3 (e.g. RedHat 9), although it also seems to work on our RedHat 8 systems (which have updated versions of glibc). In general, test the lauth binary first, and only if that fails try the .glibc21 version.

The MacOSX version was built with TclTkAquaStandalone-8.4.2; see the tcl sourceforge project for details. To install this, download the file and double-click the .dmg file; this will mount it as a disk-image. Copy the Lauth application onto your local disk so you can run it without needing to mount the .dmg file each time. Note that while the .dmg file is only ~2M, the application is nearly 7M when installed since the .dmg file is in a compressed format.

The TK/TCL and expect versions may (of course) need the path to wish or expect editing. You probably need to make them executable as well of course.

Anyone who finds any problems with these or wants to volunteer to loan us any systems not currently supported should contact in the first instance.

Running lauth you should see something rather like:

lauth running

Enter your login name and password and hit the Login button. This should be sufficient. To stop lauth before logging out or unplugging the network, use the Logout button. The Quit menu item will logout (if you are logged in), and exit from the application.

To authenticate with a web browser, start the browser and go to the URL:

This will prompt for a username/password (issued when you applied to use the laptop network).

auth dialog

Once you have authenticated you will see a web page which will refresh periodically. While that web page is current your machine is authenticated and can use other network facilities.

auth web page

Login details and passwords

Everything done from a machine authenticated as a user will be assumed to have been done by that user.

Do not give your password to anyone else -- this would mean that the logs would show you rather than them. While you may trust a given individual, it is against the rules [ADD LINK TO RULES?] for use of the network (we are required to be able to say who caused network traffic in case of any abuse/complaint).

Normally we would suggest changing the password you are issued with, but currently we have no good mechanism for doing this. If you believe that your password is known by someone else, please contact one of the COs and we can reset it. Hopefully this limitation will be removed soon.

NAT and Logging

Machines on the Laptop network are allocated addresses from a private range. Most forms of access to the outside world will require public addresses and so a network address translation (NAT) is done by a local server.

Occasionally you may need to use protocols which may not operate properly when used through NAT. In most cases there is another way to perform the task; please contact us if you have problems and we may be able to suggest other things to try.

Under local and national academic rules we are required to know who is using a machine before it may be permitted to use networking resources, and to keep logs should we be required to identify abuse or mis-use.

As a result we must log not only all authentications but also details of all connections attempted while a machine is using the laptop network.

Such logs are held under the terms of the Data Protection Act (1998). Some of the information logged may be sufficient to be considered an interception under the Regulation of Investigatory Powers Act (2000), though most of it is simply Traffic Data.

Of course we will keep such logs private and only disclose them as required by the authorities.


This notice is to inform users that logging of: will take place for the first packet in each set of related packets (e.g. the first in a TCP connection or flow) sent over the network.

The act of authentication/deauthentication is logged and those logs contain:

The IP address allocated to the machine and the inbound-interface contain some information about the physical location of the client machine. At some future time we may log more detailed location information (wall-port/room number etc).

In addition some actions may (of course) result in logs being stored elsewhere (e.g. on border firewalls or in web proxies elsewhere etc).
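
As an added illustration (not the site's own logging code), the sketch below shows how logging only the first packet of each flow, combined with the authentication/deauthentication records, is enough to attribute a connection to a user even when a private address is later reused by someone else. The record fields, addresses and user names are constructed assumptions, not the real log format.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample data; the field layout is an assumption for illustration.
AUTH_EVENTS = [  # (timestamp, event, user, client_ip)
    (100, "login", "alice", "10.0.0.5"),
    (400, "logout", "alice", "10.0.0.5"),
    (500, "login", "bob", "10.0.0.5"),  # same private address reused later
]
PACKETS = [  # (timestamp, proto, src_ip, src_port, dst_ip, dst_port)
    (150, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),
    (151, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),  # same flow, not logged again
    (450, "tcp", "10.0.0.5", 40001, "192.0.2.10", 22),  # nobody authenticated
    (600, "udp", "10.0.0.5", 40002, "192.0.2.53", 53),
]

def build_sessions(auth_events):
    """Per client IP, a time-sorted list of (timestamp, user or None)."""
    sessions = defaultdict(list)
    for ts, event, user, ip in sorted(auth_events):
        sessions[ip].append((ts, user if event == "login" else None))
    return sessions

def user_at(sessions, ip, ts):
    """User authenticated from `ip` at time `ts`, or None if unauthenticated."""
    timeline = sessions.get(ip, [])
    i = bisect_right([t for t, _ in timeline], ts) - 1
    return timeline[i][1] if i >= 0 else None

def log_new_flows(packets, sessions):
    """Emit one record per flow: only the first packet of each 5-tuple.

    A real state table would also expire idle flows; omitted here.
    """
    seen, records = set(), []
    for ts, proto, sip, sport, dip, dport in packets:
        flow = (proto, sip, sport, dip, dport)
        if flow in seen:
            continue
        seen.add(flow)
        records.append({"time": ts, "flow": flow,
                        "user": user_at(sessions, sip, ts)})
    return records

if __name__ == "__main__":
    for rec in log_new_flows(PACKETS, build_sessions(AUTH_EVENTS)):
        print(rec)
```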