One Campus, Many Devices
Print Issue: May 2014
Want to get on the wireless network at North Dakota State University (NDSU)? It used to be that you had to get in a long virtual line to get your devices authenticated, until NDSU came up with a solution that balances security with convenience.
Located in Fargo, the university is ranked by the Carnegie Commission on Higher Education among the top 108 public and private universities in the country. With an enrollment of more than 14,000 students and more than 6,200 employees, the campus information technology division has to grapple with the challenge of thousands of devices connecting to the university network 24 hours a day, seven days a week. “The average student or employee typically has two to three wireless devices connected to the network at a given time,” says Theresa Semmens, chief information technology security officer at NDSU. During the academic year, more than 20,000 unique devices per week connect to wireless.
The types of devices on the campus network are vast. For its faculty and staff, which includes some student workers as well as full- and part-time employees, NDSU issues mobile devices. In addition, the campuswide bring your own device (BYOD) policy greatly diversifies the types of devices authenticating to the university network. “Since we are a university with residence halls, we have absolutely everything trying to show up on our network, from PlayStation 3s to Wiis to laptops,” adds NDSU senior software engineer Richard Frovarp. “So there’s been a bit of a challenge there, especially when it comes to consumer devices.”
To meet the high demand of devices on the network, the IT department recently completed a major project to expand wireless points of access across campus. This three-phase project included upgrading the electrical infrastructure in the university’s data center to handle the influx of data that would come with the additional wireless traffic, upgrading existing wireless access points in classrooms, and replacing wireless routers in the high-traffic public areas on campus. Now, NDSU has 851 wireless access points on its main campus, up from just 24 in 2005.
But even with more points of access and an upgraded wireless network, the IT department was still left with a major challenge: creating and maintaining secure certificates for every user. These certificates allow all the devices maintained by a specific user profile to securely authenticate onto the network.
When it comes to managing a Wi-Fi network, organizations typically do one of two things. They can allow for public access of their Wi-Fi networks, which wouldn’t require a username and password, or they can have a user log on each time. If they leave their network open for any users, unwanted or unauthorized devices can come on the network. However, protecting the network with usernames and passwords can add work for the IT staff in resolving help desk issues with forgotten passwords and account lockouts.
Certificates provide a more nuanced solution for authenticating users. Certificates are electronic files generated by a network’s central server that contain some type of information identifying the user of each device. When these files are installed on a device, a user can be authenticated onto the network because they are “trusted,” as the network recognizes their certificate.
In August of last year, the IT team at NDSU began looking into mobile device enablement solutions that would cut down on the amount of hours spent managing certificates. Eventually the IT team at NDSU came across XpressConnect from CloudPath Networks, a holistic solution that allows the university to manage its array of devices while maintaining security and efficiency.
With XpressConnect, the IT department can create certificates for all users and manage levels of access on the network for those users. IT’s workload shrinks because users can get the certificates themselves in a “self-service” manner. A certificate is generated when users log onto the network’s captive portal page, the Web page that displays the university’s acceptable use policy and prompts for a username and password. After the certificate is downloaded onto that specific device, it’s valid for however many years the network administrator determines. Each time after that the user wants to log on to the wireless network, their device is automatically authenticated.
“It takes care of generating all the certificates, authenticating the users, absolutely everything for us, and it gives us the enterprise system that controls the four major operating systems, Windows on the desktop, Android, iOS, and Mac OS 10,” says Frovarp of the solution.
The IT staff set the certificates to five years, a limit that would accommodate the complete lifecycle of most devices. “We are operating under the assumption that the device would be replaced by then, so you don’t have to worry about expiration,” Frovarp notes. He explains that having tight requirements for regularly changing passwords would be a challenge, because then every password would expire over summer when a large percentage of the student body and faculty are gone, creating a “very large support hit when school came back.” The certificate does not rely on usernames and passwords, so when a student or staff member does change a password, that certificate does not need to be reissued.
The idea behind XpressConnect is to offer more flexibility for settings like higher education where a plethora of users with multiple devices might need different privileges. Traditionally devices are either untrusted or completely trusted. XpressConnect allows companies to create those midpoints in between when determining privileges for different devices.
Frovarp says that IT did run into some challenges when deploying XpressConnect. When NDSU initially rolled out the system, users who were attempting to log on to the network were directed to the captive portal page. The portal wasn’t allowing them to authenticate because XpressConnect was checking for a root certificate that many of the devices hadn’t seen before. “We learned [that] on the first day when all the students showed up, and we were able to work with network engineering to correct that,” he says.
XpressConnect has provided other benefits for the university students who operate beyond the campus boundaries. NDSU is a member of the eduroam network, a program that allows students to connect seamlessly to networks at other participating higher education institutions. With XpressConnect, IT has set up the enrollment process to automatically sign devices up on the eduroam network as well.
Steve Sobiech, acting executive director of enterprise computing and infrastructure and IT help desk manager at NDSU, says that the queue of issues to troubleshoot for students and staff has been greatly reduced since NDSU rolled out XpressConnect. He notes that every device is unique, depending on what applications are installed and specific settings the user might have configured on it, but most people find that registering the certificate is easier and takes fewer steps.
Marc Wallman, interim vice president for information technology, notes that before implementing CloudPath’s product, NDSU’s IT staff could hardly keep up with all the devices that started showing up on the network. “We just couldn’t do it. Before we did this we had lines like crazy at the start of the semester when all the students were coming back, bringing all their own devices,” he says. “That was really the main initiator for us—that this offered a way to be able to onboard these devices without us having to go through and know the nuisance of every single product.”