Since everyone has been talking about tools they use today, I thought I’d expand the question of management tools to include NAC. I’m using Bradford Networks’ Campus Manager and I’m looking at a pretty big price tag to upgrade it to meet our capacity needs. What is everyone else using? Are you happy? Is it worth the money?

 

I’m especially interested in anyone using NAC at sites with over 30,000 wired ports and a fairly large wireless network (in my case 1400 Aruba access points).

 

Thanks,

Bruce

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We use Bradford with 36,000+ ports and pushing toward 1900 access points. I loved the price when we first purchased it but that was back in 2004. I thought it was worth every penny spent on it. 2005 was better when they came out with CSA.

I have seen quotes for new installations of our size and after I choked a bit, I would have to seriously think about every solution out there now. When you cross our Board of Trustees' threshold for what requires their approval, it becomes a huge project. We missed a lot of that because of getting in early and all the work we do with them.

I still like their solution, but we have also leveraged the heck out of it so moving to another platform would require a ton of rewriting existing tools that use the data from Bradford. I have mentioned to them the issue with their prices being a bit excessive now. While I know they are competing against Cisco and Cisco's ridiculous list prices, Cisco also can give you 50-60+% discounts off list price. I still think it is a great solution though. Try getting Cisco to give you access to your data in their database. :-)

Mark…

From: "Klein, Bruce E."
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv
Date: Thu, 1 Dec 2011 16:22:31 -0500
Subject: [NETMAN] Network Access Control

We're running CM with ~23000 wired ports and just over 400 Aruba APs, using two pods (NAS/NCS pairs), on the latest software. It is not without its faults, and it is decidedly running more than the recommended load for our hardware, but it is generally tolerable given the payback. The biggest complaints are the usual ones you get with any NAC -- nobody seems to be happy about registering their devices, patching their systems, or being quarantined for virus activity. Of the three, we have relaxed the policy/patch/remediation over time and now employ the "delayed remediation" where you simply get warned about compliance without being forced to remediate for a period of time.

All of resnet and wireless is managed, and we have about 2/3 of the campus and growing.  We will be expanding wireless going into next fall but won't be anywhere near your 1400 count.

We run a mix of Cisco, HP, Foundry/Brocade, and 3Com switches in addition to the Aruba wireless. 

Our network is highly segmented (VRFs plus role-based subnets/vlans) as opposed to the more typical university flat approach.  With that said, it has taken a number of years to get to this point (from a typical flat network, with the associated headaches).

There isn't much competition when it comes to being vendor-agnostic as well as supporting real role-based layer-2 / vlan separation.  If you are willing to give up one or more of those, there are other alternatives.

We have tried other scenarios, from home-grown, to NetReg, to Perfigo, and Clean Access.

Jeff

The question in my mind is: Why do we need NAC? Given all the costs and headaches, both labor and vendor costs, do we really get a return on our investment that justifies it?

 

Pete M.

 

On 12/1/2011 6:32 PM, Peter P Morrissey wrote:

> The question in my mind is: Why do we need NAC? Given all the costs and headaches, both labor and vendor costs, do we really get a return on our investment that justifies it?


If you take the SANS point of view with regard to security controls (assuming we need security controls) then some form of NAC or a very reasonable facsimile thereof is required for a number of them (most notably #1):

20 Critical Security Controls - Version 3.0

   http://www.sans.org/critical-security-controls/

The same essential list is also from CSIS,

   http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf

Jeff

Hi, Bruce.  We have an Aruba wireless system too, but with about 5% of the AP’s you have.  We have Impulse Point Safe*Connect as our NAC and have been very happy with it.  Safe*Connect integrates with Aruba, allowing newly connected users to be assigned a limited role in the controller (i.e. only access to remediation sites) and then get promoted to a better role upon achieving compliance with NAC policies.  For wired ports, it does Layer 3 switch manipulation to put newly discovered users into quarantine until they meet requirements.  The product is delivered as a managed service, whereby we have a small server in a rack that they do all the maintenance on.  We have a control panel where we can manipulate the policies that we want the system to enforce, and it just works.  It works so well, I managed to forget how to get into the control panel because I didn’t need to for almost a year.  Our old NAC system required a lot more attention, and I don’t miss it.

 

I would be happy to discuss off line if you would like more feedback…

 

Cheers!

Charlie

Charlie Prothero
Chief Information Officer
Keystone College
Information Technology Building
One College Green
P.O. Box 50 • La Plume, PA 18440-0200
570-945-8015

 

 

That’s actually a good answer, thank you for sharing it. I had not seen these, and I wouldn’t be inclined to argue with CSIS or SANS when it comes to security. Where it gets interesting is when you break it down. I do believe you need some aspects of NAC, but wondering if it is all needed in the most conventional sense. For example, we already do Critical Control 1 through 802.1x as well as other means. I don’t see a way of avoiding the need for that for a number of reasons. I think Control 2 starts to raise some questions. Here I think is where we have to clarify in our minds our different groups, as well as our goals. I think we have to separate students and staff/faculty. For students I don’t ever see us inventorying their software. I don’t think anyone does that today even with NAC unless you are looking for P2P software. For staff and even now for faculty we are using AD to do all of that and more for devices that handle any sensitive information (including disk encryption). But is it our responsibility to prevent data loss for student devices? In my humble opinion, the answer to this question is no. Is it our responsibility to attempt to prevent their devices from getting infected? I think some make a pretty good case that it makes some sense for us to take some reasonable measures if we can, but as soon as they move off campus, they don’t have such controls and they seem to survive along with all the other grownups who are left to deal with this on their own.

 

The reason we started using vulnerability assessment and enforcement features of NAC was really to prevent our network from being taken down by a worm based attack in order to ensure that we can provide a reliable network service. This feature allows us to make sure Windows auto updates and the firewall are turned on and check for updated AV software. Given Mac OS and Windows have been coming with the firewall turned on by default for quite a while, I wonder if this is as important. Sure, some will turn it off, but how likely is it to have a network based attack given that most of them will likely have no inclination to go in and turn off the firewall? I would also say plenty of individual student machines get infected in spite of having AV software running on them. In our case we now have students using more Macs than PC’s and we don’t do any vulnerability assessment or enforcement on those devices. I realize some schools do require AV software for Macs, but I don’t know how effective this is at preventing security issues with Macs. I don’t believe there is a way on a Mac to require automatic auto updates of the OS though.

 

Another thing that NAC does is give us the ability to quarantine systems. Without some type of NAC, we do have the ability to get machines off the network, but what we would miss is the ability to display a web page informing the student of the reason and possibly giving them the limited access they might need to remediate a problem. But that feature is fairly easy to implement without a full-fledged NAC system.

 

Pete Morrissey

 

The question of ‘to NAC or not to NAC’ also has roots in your interpretation of CALEA. Some interpretations suggest that you can be considered a private network, and therefore not subject to CALEA, if you know who is using your network when and from where.

 

We use Campus Manager on the campus except for the dorms (because we outsourced the dorms to Time Warner Cable). When their device is off the dorm network, it must be registered. We do not use the NAC for wireless as we have Aruba and they must authenticate to use it.

We are also looking into the NAC market for another reason: we are in the beginning stages of IPv6 deployment. Anyone out there know of a NAC that is fully IPv6 ready, or will be in the next 6 months?

 

 

---- Mark

Mark Bauer
Assistant Director of Network and Technical Services
Network Administrator
Skidmore College
815 N. Broadway
Saratoga Springs, NY 12866
Phone: 518-580-5996
e-mail: mbauer@skidmore.edu

"Anyone who has never made a mistake has never tried anything new."
"We can't solve problems by using the same kind of thinking we used when we created them."
Albert Einstein

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Bohn
Sent: Friday, December 02, 2011 8:36 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Network Access Control

 

On 12/1/2011 6:32 PM, Peter P Morrissey wrote:

> The question in my mind is: Why do we need NAC? Given all the costs and headaches, both labor and vendor costs, do we really get a return on our investment that justifies it?

Aside from everything that has already been said on this subject, I can sum it up with one date: August, 2003. With most universities not having a NAC solution with any sort of remediation at that time, Blaster and Nachi crippled most university networks. Life was hell for university network managers. The NAC headaches are much less painful.

Mark…

The big reason a few years back was to ensure posture enforcement. To prevent certain older OS’s from coming on the network, making sure the systems were fully patched, enforcing antivirus with CURRENT definitions, and restricting network access by authentication policies. MAC tracking is a side-benefit but it’s really the posture/policy enforcement and network restrictions.

As time has marched on, more and more vendors are doing different aspects of this. Firewall vendors are now offering IPS and more advanced filtering capabilities to prevent viruses from spreading and even getting on campus. In the case with Aruba, as you are running their solution for wireless, 802.1x can be used with pairing ACLs to provide the network access restrictions. Windows by default will auto-install any critical patches by default now, which resolves a lot of issues of years past with network-based viruses.

So what is left for NAC to fill in? Enforcing anti(virus/spyware), firewall configurations, and minimum OS requirements. Depending on your organization’s responsibilities for support of students’ personal computers and the time taken for support, it may prove useful.

Depending on your network infrastructure and organization’s attitude to open-sourced solutions, PacketFence (www.packetfence.org) and FreeNAC (www.freenac.net) are two options which have a much cheaper upfront cost. Commercial support is available if wanted for PacketFence.

~Patrick

Patrick Goggins
Senior Systems Administrator
University of Wisconsin - Green Bay

 

 

All,

This is a really great discussion on NAC. We had the same discussion at Washington and Lee over a year ago about how we were going to handle NAC on our wired and wireless infrastructure. At that time, we were in the process of consolidating our wireless infrastructure to Aruba and had a Nortel / Avaya L3 and L2 network. We had deployed Bradford in the dorms, before I arrived, in 2005 – 2006. From what I've been told, it was extremely hit and miss. Bradford would incorrectly quarantine people and would also have trouble flipping VLANs on the older Nortel / Avaya gear. The real issue, from my perspective, was that it required so much attention – almost 1/4 FTE – to monitor and maintain the system. To be fair, the Nortel / Avaya switching gear isn't the most robust equipment known to man, and things may have been different if we had a different vendor at L2.

For us, this really came to a head after we consolidated and re-designed our Aruba wireless infrastructure. We were all thrilled with the role-based design that Aruba offered, and frankly, I thought that Bradford was going to jack it all up. We decided to scrap the NAC project for the time being and come up with some alternate solutions.

Here's our current security posture. First, we rely heavily on Netflow / J-Flow stats from our layer 3 infrastructure. We pipe all of this information to a Juniper Security Threat Response Manager that produces reports and statistics on malicious traffic on our network. Our second solution has to do with the new wireless reality. The students simply do not use the wired infrastructure. They will bend over backwards for the ease of mobility. When a student comes on our network they are presented with an open SSID and a secure, WPA2-E SSID. The student first logs into the open SSID, offers their credentials, and is redirected to Cloudpath's XpressConnect. XpressConnect will do a one time posture check on their device before they are allowed on the secure network. It can verify Windows service packs, Mac OS levels, iOS revisions, Android, Linux, you name it. We make sure that a Windows client has an up-to-date AV and an enabled firewall. For the Macs, we enable their firewall and make sure that they have an up-to-date OS revision. 

The question became, "well, couldn't they just keep logging into a portal page?" The short answer is, "Yes." The way that we were able to lead that horse to water is by blocking the following websites on our open network: Facebook, Hulu, Netflix, Twitter, Myspace and ESPN. We could have just blocked Facebook and that would have done the trick. Our stats show that we have a 96% student take rate on the secure network and a 99% take rate by the faculty / staff. The Cloudpath XpressConnect solution provides us with a "dissolvable," one-time check to make sure that all machines are up-to-date before they connect to our secure network.

At the end of the day, we still have a security issue with the amount of open wired ports on our network. I am currently evaluating Aruba's S3500 switch that could provide the same role-based access as their wireless infrastructure. I've also spoken with Impulse about their Safe Connect solution and was really impressed. I'll also re-evaluate Bradford to give them a fair shake since we're moving to a Juniper L3 and L2 infrastructure. 

-Mike

--
Mike Courtney
Network Manager
Washington and Lee University
Information Technology Services
117 Tucker Hall
Lexington, VA 24450
Office: (540)-458-8337
Cell: (540)-632-9753
Campus Extension: 8337
mcourtney@wlu.edu

From: Dennis Bohn <bohn@ADELPHI.EDU>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <NETMAN@listserv.educause.edu>
Date: Fri, 2 Dec 2011 08:36:06 -0500
To: "NETMAN@listserv.educause.edu" <NETMAN@listserv.educause.edu>
Subject: Re: [NETMAN] Network Access Control

Just a few comments/additions...

On 12/2/2011 8:54 AM, Peter P Morrissey wrote:

> we already do Critical Control 1 through 802.1x as well as other means. I don’t see a way of avoiding the need for that for a number of reasons.

Most .1x implementations are "red/green" (needs authentication/admittance vs production) but do provide basic authentication and inventory. Do you get the complete tuple of accountability (MAC, IP, physical host, switchport, userID, granted access/role, connect/disconnect times)? We have .1X on our new WPA2 wireless, but could not afford the forklift upgrade to get all of our wired ports to the same status (we are well below peer averages in network budget, most of our access layer is a decade old...)

> For staff and even now for faculty we are using AD to do all of that and more for devices that handle any sensitive information (including disk encryption).

AD certainly has its merits, but you should also consider how many credentials are leaked / stolen / phished. We have a much higher-than-I-anticipated level of phished credentials that are then turned around and used to blast spam through our authenticated gateways. If you are single signon, you are lucky that they were only used for that purpose and not something more nefarious (accident waiting for a place to happen).

> Given MAC OS and Windows have been coming with the firewall turned on by default for quite a while, I wonder if this is as important. Sure, some will turn it off, but how likely is it to have a network based attack given that most of them will likely have no inclination to go in and turn off the firewall?

Granted most network-initiated threats have subsided, with some exceptions (most recently, MS11-083). But we still see layer-2 threats (e.g., rogue DHCP intercepts, supplying MITM snooping and/or DNS redirection; a whole host of IPv6 misdirection; autodiscovery / autoconfiguration manipulation).

> I would also say plenty of individual student machines get infected in spite of having AV software running on them.

Yes, and faculty and staff ones too! Prevention is an ever-increasing challenge, and a battle that I don't think can ever be won. Post-incident detections are getting better (IPS and other tools picking up C&C or other phone-home activity of the malware), we just need the tools for isolation and/or remediation of the identified victims. NAC helps to avoid whack-a-mole (you isolate the victim, they plug in another port, move their laptop, switch to wireless, etc).

There are a number of tools that accomplish the desired results, but they are generally piecemeal. Out of that "tuple of accountability" mentioned earlier, you can easily get a few pieces of the puzzle from one source, but it is difficult to integrate/aggregate the parts (unless we dish out another truckload of cash for a SIEM solution to consolidate the bits after-the-fact).

Jeff
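
The "tuple of accountability" from the message above (MAC, IP, physical host, switchport, userID, granted access/role, connect/disconnect times), sketched as an added example that is not part of any poster's message: a join of 802.1X RADIUS accounting events with DHCP leases. The record layouts, switch names and sample data are constructed assumptions, not the output of any product named in the thread.

```python
from datetime import datetime

def ts(s):
    """Parse the timestamp format used in the constructed samples below."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data. The field layout is an assumption for this example.
# 802.1X RADIUS accounting: (time, event, user, mac, switch, port, role)
RADIUS_ACCT = [
    ("2011-12-02 09:00:00", "Start", "asmith", "00:11:22:33:44:55", "sw-dorm-a", "Gi1/0/7", "student"),
    ("2011-12-02 09:40:00", "Stop",  "asmith", "00:11:22:33:44:55", "sw-dorm-a", "Gi1/0/7", "student"),
    # Same laptop reappears on another port and lands in the quarantine role.
    ("2011-12-02 09:45:00", "Start", "asmith", "00:11:22:33:44:55", "sw-lib-2",  "Gi2/0/3", "quarantine"),
    ("2011-12-02 10:00:00", "Start", "bjones", "66:77:88:99:aa:bb", "sw-dorm-a", "Gi1/0/7", "student"),
]
# DHCP leases: (lease start, lease end, mac, ip, hostname)
DHCP_LEASES = [
    ("2011-12-02 09:00:05", "2011-12-02 09:41:00", "00:11:22:33:44:55", "10.20.0.15", "alice-laptop"),
    ("2011-12-02 09:45:04", "2011-12-02 13:45:04", "00:11:22:33:44:55", "10.99.0.8",  "alice-laptop"),
    # The address 10.20.0.15 is reissued to a different device later the same day.
    ("2011-12-02 10:00:03", "2011-12-02 14:00:03", "66:77:88:99:aa:bb", "10.20.0.15", "bob-pc"),
]

def build_tuples(acct, leases):
    """Pair Start/Stop events into sessions, then attach overlapping leases."""
    open_sessions, sessions = {}, []

    def close(key, when):
        s = open_sessions.pop(key)
        s["disconnect"] = when
        sessions.append(s)

    for when, event, user, mac, switch, port, role in sorted(acct):
        key = (mac, switch, port)
        if event == "Start":
            if key in open_sessions:      # missed Stop: end the stale session here
                close(key, ts(when))
            open_sessions[key] = {"user": user, "mac": mac, "switch": switch,
                                  "port": port, "role": role,
                                  "connect": ts(when), "disconnect": None}
        elif event == "Stop" and key in open_sessions:
            close(key, ts(when))
    sessions.extend(open_sessions.values())   # still connected

    rows = []
    for s in sorted(sessions, key=lambda s: s["connect"]):
        end = s["disconnect"] or datetime.max
        matched = False
        for l_start, l_end, mac, ip, host in leases:
            if mac == s["mac"] and ts(l_start) < end and ts(l_end) > s["connect"]:
                # The tuple is only valid while session and lease overlap.
                rows.append({**s, "ip": ip, "host": host,
                             "from": max(s["connect"], ts(l_start)),
                             "until": min(end, ts(l_end))})
                matched = True
        if not matched:                   # authenticated but never took a lease
            rows.append({**s, "ip": None, "host": None,
                         "from": s["connect"], "until": end})
    return rows

def who_had_ip(rows, ip, when):
    """Answer an abuse report: which session held this IP at this time?"""
    for r in rows:
        if r["ip"] == ip and r["from"] <= when < r["until"]:
            return r
    return None

def ports_seen(rows, mac):
    """Every (switch, port, role) a device has used, in connect order."""
    seen = []
    for r in sorted(rows, key=lambda r: r["connect"]):
        loc = (r["switch"], r["port"], r["role"])
        if r["mac"] == mac and loc not in seen:
            seen.append(loc)
    return seen

if __name__ == "__main__":
    for r in build_tuples(RADIUS_ACCT, DHCP_LEASES):
        print(r["user"], r["mac"], r["ip"], r["host"], r["switch"], r["port"],
              r["role"], r["from"], r["until"])
```

The time-bounded lookup matters because the same address maps to two different users within an hour in the sample, and `ports_seen` shows the port-hopping that the whack-a-mole remark refers to.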

Has anyone tested Microsoft’s NAP solution?  I have it running in a test environment now.

 

Jason Rinne

Systems Administrator

500 E. College Street ∙ Marshall, MO 65340

P 660-831-4088 

rinnej@moval.edu




 

Message from pt307@cam.ac.uk

On 02/12/2011 13:57, Strandskov, Mark D. wrote:

> Aside from everything that has already been said on this subject, I
> can sum it up with one date: August, 2003. With most universities
> not having a NAC solution with any sort of remediation at that time,
> Blaster and Nachi crippled most university networks. Life was hell
> for university network managers. The NAC headaches are much less
> painful.

I'd argue that designing a robust network topology -- i.e. segregating your buildings with VLANs, using security features on your access switches (DHCP snooping, ARP protection, MAC->IP binding, port isolation, etc.), and maybe throwing in a firewall with UTM features could mitigate the main threat posed by malware while reducing the NAC headaches and continuous attention they need.

We've recently done away with Bradford Campus Manager in favour of the above solution and it - coupled with a few other changes - has actually *reduced* call levels to our Helpdesk, while the network has remained rock solid and user satisfaction has been greatly increased.

But, as always, I guess YMMV.

Paul

--
Paul Townsend, Assistant Computer Officer
Homerton College, University of Cambridge

We are running it with our Aruba install on the wireless side without any issues.

 

 

~Patrick

Patrick Goggins
Senior Systems Administrator
University of Wisconsin - Green Bay

 

 

 

Message from dannyeaton@rice.edu

We use Cisco Clean Access (started with version 4.0.0.0, now running 7.8.2). Our network setup is based off network segmentation, using MPLS/VPN's, so the student network (or "resnet") is campus wide. We looked at Bradford, but they couldn't go VLAN assignment by name, which is what our design required.

We've been using Bradford Campus Manager for several years--since 2004 I think. I appreciate questioning the need for a NAC or any other technology that has been in use for a long time. I wouldn't be comfortable with doing away with a NAC solution, though I'm not a big fan of Campus Manager's performance or pricing.

I too remember August 2003, before we had NAC, and it was just horrible.  I mentioned this thread to our acting Help Desk manager over lunch.  She was of the opinion that NAC reduced the support burden on the Help Desk staff.  She also made a good point that some institutions by policy don't provide comprehensive support for personally-owned equipment, or to student computers, and that NAC may not be seen as necessary by support staff at those institutions.

Ted Fines
Macalester College

I have to second what Ted said.  We had horrid problems before we had NAC.  While one can argue that a student’s computer isn’t our problem, it can become just that if it malfunctions badly enough to create service issues for other students.  Finding a malfunctioning computer in a wireless environment, especially the old one we had a while back, was a challenge for us.   Since we’re in a rural area, and there is not a convenient PC shop nearby, we pretty much help students with everything short of hardware repairs and OS reloads.  Not being able to get past our NAC is a key reason students visit us for help.  Some express annoyance that our “stupid system” is telling them their antivirus is no good, even though they can see it’s running.  We then have to explain that the complimentary subscription they received with the machine expired (sometimes long ago) and that they aren’t getting protection from the latest badware.   We then install ESET or Security Essentials for them, and often need to do extensive delousing.  Yes, this can get time consuming, but I think it’s better for all involved.  Maybe a little more expensive, but better, and consistent with our institutional culture of supporting students in every way we can.

 

Cheers!

Charlie

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ted Fines
Sent: Friday, December 02, 2011 5:29 PM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Network Access Control

 


We use Cisco's NAC, inline mode. We installed it last year. Some of the issues I have with it are:

1) We allow students to bring in their own Access Points since we do not have wireless in the dorms. Cisco's out of band solution cannot work with this setup so we had to deploy it In Band.
2) There have been issues with the client installing on Vista and Macintosh in the past. We had to intervene and help the student install the client. These issues were eventually worked out in later code but was a pain in the ass nonetheless.
3) The client is not flexible enough. An example: I'd need it to make sure students can't bridge their wired and wireless adapters. It seems like a simple thing to check for. Cisco can't do it.

If I were to do it again, I'd look for or hold out for a clientless solution. I feel it's a little invasive to the student and there are issues related to installing the software in the first place. Maybe someone will come up with an IPS-like solution that can tell if someone has updates or AV by watching the packets. Maybe someone has already.

One thing I can be certain of is that our helpdesk calls went up since installing the NAC and we haven't even gotten to the point where we're applying any policies. We're just gathering information now in preparation for applying the policies. Next year we'll start applying the security policies.

To be honest, if there was a good commercial solution for just doing one time registrations of devices and no applying of policies, I'd probably go in that direction. I'm sure it would be a lot simpler and cheaper. If anyone knows of any, please let me know.




--
Vlade Ristevski
Network Manager
IT Services
Ramapo College
(201)-684-6854

Message from dthibeau@post03.curry.edu

Greetings members,

I'm curious to know what product folks are using for Network Access Control for student laptops/computers/handhelds. This would include products like "Sentriant", "Safe Connect", etc. I'd also be curious to hear from people who are NOT using any product to ensure student computers have up to date anti-virus, windows patches, etc.

Thanks in advance,
Dennis Thibeault, CIO
Curry College

We use Cisco Clean Access.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


As do we....

+++++++++++++++++++++++++++++
W. Lee Hisle
Vice-President for Information Services
  and Librarian of the College
Connecticut College
New London, CT
(860) 439-2650
www.conncoll.edu/is


Impulse Safe Connect

http://www.impulse.com/downloads/Dell_Impulse_Northern_AZ.pdf

Chris Michels
Director of Computing and Communication Systems
Information Technology Services, Northern Arizona University

Dennis,

We're an Enterasys shop - we use their product eNAC.

_______________________________________
Steve Swartz
Chief Information Officer & Assistant Vice President
Fitchburg State University
160 Pearl Street
Fitchburg, MA 01420-2697
Office: 978-665-4444

Dennis,

We use SafeConnect for offices, Resnet, etc. etc.  Wireless and wired.

Ken Schindler/SVSU


From: "Dennis Thibeault" <dthibeau@POST03.CURRY.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, December 7, 2011 11:28:24 AM
Subject: [CIO] Network Access Control


We’ve used Bradford Campus Manager for the past few years with mixed success. It’s very good at making sure students comply with the rules for anti-virus and windows updates but it is not very user friendly, especially for first time freshman students coming to campus every fall. In the beginning it was our policy to not allow any students on the network until their computer had all the latest updates and this was a disaster. Depending on the status of the student’s computer it would take in some cases hours for the updates to complete and resulted in our Help Desk being overwhelmed and students very frustrated. Coming to live on campus as a freshman is stressful enough and not having immediate access to internet and network services only added to the stress.

 

I would be curious to learn how others have handled residential student network access for the start of the fall semester.  Do you allow your students to ‘settle in’ and get through student orientation before forcing compliance with network access controls?  Do you phase it in over a period of time in the beginning of the semester and what types of advanced warning is given to students. 

 

Regards,

 

Rick.

 

Rick Kubb

Director of Technology Services
Maryville University
314-529-9606

Gander Hall, Room 215

rkubb@maryville.edu

 

We just had some discussion on the Netman list about NAC.  If anyone wants to peruse the archive, the thread was titled “Network Access Control” and it started on Dec 1.   At Keystone College, we use Safe Connect and require that Windows Update be turned on and an active/updated AV package exist.  There is no settling in period – students must comply from day 1.  We only relax the requirements during the summer when we have conference attendees staying on campus.  Some conference attendees bring employer-owned laptops and do not have admin rights to install the Safe Connect policy key or fix anything they might fail for.

 

Cheers!

Charlie 

 

Pretty much the same here.  We warn them and list the requirements before they come on campus – those that follow the instructions usually pass without help.  We see a lot of students in the beginning two weeks of a semester because of NAC, but many of the students that need help to pass have really out-of-date computers and no clue on how to fix them – our Mac users seem continuously surprised that there even are patches made for them…. These are all students who might have information stolen or a virus passed across if they aren’t protected, so we don’t phase it in and instead have a very busy first couple of weeks.

 

- Steve

 

We also have been using Bradford for a few years. It has resulted in good control over who is on the network and has reduced virus and malware issues for students. At first we opened it only to Symantec--which we provided. That was a LOT of work. This past year we opened it up to 8-10 common anti-virus programs as long as the version and virus definitions were up to date. That helped tame the number of assists a bit.
 
One thing we have done this year and last was to encourage incoming students to bring their laptop with them to the 2-day "Passport" session we run four times per summer. We set up a "First Aid" station in a common student area for an afternoon, and students were able to set up their wireless connections at that time so that come September it was "plug and go." We allowed parents to sit with them if they wanted--something we may change in upcoming years. We do not allow the parent to "proxy" for their son or daughter, however. The student must be present. It did help reduce the support burden for September by about 25%. (120 helped during Passport out of 495 total students assisted).
 
All of our requirements are communicated ahead of time. Perhaps a percentage of the coming students pay attention to it. During Passport we include some of this information in the student "packet," and it is distributed to parents as well at an info booth and during IT sessions for parents--the room is always packed.
 
It can be a painful process to get this done as students arrive at campus, but I think it would be way more disruptive to try to do it any time after that (like herding cats).
 
Bill

 
Bill Vriesema 
Assist. Dir. of Technology Support Services
Calvin College Information Technology
Phone: 616-526-6762
HelpDesk: 616-526-8555
Fax: 616-526-8550
bvriesem@calvin.edu
************************
certified: HDM, HDA, ITIL, A+

We are using PacketFence and have been very pleased with it.

 

Brent Harris

Associate Vice President for Information Technology

Office 254-295-4658 Fax 254-295-4221

UMHB Box 8005 900 College Street Belton, Texas 76513

 

We too have Aruba and are running SafeConnect from Impulse Point.  It's been a good fit for us for about 3 or 4 years now.

-- Scott


We run all student connection through SafeConnect--wired and wireless.

           
Rand
 
Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein

