A university rolled out a wireless network but was hampered by a user-support problem...until a solution was found. Greg Masters reports.
Even Midwest campuses suffer growing pains. In the case of North Dakota State University (NDSU), the implementation of a wireless network proved beneficial in allowing students and staff to easily connect, but the increase in help-desk calls quickly grew burdensome.
NDSU has approximately 14,600 students, including undergraduate, professional and graduate students. There are more than 6,000 full-time and part-time employees at NDSU, which was founded as an agricultural college in 1890.
Its main campus is located in Fargo, N.D., with extension services and research experiment stations located all across the state. NDSU's wireless network spans two campus locations: the main campus and three additional NDSU buildings located in Fargo's downtown area. In total, NDSU's wireless is available in 89 campus buildings and two outdoor locations.
The school's information technology division has 75 staff members. Additionally, the IT division has approximately 50 student staff members who are employed through a work-based learning program that provides opportunities for NDSU students to obtain jobs in the IT field. The majority of student staff members provide walk-up customer service at the IT help desk. But, the queries coming in were becoming too much to handle.
The situation began when NDSU transitioned to Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), an open-standard EAP method that authenticates wireless clients with X.509 certificates rather than passwords, in the fall of 2009. This was done using a custom-engineered solution that issued signed certificates to individuals. Included in the solution were instructions on how to configure the various operating systems.
“This solution has served NDSU well from a technological perspective, but presented problems from a support perspective,” says Richard Frovarp, senior software engineer at NDSU. Instructions needed to be maintained by hand, weren't frequently updated and required that the user could follow the steps, he explains. On some devices, the ability to see the instructions and act on them at the same time did not exist.
“Support lines during the first few days of each academic semester were excessive, and the existing solution did not make it quick to go through the steps, even for those who knew what they were doing, such as help desk staff,” says Frovarp, who is a software engineer with system administration experience and a concentration on integration of software and systems.
The problem he and his IT team were trying to solve was the user-support problem. The desire was to provide students and staff with an easy-to-use method to install the certificates. “This would reduce support times and hopefully provide a better experience,” he says.
A previous solution for onboarding people and devices to the campus wireless network was cumbersome and required a lot of work on behalf of faculty, staff and students, says Marc Wallman, interim vice president for information technology and CIO. “Lines at our help desk would become unacceptably long during the start of semesters when we had a lot of new students trying to get devices registered on our network.”
The challenge fell to Frovarp to find a solution. After Frovarp conducted initial research to establish a list of potential solutions, he gathered a team including department leadership, network engineers, IT security, help desk staff and communications staff to continue discussions to select the best tool for the campus community.
“The number of solutions that met our goals were extremely limited,” says Frovarp. “One solution was to externalize the operating system documentation, with the hope that it would be updated more frequently if it wasn't coded into the web application.”
The existing solution used Apple network profiles, which reduced the difficulty of managing OS X and iOS, but still wasn't a perfect solution, he adds. For the Windows side, he reviewed SU1X from Swansea University and Gareth Ayres. This met the automation requirements for Windows; however, it didn't support EAP-TLS and would have required custom development to get to that step. “At that point, we'd have two custom solutions that would have to be maintained internally, at least in part,” says Frovarp.
His team also examined XpressConnect Wizard. It provided comprehensive installers and supported EAP-TLS. However, it would have required a custom back-end to serve up the certificates and do initial authentication, he says.
While NDSU was inquiring about the XpressConnect Wizard, a Cloudpath representative pointed out that the company's Enrollment System should meet all of the campus's needs. Juniper Networks offers a product that looked similar to the Cloudpath offerings; in fact, its Android client is provided by Cloudpath Networks.
The Cloudpath Enrollment System was chosen because it met more of the school's requirements than any other system, with what appeared to be a lower total cost.
The reasons, Frovarp says, are that it uses the XpressConnect Wizard, which provides support for the major operating systems; that, with the perpetual license, NDSU could host the appliance in its own data center; and that it had all of the mechanisms built in to handle EAP-TLS. Additionally, the campus could easily configure it to work with its network, it can authenticate against the campus Active Directory domains, and it has built-in support for workflow and acceptable use policy (AUP) acknowledgement.
“For cost, all of the above being built-in means that no developer time is required to build those features and maintain them as we had seen with our previous solution,” says Frovarp. “It also should reduce the support lines, allowing support personnel to help more people in the same amount of time.”
Inner workings
Within the Cloudpath XpressConnect ES, the administrator specifies the workflow and the associated policies, such as SSID, VLAN, role, etc., for each type of user and/or device, explains Kevin Koster, founder and CEO of Cloudpath Networks. “These workflows define the requirements that the user must meet to be granted access,” he says. For example, a student may be required to accept a use policy, authenticate via Active Directory, and have a firewall running. XpressConnect ES ensures the user meets these requirements, including auto-remediation of NAC checks, and then places a unique certificate on the device along with the WPA2-Enterprise SSID configuration. For most operating systems, XpressConnect ES then moves the user automatically to the secure SSID, ensuring connectivity is established.
Similar to activating an iPhone on 3G, the enrollment process is a one-time event, Koster says. From then on, the device will simply authenticate normally using the certificate and WPA2-Enterprise as it enters the range of the network. Behind the scenes, XpressConnect ES will ensure the certificate is still valid, that the user is still active in AD or LDAP, and will assign the appropriate policy, such as VLAN, ACL, or role, to the connection.
“Based on the enrollment and the use of the device over time, the XpressConnect ES maintains an association between the certificate, the user, the device, the workflow, usage, and the desired policy, providing rich insight and device-by-device control to the network administrator,” says Koster. Network administrators and help desk staff have easy visibility via the XpressConnect ES into device characteristics, such as WLAN driver and current VLAN assignment, and user characteristics, such as devices registered per user, he adds.
NDSU uses the XpressConnect ES to automate WPA2-Enterprise (802.1X) using EAP-TLS (client certificates) for simplified Wi-Fi onboarding of a variety of BYOD, laptop and mobile devices coming onto the NDSU network, Koster explains. Users are directed to the customized workflow for staff, students and faculty that takes them through an automated enrollment, configuration, and access process that does not require IT involvement.
The Cloudpath implementation also helps ensure that the certificates issued to devices support NDSU's overall risk management plans for keeping university data safe.
“It begins by keeping passwords off devices and out of the Wi-Fi association attempt,” says Koster. “With passwords increasingly being single sign-on credentials for numerous systems, the exposure of stolen credentials extends beyond unauthorized Wi-Fi access.”
With PEAP/MSCHAPv2 and TTLS/PAP, the user credentials are sent to the access point on each association attempt, Koster says. “Combine this with new operating systems that provide click-to-accept or even disabled-by-default server certificate validation, and you create an environment where both the network and the user are at risk based on the quirks of the user and/or device. With client certificates, we are able to reduce the network's risk exposure.”
The use of the certificate for Wi-Fi also reduces the political pressure to reduce the password change and complexity policies, Koster says. “Too many environments have reduced their password change policies in an attempt to make PEAP/MSCHAPv2 and TTLS/PAP more stable. By decoupling from the password, we are able to provide the desired usability without weakening security.”
Further, beyond eliminating the password, XpressConnect ES ensures each device is correctly configured, Koster says. “The most dangerous device is one that ‘works,' but does not correctly enforce server certificate validation, either through misconfiguration or the user too willingly clicking Accept. XpressConnect ES ensures that server certificate validation is correctly and consistently applied without user involvement.”
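The failure mode Koster describes, a device that "works" because the supplicant never checks who is on the other end of the TLS tunnel, is visible in the supplicant configuration itself. The script below is an added example, not code from the article, NDSU or Cloudpath: it audits a wpa_supplicant.conf (a real format; the option names ca_cert, domain_match, domain_suffix_match and subject_match are genuine wpa_supplicant parameters) and flags every 802.1X network that either sets no ca_cert at all, or sets a ca_cert but no name constraint, so that any server certificate from that CA would be accepted. The SSIDs, identities and file contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article, NDSU or Cloudpath): audit a
# wpa_supplicant.conf for 802.1X networks whose supplicant does not validate
# the RADIUS server certificate (no ca_cert) or validates it against any
# certificate the CA ever issued (ca_cert without a name constraint).
# The SSIDs and file contents below are constructed sample data.
set -eu

# audit_8021x_conf FILE: print one line per EAP network block in the form
#   <ssid> eap=<method> OK | WARN: ... | FAIL: ...
# Blocks without an eap= line (PSK or open networks) are skipped.
audit_8021x_conf() {
  awk '
    /^[[:space:]]*network=[{]/ { inblk=1; ssid=""; eap=""; ca=0; nm=0; next }
    inblk && /^[[:space:]]*[}]/ {
      if (eap != "") {
        verdict = "OK"
        if (!ca) { verdict = "FAIL: no ca_cert, server certificate is not validated" }
        else if (!nm) { verdict = "WARN: ca_cert set but no domain_suffix_match/domain_match" }
        printf "%s eap=%s %s\n", ssid, eap, verdict
      }
      inblk=0; next
    }
    inblk {
      if ($0 ~ /^[[:space:]]*ssid=/)    { ssid=$0; sub(/^[[:space:]]*ssid=/, "", ssid) }
      if ($0 ~ /^[[:space:]]*eap=/)     { eap=$0;  sub(/^[[:space:]]*eap=/, "", eap) }
      if ($0 ~ /^[[:space:]]*ca_cert=/) { ca=1 }
      if ($0 ~ /^[[:space:]]*(domain_suffix_match|domain_match|subject_match)=/) { nm=1 }
    }
  ' "$1"
}

# write_sample_conf FILE: constructed wpa_supplicant.conf with one PEAP
# network that validates nothing, one PEAP network that trusts a whole
# commercial CA, one pinned EAP-TLS network, and one PSK network (ignored).
write_sample_conf() {
  cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="campus-peap-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-peap-nomatch"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/CommercialRoot.pem"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.edu"
    ca_cert="/etc/ssl/certs/CommercialRoot.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa/jdoe.crt"
    private_key="/etc/wpa/jdoe.key"
}

network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
EOF
}

# Example run: DEMO=1 sh audit_8021x.sh
if [ "${DEMO:-0}" = 1 ]; then
  conf=$(mktemp)
  write_sample_conf "$conf"
  audit_8021x_conf "$conf"
  rm -f "$conf"
fi
```

The WARN case matters most when the trust anchor is a public commercial CA, as NDSU's was: anyone can buy a server certificate from the same CA, so without domain_match (exact) or domain_suffix_match the supplicant will happily build its tunnel to a rogue access point and, for PEAP/MSCHAPv2, hand it a credential hash. Only the EAP-TLS block, which pins both the CA and the expected RADIUS hostname and carries no password at all, passes cleanly.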
XpressConnect ES is completely WLAN neutral, says Koster, so it works consistently no matter the WLAN infrastructure. And everything that it does on Wi-Fi also applies to wired 802.1X. And it doesn't stop at the network configuration. XpressConnect ES also supports NAC compliance checks with auto-remediation, PIN lock enforcement, jailbroken-state detection, web proxy configuration, ActiveSync configuration, software installs, and more. It also contains Advanced Issue Resolution (AIR) technology to resolve many invisible issues that routinely prevent connectivity. Finally, it does this across a wider array of devices than any other solution, Koster says.
Updates are pushed in a two-tier model. Device-related updates, which are needed more often because new OS versions keep appearing, are synced from the cloud to the local server. Administrators are notified of updates via email and also through the ES Administrator UI when new updates are available. The administrator simply clicks a button to activate the new update. The update affects only the bits used to configure end-user devices. Cloudpath encourages customers to accept these updates on a regular basis to ensure new OSes are supported.
System updates, which occur less frequently, are handled in a similar format but are offered separately from the device-related updates. System updates are also applied via a button in the administrator UI. System updates include updates for all internal components of the VM, including the operating system.
Deployment went smoothly
The deployment went relatively smoothly, Frovarp adds. Final configuration of the system didn't happen until just before the start of the fall 2013 semester, giving his team little time to find any remaining problems. “The VM deployed to our VMware infrastructure cleanly. It was easy to connect to our ADs. It even included the ability to remove the @ndsu.edu that users may have put in through muscle memory, but would have caused authentication to fail. The workflow operated as expected.”
Where his team ran into the most trouble was the setup service set identifier (SSID), the onboarding network that had previously been locked down very strictly. This caused problems on the first day of mass setup. “It was known previous to the first day that we'd have to open up Google Play and Amazon App stores so that Android could get its client,” says Frovarp. “We also had to adjust the network settings for apple.com to support some quirks on Apple devices. The big one that caught us off guard was that Windows was validating our root cert in real time, and we didn't have that open on the setup SSID. All of our previous testing had been with devices that had been to one of the sites, and thus already trusted the commercial root CA we use.”
But once those problems with that SSID were fixed, everything proceeded much more quickly and without the problems he initially saw. “We are pleased with the deployment,” he says. “It continues to meet our needs, with very little time commitment on our side.”
As well, it is easy to manage and operate. “Since deploying, very little time has been put into doing anything with it at all,” he says. “About the only action that needs to be taken is to periodically redeploy with a new Wizard when Cloudpath releases an update. That requires logging in and clicking a button.”
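The surprise Frovarp describes, a client validating the RADIUS chain "in real time" over a walled-garden SSID that blocked the fetch, is predictable: the URLs a client may need are written into the certificates themselves (Authority Information Access for the issuer certificate and OCSP responder, CRL Distribution Points for the CRL). The script below is an added example, not code from the article, NDSU or Cloudpath, and assumes the openssl command-line tool is installed. It generates a throwaway CA and RADIUS server certificate carrying constructed example.net/example.edu URLs as sample input, then extracts every URL from the presented chain so the list can be permitted on the setup SSID; in production one would point chain_urls at the chain the real RADIUS server presents.

```shell
#!/bin/sh
# Added example (not from the article, NDSU or Cloudpath): list the URLs a
# client may fetch while validating the RADIUS server certificate chain
# (AIA issuer certificate, OCSP responder, CRL distribution point) so they
# can be allow-listed on a locked-down onboarding SSID.
# Assumes the openssl CLI. All hostnames below are constructed sample data.
set -eu

# make_sample_chain DIR: create a throwaway CA and a RADIUS server
# certificate carrying AIA and CRL URLs. Hypothetical names throughout.
make_sample_chain() {
  dir=$1
  cat > "$dir/server_ext.cnf" <<'EOF'
[ v3_radius ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
authorityInfoAccess = OCSP;URI:http://ocsp.ca.example.net,caIssuers;URI:http://ca.example.net/issuing.crt
crlDistributionPoints = URI:http://crl.ca.example.net/issuing.crl
EOF
  # Self-signed issuing CA (stands in for the commercial CA in production).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Campus Issuing CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # RADIUS server key and CSR, then sign it with the extensions above.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.edu" \
    -keyout "$dir/radius.key" -out "$dir/radius.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/radius.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server_ext.cnf" -extensions v3_radius \
    -out "$dir/radius.pem" 2>/dev/null
  # The chain a RADIUS server would present: leaf first, then issuer.
  cat "$dir/radius.pem" "$dir/ca.pem" > "$dir/chain.pem"
}

# chain_urls CHAIN.pem: print every http(s) URL found in the certificates'
# extensions, one per line, de-duplicated. The crl2pkcs7/pkcs7 pair is the
# standard way to get "x509 -text" output for every cert in a multi-cert PEM.
chain_urls() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -text -noout \
    | grep -Eo 'https?://[^[:space:]]+' \
    | sort -u
}

# Example run: DEMO=1 sh setup_ssid_allowlist.sh
if [ "${DEMO:-0}" = 1 ]; then
  work=$(mktemp -d)
  make_sample_chain "$work"
  echo "Permit these destinations on the setup SSID:"
  chain_urls "$work/chain.pem"
  rm -rf "$work"
fi
```

Two caveats a practitioner would add: clients also need DNS for those hostnames, and the list must be regenerated whenever the RADIUS certificate or its issuing CA changes, since public CAs rotate their intermediate certificates and the URLs move with them. Testing only from devices that have already cached the chain, as NDSU's team did, hides exactly this dependency.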
A slight bump was met when an upgrade was attempted. “We reverted to the snapshot, and we are still running an older version,” says Frovarp. A major upgrade was released a while ago, and it is NDSU's intention to move to that before fall 2014. “That upgrade should address a few of the remaining items we would like to see.”
In addition, the implementation is aiding in compliance requirements. “We needed to be able to identify who and what we're accessing using the NDSU wireless network,” says Theresa Semmens, chief IT security officer at NDSU. “It gave us the needed structure to verify compliance with state and federal regulations and institutional policy and procedure.”
The Cloudpath solution affects the entire university – faculty, staff, and students, says Wallman, who is responsible for overseeing the IT division, working with centralized and departmental information technology, and assisting university administration with technology issues.
The Enrollment System is a very capable and flexible system, adds Frovarp. “We aren't currently using many of the features it offers. However, at this point in time, it fulfills most of our needs.” The few areas of improvement would be the ability to log in with AD credentials instead of local credentials for admins, which he acknowledges was fixed in the upgrade; the option to grant help desk staff the ability to see the complete logs for a user; and the ability to allow users to download a certificate for a system that the Wizard doesn't support at this time. “This would allow us to discontinue the previous systems. It is something that is in the works and may be present in the latest major release.”
NDSU's security priorities fluctuate with current and new evolving technologies and services and the requirements for data protection that come with those technologies and services, says Semmens, who is responsible for overseeing and coordinating processes to build a university-wide information security strategy and vision, which includes security policies, procedures, risk management and assessment, and the coordination of efforts across the university. “We are continually mindful of our responsibility to protect information that traverses our wireless network and is stored on our campus servers,” she says. “Additionally, we need to meet customer expectations that are required of a research institution, and we must do so in a manner that is not inhibitive of how faculty want to conduct their research. Those expectations and needs are balanced with security standards and practices required for that technology and service.”
Because of its large data repositories, inherently fast networks, and its open nature, NDSU is susceptible to threats, admits Semmens. “As far as new threats, we are no different than any large corporation which would have vast amounts of information that can be compromised and misused.”
A version of this article appeared originally in SC Magazine's Spotlight on Education (June 2014).