NETWORK NEWS

Network access control — what it is and why the U is implementing it

UIT is leading a phased project to deploy a cybersecurity solution called network access control (NAC) at the University of Utah and University of Utah Health. NAC implementation at the U has been in development since 2019.

Abraham Kololli, director, UIT Network Services

“Network access control is part of a broad security strategy at the university to ensure that our networks, computers, and data center operations are more secure,” said Abraham Kololli, director for UIT Network Services. “We are moving towards identity-based networking.”

Earl Lewis, a senior IT project manager in UIT’s Project Management Office (PMO), described NAC as “a method of improving computer and network security by requiring any device plugged into the network to be properly authorized.” NAC controls access to enterprise resources through authorization and network policy enforcement.

Devices that connect to wired network jacks will use 802.1X, an Institute of Electrical and Electronics Engineers (IEEE) certificate-based authentication standard, or MAC authentication bypass (MAB) to identify themselves on the network.

“These are technical terms for requiring a device to be properly identified before connecting to the network,” Lewis said. 

When NAC is implemented at a building on campus, Lewis said any wired device connected to a university network must be authorized to gain access to network resources. NAC protections will apply to campus and hospital networks.

What will NAC look like? Lewis explained that devices that are centrally managed by UIT, or a department’s IT team, will be configured ahead of time so that an end user connecting to a university network shouldn’t notice any change.

“Some users will need to onboard their devices through a process similar to what we use for the campus UConnect wireless network,” Lewis said. “They will visit either the site prior to NAC being activated and prepare their devices ahead of time or they may be prompted to visit a website to onboard their devices.”

UIT is pilot testing NAC implementation with a small number of campus entities, Lewis said. A primary test lab is up and running at the U’s Downtown Data Center that serves as a model configuration for a production environment. NAC pilot testing has also been completed in West Village housing, is in progress in the Office of Undergraduate Studies, and will soon include the S.J. Quinney College of Law.

“Once we are confident that we know how NAC functions for the variety of cases we have across the campus, we will start to deploy it more broadly,” Lewis said.

Added Kololli, “Network access control is very impactful, so we’d like to learn as much as possible in a lab environment and pilot use cases.”

A university-wide deployment will take place on a rolling basis, tentatively scheduled to begin in spring and summer 2024. Lewis said preparations for NAC have included updating the operating systems on more than 1,000 network switches and building out the management infrastructure. Procedural documentation for various use cases is also in the works. This documentation is intended to help local IT staff and end users onboard devices to NAC.

Last Updated: 5/29/24