Network Access Control

Our IT team has been meeting regularly to determine new infrastructure projects for the year. The list includes network access control and wireless access controller systems. Our discussions reveal a common theme: how many of the components of an enterprise computer network should we acquire and maintain, considering their benefits and costs?

Network access control is currently up for consideration. Three years ago, we installed our first network access control system to bring the following benefits to our school.

Limit the campus network to known computers and users
If computers not known to the IT department get on the LAN, they may be infected with viruses or running a spambot or other malicious software. Network access control software ensures that only computers that IT manages can get on the network. They do this through different methods, including client login and MAC address filter.

Offer guests an open wireless network for Internet access
If we limit the campus LAN to known users, then we should provide an open network for parents, vendors, guests, and users’ personal wireless devices so that they may still get online. The guest network presents a welcome page (captive portal) to the user that includes terms and conditions. The guest network only provides Internet access, protecting the school’s file server, print server, and other network resources. Guests may still access the school’s websites.

Track network activity by user
Increasingly, division heads have asked us to identify one student who has bulled another student through the campus network. If users are required to log in to access the campus network, then it becomes easier to trace network activity to a specific user. We have also implemented DHCP reservations so that the IP address on record is a reliable indicator of what computer was used for each network activity. This works well for a computer with only one user and less well in shared facilities. Since client login lasts an entire day (to avoid bugging users with multiple daily login requests), users of shared computers are not required to logi in often enough to positively identify each user.

Check computers for minimum system requirements
Even computers that we manage may become infected or compromised over the course of the year. We would ideally like to keep such computers off the network in order to protect the school’s systems and to stop an infected computer from spamming the world. One method is to block computers that do not meet minimum system requirements and then provide the user with links to the necessary software updates.

Current status
We currently run a Cisco Clean Access system to provide network access control and a public wireless network. We also gained the ability to track network activity by user, except for shared computer carts and labs. Despite lots of consultant help, we had great difficulty setting it up properly to perform these two functions. On account of the effort it took to get this far, we never did implement requirements checking beyond a small test group. Now, we are required to either upgrade to a new server software version (at great expense) or move to a different system.

Requiring users to log into client software to access the wireless network has been pretty intrusive. Ideally, this would be integrated with operating system login, but we hear that this is difficult to configure in our current NAC system with Windows and not possible for our Macs. Our users do not much like the additional login window that pops up, especially when it misbehaves, and they cannot access the wireless network.

Lower-cost options
Could RADIUS meet our needs? It’s a bit more do-it-yourself than buying a NAC product, it probably would not require user login, and it would not check systems for minumum system requirements. However, it would limit the network to known computers, which would take us part of the way toward our goal.

Setting our target appropriately
How much network sophistication can a school like ours afford to purchase and maintain? In a recent survey we conducted, only one of 26 peer schools was running NAC client software to check computers for minimum system requirements. The cost and effort required may not be worth the promise of reduced workstation maintenance and a safer network. We may have discovered that enterprise-level network access control is really

We will continue our investigation of different combinations of systems that could meet our needs and stay within budget.

Comments are closed.