Wireless Networking | Feature

NAC Magic at Keystone College

The right combination of wireless network hardware and network access control software has freed the IT crew at this small college to focus on user demands other than access problems.

Sometimes a technology upgrade reveals an unexpected jewel among the riches already anticipated. That happened for Keystone College when it began upgrading its wireless network in time for the start of the fall semester. The La Plume, PA institution knew it would retain technology already in use for network access control (NAC). What it didn't know was that the latest release of that software would do such amazing things in cahoots with the new access points being deployed.

Begun in residence halls and one other location on campus, the implementation upgraded the network from 802.11b to 802.11a/b/g/n using gear from Aruba, including a 3600 controller and AP-105 access points. The NAC, which controls whether users can gain access to the network through the wireless infrastructure, was Safe Connect from Impulse Point.

NAC Control Everywhere
The magic, according to Charles Prothero, CIO for the 1,700-student college, happens when his IT staff plugs in an access point anywhere on the network that now runs version 5.0 of Safe Connect. That access point tunnels back through to the Aruba controller and forces any user picking up that wireless signal to comply with whatever policies the college has set up for network access as defined in Safe Connect.

That includes offsite users too. "I could mail an Aruba access point to you, you could plug it in, and you'd have a Keystone College network in your office," said Prothero. "Your computer would be subject to the same Safe Connect enforcement I have here on campus. You'd have to use a college password and load up a policy key as if you were in a residence hall." If the user's computer doesn't comply with the policy--such as having an out-of-date anti-virus signature on the machine--the network would block the user.
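The enforcement model described above, as an added illustration that is not code from the article, Impulse Point or Aruba: the endpoint's posture (college credentials, a loaded policy key, current anti-virus signatures) decides between open and quarantined access, while the access point's physical location plays no part. The field names, the seven-day signature threshold and the sample endpoints are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed threshold for "out-of-date" signatures; not Safe Connect's real setting.
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass
class Endpoint:
    user: str
    college_account: bool          # authenticated with a college password
    policy_key_loaded: bool        # Safe Connect policy key present on the machine
    av_signature_date: Optional[date]
    ap_location: str               # where the Aruba AP sits: informational only


@dataclass
class Decision:
    access: str                    # "open" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def evaluate(ep: Endpoint, today: date) -> Decision:
    """Apply one policy whether the AP is in a residence hall or mailed offsite."""
    reasons: List[str] = []
    if not ep.college_account:
        reasons.append("no college credentials")
    if not ep.policy_key_loaded:
        reasons.append("policy key not loaded")
    if ep.av_signature_date is None:
        reasons.append("no anti-virus signature reported")
    else:
        age = today - ep.av_signature_date
        if age > MAX_SIGNATURE_AGE:
            reasons.append(f"anti-virus signature {age.days} days old")
    # ap_location is deliberately ignored: every AP tunnels to the same
    # controller, so it belongs to the same enforcement domain.
    return Decision("open" if not reasons else "quarantine", reasons)


if __name__ == "__main__":
    # Constructed sample endpoints: one compliant on campus, one stale offsite.
    today = date(2011, 3, 1)
    for ep in (Endpoint("alice", True, True, date(2011, 2, 27), "residence hall"),
               Endpoint("bob", True, True, date(2011, 1, 1), "offsite office")):
        d = evaluate(ep, today)
        print(f"{ep.user:6} @ {ep.ap_location:15} -> {d.access} {d.reasons}")
```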

Keystone has been using the NAC application from Impulse since 2009. The initial installation came about when it had to make a decision about whether or not to upgrade the NAC it had been using, Cisco Clean Access. The software version of Clean Access had come to the end of its life, and the vendor was pushing its appliance-based product. Looking to save some money and obtain better functionality, Prothero checked in with peers at other institutions. "We got some really good recommendations for Safe Connect, so we decided to dig deeper into that," he explained.

Safe Connect is delivered as a managed service. The health of the system is monitored from a support center, while the user organization, such as Keystone, uses a policy management console to control endpoint computing policies and enforcement rules.

That vendor control of the NAC doesn't worry Prothero. In fact, he said he views it as a product plus. "They do all of the maintenance on the server and even the Layer 3 switch that the server uses to monitor users and manipulate their access--i.e. quarantine or open," he said. "One might worry that such an arrangement cedes too much power to the vendor, but all NAC vendors have power over their customers because the products must be updated with some regularity in order to remain viable. Having them do it all frees us up to focus on other things that our users need."

Even without the Aruba integration, Prothero said he'd rely on the Impulse software. His IT crew found the new system easier to administer than the previous application. Plus, "Impulse does so much for you. They deliver the thing already configured. There's not much assembly required by the customer. You just set the access policies." He added that any NAC is going to require a week of testing and configuration, no matter what the product or who supplies it.

If Prothero sounds captivated with Safe Connect, he is. The previous wireless implementation used access points that had to be configured individually, acted autonomously, and frequently generated channel conflicts. Using no NAC, he said, would be unthinkable: "You'd have to hire a dozen people to chase down problem computers." So having the integration added to the feature set of the latest release has become that unexpected jewel that keeps him committed to the company and its product.

Getting the Vendor To Do the Heavy Lifting
During the summer, Impulse Point sent a senior product specialist to Keystone to implement a pre-release of version 5.0 of Safe Connect on the school's network. That's the edition that includes the Aruba integration. Why Aruba specifically and not some other hardware vendor? According to Impulse, that decision was based on customer demand for Aruba products in the higher education sector. Plus, its products take an approach to user role assignment that aligns well with Impulse's own technology architecture. Aruba also uses a policy enforcement firewall in its network controllers that allows Impulse to extend its traffic monitoring and policy enforcement functionality.

Besides the Aruba integration, the new release includes a number of other improvements. The program's policy reporting interface has been updated; enhancements have been made to profiling, policy control, and reporting for devices such as smart phones and gaming devices; access can be delegated for guest management sponsorship and emergency notification broadcasting; and Safe Connect includes support for additional Windows and Mac anti-virus products.

The new release, according to Prothero, gives a better breakdown of devices, "for example, nailing down the model of a Sony game to a PlayStation 3 instead of just reporting it as a 'Sony gaming device.'" He added, however, that he's not nearly as familiar with the operations of this NAC as he was with the Cisco one. "I spent a lot of time in it because I had to," he said. "It would deny someone access because some half-installed update got 'stuck' on their PC, and investigation in the admin console was the only way to find out why the user was having a problem. Safe Connect doesn't do that, so I rarely need to go into the console. I do it more out of curiosity to see how many devices are on the network and the breakdown by device type and operating system."

Prothero added: "NAC with policy assessment is essential for any academic network where students, employees, and visitors regularly bring in machines that are not under institutional management."

The college is only about halfway through its implementation of the new network. It'll finish the work of the upgrade during the summer of 2011.
