Deploying Secure Guest Access at the University of San Diego
At the University of San Diego (USD), while students and faculty look forward to summertime, the USD Wireless Team is working without any real breaks. The USD Wireless Team knows that summer brings more than 12,000 visitors on campus for events, sports camps, and conferences. Each year the Team is faced with a number of challenges in supporting these visitors, including providing secure wireless internet access across a campus that spans 180 acres.
The University offers a wireless network for approximately 18,000 registered users with USD credentials, which gives them access to the internet and to resources on the campus network, such as VPN access. There was also a guest network with minimal security that anyone could access by entering an e-mail address.
With this in mind, the USD Wireless Team began searching for a solution that would allow users to easily create temporary log-in accounts for its guest network. The bigger goal was to protect the guest network from anyone connecting anonymously, where there was no way to confirm their identity. They discovered that half of the users on the guest wireless network were actually students who should have been using the separate student network. The USD Wireless Team realized it needed an authentication solution that captured log-in data to track attributes such as a user's role and connection information.
Leading up to the summer of 2009, the USD Wireless Team had evaluated a number of different products to address these issues. The crucial aspect of this project initially was to identify the requirements for the University's secure wireless access system, and none of the products evaluated met the majority of their requirements.
Besides visitor bulk account and self-registration options, these requirements also included:
- Compatibility with the University's current Aruba wireless network
- Out-of-band management
- Credit card and promotional code network usage options
- Integration with its CASHNet credit card payment system
- Full redundancy/failover
- Ability to host its guest captive portal
- Built-in RADIUS
- Reporting for each user
Since the USD Wireless Team is a three-person IT team, a solution that was easy to use and required low maintenance was also a key factor in its search.
In late April 2009, the group still faced this challenge, and its goal was to have an operational system deployed by June 1. At the end of April, the Team learned about the Avenda Systems eTIPS 5000 Series identity-aware policy platform, and quickly performed several tests.
The eTIPS solution consists of a hardened network appliance, a flexible policy platform, and a built-in guest access application. It centrally manages policies for multi-vendor equipment across all access methods and supports major operating systems, managed and unmanaged endpoints, and existing identity stores. After thorough testing, the USD Wireless Team concluded that eTIPS met more requirements than the other products. They worked very closely with Avenda to customize and build a web-based self-registration tool that lets users create their own accounts and pay for the access they need.
With Avenda, they could offer self-provisioning so users could set up their own accounts without IT support. The accounts were available instantly, with no wait for IT to set them up, and could be self-provisioned on a 24/7 basis. This feature removed the Team from the log-in creation and support issues for the more than 12,000 summer visitors attending camps and conferences.
The ability to quickly deploy and integrate the Avenda platform into its existing infrastructure, including Aruba's wireless LAN and its CASHNet campus credit card payment system, made choosing eTIPS easy. The USD Wireless Team also saw that eTIPS included features that would let them expand their network access security plans across the entire campus. eTIPS was a good choice for USD because of its ease of use all around. Its intuitive web-based user interface with 3-Click help-desk navigation, policy reporting, and easy account controls made securing guest access a smooth operation for the IT Department. For users, the self-registration application meant they were able to use their guest access privileges quickly as their on-campus summer sessions began.
With eTIPS in place, USD's secure guest access system was up and running in time for the summer rush. As campus guests arrived and requested network access, they were pointed to a self-registration portal where they entered log-in credentials of their choice. Depending on their type of activity, they were asked to enter a promotional code or credit card data for payment. The University charges $5 for a day of access, $15 for a week, and $30 for a month.
Users tell the USD Wireless Team they are happy to be able to register themselves, saving them and the IT staff a large amount of time. The Avenda system also supports 802.1X authentication, so the University can extend the benefits of the eTIPS platform to internal networks for better security and an improved user experience.
Looking at the time the USD Wireless Team saved from not manually setting up guest user accounts over the summer, the Team estimates saving approximately 600 hours in staff time each year. The University has also improved network security and the visibility of traffic pattern usage, and can now respond more quickly to any user issues that come up. The Team is currently preparing to test using the eTIPS system as its main network authentication source for all network access. This is going to help the University replace a legacy system and consolidate management concerns.
In addition, with so many wireless users over the summer, the guests acted like a live test bed for the wireless network before students arrived in September. USD's guest users became more vocal about issues since they were now paying for the service. The University has very good coverage across its campus, but users found a few coverage holes in the wireless network, which the Team resolved. It was important to obtain that feedback because the USD Wireless Team is in the business of continuous improvement, and it was able to quickly resolve any issues brought to its attention.
Looking ahead, the University plans on integrating Avenda into its Cisco switched network for student and staff authentication, and eventually extending guest access to its wired network. It is also expanding the secure guest access network's support for end-user devices, such as smart phones and gaming systems, which are becoming increasingly popular on campus.
Lois Acker is a network systems architect and Charles A. Koehler is a network administrator at the University of San Diego (Calif.).