IT Service Status

IT Project: Campus Data Network Authentication Deployment

Project Status

July 2024: Northwestern IT is beginning a project to update campus network authentication methods over the next 18 months as part of ongoing University-wide efforts to improve our information security posture. This project implements a new authentication method for the eduroam wireless network and will deploy the technology and infrastructure needed to enable authentication on wired network ports throughout campus. Enabling network authentication will create the ability to later establish role-based access control (RBAC) for users and devices signing into the network, determined by each user's group membership and by device posture/characteristics.

Background

As Northwestern faces new security threats and additional compliance/regulatory requirements concerning information security, applying role-based network access control (RBAC) to the wired and wireless networks is critical for meeting our obligations and securing our community, data, and research. There is additional urgency to begin implementing foundational elements for role-based network access control, as our current network authentication method for the wireless network will become more challenging for our users to manage in the fall of 2024, and new research security requirements are arriving in the summer of 2025. To best secure network access at Northwestern and maximize our future ability to enable RBAC at the network level, Northwestern IT will implement a vendor-supported EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) device certificate-based authentication solution. Many higher education peers have already deployed or plan to deploy the same technology.

Benefits to the Northwestern Community

Implementing wired network authentication and standardizing the security protocol for wired and wireless access will increase the University's security posture and meet internally identified standards set by the Information Security Office (ISO). A uniform onboarding process for both managed and personal devices will also reduce troubleshooting and support efforts.

Goals and Objectives

  • Improve the campus network's overall security posture by enabling Network Authentication on wired ports.
  • Standardize EAP-TLS as the security protocol for both wired and wireless network authentication.
  • Deploy a vendor-managed Public Key Infrastructure (PKI) service for device certificate management.

Approach

The project will be delivered over an 18-month period. During the initial phase, the project team will:
  • Test and document steps needed for connecting using EAP-TLS on both wired and wireless networks.
  • Determine how certificates will be issued for managed and non-managed devices, and for shared and personal devices.
  • Configure the infrastructure and provide documentation to support devices that do not support EAP-TLS.
  • Document the support requirements and process for schools and units to transition devices to the new authentication method.


Project Timeline

| Date | Description | Status |
|---|---|---|
| Spring 2024 | Build EAP-TLS authentication environment | In-Progress |
| Summer 2024 | Begin testing/documenting EAP-TLS authentication; begin planning wired authentication rollout | In-Progress |
| Fall 2024 | Begin public communication; enable EAP-TLS to run in parallel with EAP-PEAP on eduroam | Not Started |
| January 2025 | Begin targeted deployments of wired network authentication | Not Started |
| Fall 2025 | Disable EAP-PEAP on eduroam | Not Started |