
IT Project: Campus Data Network Authentication Deployment

Project Status

December 2024: Northwestern IT is preparing to release the onboarding process for personal (non-managed) devices to connect to the eduroam wireless network. Work is continuing with the administrators of endpoint device management systems to enable the automatic provisioning of certificates.

Background

As Northwestern faces new security threats and additional compliance/regulatory requirements concerning information security, applying role-based network access control (RBAC) to the wired and wireless networks is critical for meeting our obligations and securing our community, data, and research. There is additional urgency to begin implementing foundational elements for role-based network access control, as our current network authentication method for the wireless network will become more challenging for our users to manage in the fall of 2024, and new research security requirements are arriving in the summer of 2025. To best secure network access at Northwestern and maximize our future ability to enable RBAC at the network level, Northwestern IT will implement a vendor-supported EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) device certificate-based authentication solution. Many higher education peers have already deployed or plan to deploy the same technology.

Benefits to the Northwestern Community

Implementing wired network authentication and standardizing the security protocol for wired and wireless access will increase the University's security posture and meet internally identified standards set by the Information Security Office (ISO). A uniform onboarding process for both managed and personal devices will also reduce troubleshooting and support efforts.

Goals and Objectives

  • Improve the campus network's overall security posture by enabling Network Authentication on wired ports.
  • Standardize EAP-TLS as the security protocol for both wired and wireless network authentication.
  • Deploy a vendor-managed Public Key Infrastructure (PKI) service for device certificate management.

Approach

The project will be delivered over an 18-month period. During the initial phase, the project team will:
  • Test and document steps needed for connecting using EAP-TLS on both wired and wireless networks.
  • Determine how certificates will be issued for managed and non-managed devices, and for shared and personal devices.
  • Configure the infrastructure and provide documentation to support devices that do not support EAP-TLS.
  • Document the support requirements and process for schools and units to transition devices to the new authentication method.


Project Timeline

Date Description Status
Spring 2024
  • Build EAP-TLS authentication environment
Complete

Summer 2024

  • Renew EAP-PEAP certificate for one year
  • Begin testing/documenting EAP-TLS authentication
  • Begin planning wired authentication rollout

Complete

In-progress

Fall 2024
  • Begin public communication
  • Enable EAP-TLS to run in parallel with EAP-PEAP on eduroam 
In-progress
Winter 2025
  • Release BYOD wireless onboarding
  • Continue work with managed environments for PKI integration
In-progress
Winter/Spring 2025
  • General deployment for managed wireless devices
  • Begin targeted deployments of wired authentication
In-progress
Fall 2025
  • Disable EAP-PEAP on eduroam.
Not Started