Network Access Control - eNAC
Computers and networks have changed from stand-alone devices to vaults of information. The information stored on these computers and network can be valuable to not only the owners, but others with less than noble intentions. If your computer holds bank accounts, credit cards, account numbers, people can use that information for their own gain. Or your computer can be compromised and used as a distributed resource for attacking other networks.
Clayton State wants to make sure that the student information and other data we store on our servers is safe and secure. We use a Network Access Control solution, named eNAC.
Network Access Control
The Enterasys Network Access Control solution (eNAC) has been implemented to provide the University with several benefits. To keep the servers safe, we set the network up with the mindset of least-privilege required. By default the network ports do not allow access to anything.
The NAC allows you to register your machine to your userid. Now when your machine comes online anywhere on the network, you are automatically given access to the resources you need. When you disconnect, the network goes back to the default state waiting for the next person to connect.
In addition to the device registration, the eNAC solution also has an agent which runs on the end-user machine. This agent allows a deeper inspection of the device to see security settings which may not be view-able remotely. The agent can verify firewall settings, the existence of anti-virus software, how recent a machine has performed security and operating system updates. The agent reports back to the network the status of the device, which speeds up access because the network does not have to perform a slower scan of the device.
If a machine is determined to be out of compliance, then the user's web browser will be redirected to pages within the eNAC solution to allow them to self-remediate the issue. Once the issues are resolved, they will be provided network access.
The eNAC solution does not allow us to peer deep inside your computer, grab files, view browsing history or otherwise gather personal information. Only very specific checks are made such as:
- Operating System Version
- Antivirus installed
- Operating System Firewall
- If Peer-to-Peer software (EMule, Limewire,etc) are present
- Indications of the TorPig virus are present
The software may only check for registry keys, the existence of a file, and whether a certain process (program) or service is running. It is not able to open a file or upload files.
Registration and Configuration
To associate a new device with your userid, you just need to bring it online and launch a web browser. Any unregistered device will be redirected to the registration system. By following the instructions on the screen, you will be guided through the registration process. Windows and OSX based machines will be required to install the eNAC Persistent Agent to access the network. If you are not redirected automatically, you can visit https://csunac1.clayton.edu
If the device you need to register does not have a web browser or is a pain to enter data with (particularly game consoles), you can also login to the system and perform the registration manually. You will need to know the MAC address of the device you are registering. This may be called by other names, such as device ID, network address, or network card address. This is a unique identifier for the Ethernet or wireless network card on your device. It will be made up of numbers and letters A-F. There will be 6 sets of two characters, usually separated by a colon : or dash -. Sometimes they are separated by spaces or run all together. It varies by manufacturer. Examples are:
Self registration of new devices, or removal of old devices can be found at https://csunac1.clayton.edu/self_registration
Server IP Address
By default the install program for the persistent agent should know this, however If you are asked for this when installing or using the agent, use 172.25.1.160
Each connection type (wired and wireless) may need to be registered. The persistent agent tries to automatically register all connections for you when installed, however hardware being disabled for power saving and other configuration choices may not allow it to do so.
If you are inactive for more than 90 days, you will need to re-register your device.
Being redirected to the Welcome to the Network page
When Windows ans OSX start, there are a lot of software and drivers which get loaded, and this can take a little bit. This is why the system may seem to be sluggish right after logging in or a reboot. If your device tries to go out to the Internet before the persistent agent has had a chance to start and talk to the server, then you may be redirected to the start page of the NAC system. Clicking to continue will allow the system to recognize you and redirect you as needed.