Overview
A guest, eduroam peer, or active University Identity can authenticate on the Unified Edge Network. Today there are six standard user groups. Each group aligns to a specific security level on the Unified Edge Network:
- Untrusted (Level 1) – Guests, Conference Attendees, & Eduroam Peers
- Low Risk (Level 2) – Active University Identities
- Medium Risk (Level 3) – Active University Employee & Affiliate Identities
- High Risk (Level 4) – Limited University Identities
- Research (Level 5) – Approved University Identities
- Production Exception (Level 6) – Approved University Identities
- IT Infrastructure (Level 10) – Approved University IT Employee Identities
User authentication for the Unified Edge Network stems from NU-ITS Active Directory groups, managed by Grouper, or the Aruba ClearPass Guest database. Only real University Identities
provide security level elevation; service accounts are not supported. Guests, Eduroam peers, and other shared accounts will default to Untrusted (Level 1). This process ensures that only University Identities gain access to secure University resources with all other users receiving basic Internet access.
NU-ITS supports 802.1x authentication for standard endpoint Operating Systems including macOS, Windows, Linux, iOS, and Android. Essential onboarding guides and Network Configuration Utilities for these operating systems are available at the Network Onboarding website.
Access Policies
Users on the University network can access the resources they are entitled to consistently on wireless and wired connections without a VPN. The authenticated user (802.1x User Authentication) and their device's security posture (MAC Authentication) dynamically determine network access, not their IP address or physical location. Using both 802.1x User Authentication and MAC Authentication data, appropriate access policies are applied to separates devices into different levels by data risk, aligning with Executive Memorandum No. 42 Policy on Risk Classification and Minimum Security Standards.
Remote Access with Microsoft RDP
Remote access with Microsoft RDP does not provide the 802.1x supplicant with the information required to elevate Windows network access level at login. In situations where a user needs to use RDP to access Internal or Confidential services, a Network Authentication Request may be needed. Other connection methods such as BeyondTrust Remote Support or VNC do not require an exception because the user logs in to their local account after the initial connection, allowing the 802.1x supplicant to authenticate.
ITS recommended these configuration options to support RDP access:
- Enroll in SCCM for essential Endpoint Management Services
- Enroll in an ITS campus Active Directory
- Authenticate user sessions with an Active Directory Identity