Cross Campus Network Upgrade & the Move to 802.1x Authentication ▶
Details
Date: Thu March 10, 2022Time: 11:30
Room: A
In December 2020, the Networks team in IT Services, Maynooth University embarked on a new project to upgrade the majority of the existing campus network infrastructure. The new Aruba CX line was chosen for this purpose, along with a commitment to rolling out 802.1x authentication for managed devices.
The benefits of the upgrade included:
•eLearning streaming tools can be used seamlessly
•802.1xsecurity model could be implemented
•greater bandwidth and throughput with increased reliability.
All buildings were surveyed and a master list was generated to highlight those that required a network upgrade to accommodate eLearning software network requirements. Despite staff members working from home, the network was very much in production, and scheduling with relevant communications for potential outages was critical. As much as possible, teaching and research had to continue uninterrupted. The project took a ‘one building at a time’ approach for configurating and migrating the new network in each building. The primary users in each building were communicated with individually when the network was being upgraded in that location. When the new Aruba CX line was fully operationally, 802.1x could then be rolled out to the corresponding building. We started with one building as a POC and collected users’ feedback to see if the implementation caused any negative user impact.
We then progressed with rolling out 802.1x to the rest of the buildings in scope. Due to the pandemic, IT Services had shifted away from its traditional device management model, as little value was had from domain joined machines being unable to talk to on-premise servers, with the user base working on these devices from home.
As a result, laptops and desktops were being provisioned using Microsoft Autopilot, allowing for ‘zero touch’ deployment, meaning the machines would then have to be managed by Microsoft Endpoint Manager (formerly Intune). This change represented a challenge not only to device management but also to the 802.1x rollout. For authentication, Aruba’s secure Network Access Control software, Clearpass, is used. Azure Active Directory/Endpoint managed machines require certificates to be issued to each machine for authentication to occur, while machines managed by Active Directory/SCCM did not.
However, in the calendar year from June 2020 to June 2021, over 1,000 machines were being managed by Endpoint– a significant proportion of our devices. Implementing a Certificate Authority for the regular issuing of certs represents quite a large overhead in terms of human and technical resources, therefore, a solution in the form of SCEPMan was used. SCEPMan is a fully unattended Certificate Authority using Azure Key Vault for Microsoft Endpoint Manager based certificate deployment. Once set up, the relevant machines are added to a group, and certs issue automatically. As a result, using a single service in Clearpass, it is now possible to allow both cloud and on-prem managed devices to have secure network access. Maynooth University is the first third level institution in Ireland to have implemented this for cloud managed devices, on this scale.