Q1: What is Campus Manager?
Campus Manager is a user-focused, network-based NAC solution
that automates identity management, endpoint compliance, and
usage policy enforcement for educational environments.
Q2: Where does this “fit” into my network?
Anywhere Campus Manager can “see” and communicate
with all of the switches.
Q3: How is Campus Manager different from other NAC products
on the market today?
Campus Manager delivers all three components of network
access control – identity management, endpoint compliance,
and usage policy enforcement – regardless of the kind
of network connection (wired, wireless, or VPN). In addition,
the solution works in multi-vendor and multi-platform environments,
allowing organizations to leverage all past and current infrastructure
investments.
Unlike Campus Manager and its comprehensive feature set,
many of the NAC offerings on the market today are point solutions
that deliver one or two components of network access control.
Q4: How does Campus Manager recognize and manage specific
users and devices?
A: Campus Manager requires all users to register prior
to allowing them access to the network, providing an invaluable
tool for network administration staff. Among other things,
the registration process helps to:
- Control network access for wired, VPN and wireless users
- Assist in tracking all users by location, name or address (MAC
  or IP)
- Provide role-based access and levels of service via dynamic
  VLAN assignment
Implementing a user registration and authentication policy
across the network ensures each device has appropriate ownership
assigned. Each user is required to register their hardware
before gaining access to the network, which provides an added
level of security and control.
Users are prompted for user identification credentials
via a friendly web browser interface. The user is typically
presented with several screens, which they quickly scroll through.
In addition to being prompted for credentials, many administrators
post acceptable use policy information for the user to review
and accept before completing the registration process.
Q5: How do I know who is online if students don’t
have their own computers, if they are all school-owned?
A: If your system has an LDAP-accessible authentication
system in place that requires everyone to log on to a computer
before they begin using it, then Campus Manager can receive
traps from that system and use them to track who is on the network.
Q6: What type of information does Campus Manager collect
about users and devices?
A: The system gathers comprehensive data on the machine,
MAC and IP addresses, time-of-day, user identity and location
to make intelligent decisions. By effectively associating the
device with the specific user and location, Campus Manager
makes intelligent decisions to guard the network. Is the user
recognized? What level of access are they allowed? Are they
authorized to access specific services from their location?
Q7: How can I force students to register their computers?
There are two ways. First, Campus Manager identifies a rogue client
as any MAC address on the system that is not registered to
a name. You can disable all rogue clients, thereby forcing
students to register or never use the network. Second, in a VLAN
environment and with our Dynamic VLAN switching tool, Campus
Manager can be configured to switch all unregistered MAC addresses
to a dead-end VLAN which the IT director can set up. Schools
using this solution now send rogues to a VLAN that allows them
to reach only the registration page, where they can register with
the system or get off the network.
Q8: How does Campus Manager handle different types of users?
Campus Manager uses both persistent and dissolvable agents
during the registration process and to assess endpoint compliance.
Students, staff and professors, for example, will be required,
as part of compliance, to install the persistent agent on their
devices. Campus visitors would be identified by the system
as “unrecognized users” and will have a dissolvable
agent pushed to their device to establish identity and compliance.
Q9: What type of data does Campus Manager check for endpoint
compliance?
Campus Manager gathers data on anti-virus and anti-spyware
software and versions, operating systems, required applications
(such as firewalls), and prohibited applications.
Q10: What methods are used to isolate non-compliant
machines?
Campus Manager can take a number of different isolation
actions, including:
- VLAN-based isolation provides true network isolation for different
  ports on the same switch. Campus Manager can assign one VLAN
  to machines that have not yet been authenticated, another to
  devices known to be compromised, and another to machines that
  are approved for access.
- IP-based isolation is similar, but assigns devices to different
  logical networks. DHCP servers can be used to assign machines
  into the different pre-registration, remediation, or public
  networks.
- Role-based isolation makes access decisions based upon
  identity and specific roles.
A captive portal makes decisions about where to send specific
users and/or devices, determining to which internal or external
networks the host can connect. No matter which internal or
external network the machine can access, all users see the
same, consistent captive gateway, regardless of access process.
Q11: Does Campus Manager offer self-remediation for non-compliant
machines?
Yes. If a user’s device is found to be running an
older version of the required anti-virus, for example, they
will be taken to a screen where they are informed of the problem
and prompted to download the latest version. Once that is done,
the system again checks for compliance, and once it returns
a “Success” message, the user is allowed access
to the network.
Q12: Our students move between wired and wireless connections
constantly. Does this mean that they will need to go through
a lengthy authentication process each time they switch?
Campus Manager is connection-independent and ensures a
consistent user experience across connection types (wired to
wireless, for example). A device validated by Campus Manager
for wired access does not have to be re-validated if the interface
it’s connecting through differs from the one it used
when it first accessed the network. Campus Manager is intelligent
enough to differentiate between a device and a MAC address
and to correlate device information, when necessary, to prevent
duplicate testing. This process minimizes network authentication
while eliminating the unnecessary step of asking users to be
validated again if they switch their connection interface from
wired to wireless.
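The decision flow described in Q7, Q10 and Q12, sketched as an added example (this is not Campus Manager code): unregistered MACs go to a registration VLAN, registered but non-compliant devices go to remediation, and compliant devices get their role's VLAN, with all interfaces of one machine sharing a single device record. The VLAN IDs, role names and the Registry, Device and assign_vlan names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed VLAN IDs for illustration; a real deployment defines its own.
VLAN_REGISTRATION = 900   # dead-end VLAN: registration page only
VLAN_REMEDIATION = 910    # registered but failing endpoint compliance
ROLE_VLANS = {"student": 100, "staff": 200, "guest": 300}


def normalize_mac(raw):
    """Canonicalize aa:bb:.., AA-BB-.. and aabb.ccdd.eeff to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


@dataclass
class Device:
    owner: str
    role: str
    macs: frozenset          # every interface of one machine (wired, wireless)
    compliant: bool = False  # outcome of the last endpoint scan


class Registry:
    def __init__(self):
        self._by_mac = {}

    def register(self, owner, role, macs):
        dev = Device(owner, role, frozenset(normalize_mac(m) for m in macs))
        for mac in dev.macs:
            self._by_mac[mac] = dev   # all interfaces share one device record
        return dev

    def lookup(self, mac):
        return self._by_mac.get(normalize_mac(mac))


def assign_vlan(registry, mac):
    """Return (vlan_id, reason) for a MAC address seen on a switch port."""
    dev = registry.lookup(mac)
    if dev is None:                   # rogue: MAC not registered to a name
        return VLAN_REGISTRATION, "rogue"
    if not dev.compliant:             # scanned once per device, not per MAC
        return VLAN_REMEDIATION, "non-compliant"
    if dev.role not in ROLE_VLANS:    # unknown role: fail closed
        return VLAN_REGISTRATION, "unknown-role"
    return ROLE_VLANS[dev.role], f"role:{dev.role}"
```

The sketch assumes the switch reports the true MAC address; because a MAC is supplied by the client, the decision is only as strong as the binding established at registration.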