Unified Student-Centric Authentication and Authorization
Nathan Wilder, Special Assistant - Technology, Office of the CIO
Authentication in Academia
● Students are neither public nor employees
● Faculty have access needs that are difficult to define
● General-use wireless internet
● High-volume access to non-public facilities
● Remote access is becoming critical
● Large user base relative to budget
AUCA – Legacy Approach
● Building access: basic photo ID
● Library access: independent barcode ID
● Finance: separate ID number
● LAN: classroom and lab PCs with Active Directory
● Wireless: open WiFi with proxied web only
  ● Separate user/password
● Purchases: cash, no student banking services
AUCA-ng (next generation)
● Unified database under SAP
● User data synced into Active Directory
● Universal ID card with RFID, bank account, VISA/MasterCard, and photo
● Two authentication paths
  ● User/password: Active Directory (LDAP, RADIUS)
  ● RFID ID card: RFID system linked to SAP and AD
● Network access using 802.1X
● Full remote access with SSL VPN
Universal ID Card
● One photo ID for all ID card roles
● Linked bank account
● Debit card with VISA/MasterCard
  ● Used for campus purchases
● RFID capability
  ● Building access – with security personnel (card plus photo check)
  ● Room access – without personnel (card possession alone grants entry)
  ● Library
● Prepaid RFID card for long-term guests
SAP Unified Database
● Combines previously separate DBs
  ● Finance, Registrar, Library, HR, Property
● All user data stored here
  ● Includes RFID code, class registrations, grades, fees owed
● Updates pushed to AD
  ● AD handles password authentication
● SAP Web Portal provides student services
● Campus transactions sent to SAP by the bank
● Clustered servers for redundancy
SAP-Driven Authorization
● Builds dynamic groups in AD
  ● Class groups
  ● Department groups
  ● Role groups – students, seniors, grad students, faculty, staff, etc.
● Granular access to services
  ● Lab access to those in the department
  ● After-hours lab access to faculty and seniors
  ● Virtual Classroom / LMS access to the class group
  ● Special application access through Citrix XenApp
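The slide above describes SAP as the source of truth from which AD groups are built. The following is an added example, not AUCA's code: it derives the groups a person should hold from SAP-style records (role, department, class registrations, senior status) and computes the add/remove delta against what AD currently holds. The security-relevant detail is that membership is recomputed from SAP state on every run, so a dropped class or a departed user loses access automatically, and that only groups with a managed prefix are ever touched, so the sync can never grant or strip membership in an unmanaged group such as Domain Admins. The record fields, group naming scheme and role rules are assumptions.

```python
"""Added example (not AUCA's code): derive Active Directory group
membership from SAP records and compute the sync delta.
Record fields, group names and role rules are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Only groups with these prefixes are owned by the SAP sync; anything
# else in AD (e.g. "Domain Admins") is never added to or removed from.
MANAGED_PREFIXES = ("role-", "dept-", "class-", "lab-")


@dataclass
class SapUser:
    uid: str
    role: str                          # assumed vocabulary: student | faculty | staff
    department: str
    classes: List[str] = field(default_factory=list)
    class_year: Optional[int] = None   # students only; 4 == senior (assumption)
    active: bool = True                # False once SAP records the person as left


def desired_groups(u: SapUser) -> Set[str]:
    """Groups a user should hold, derived only from SAP state."""
    if not u.active:
        return set()                   # deprovisioned: loses every managed group
    groups = {f"role-{u.role}", f"dept-{u.department}", f"lab-{u.department}"}
    groups.update(f"class-{c}" for c in u.classes)
    if u.role == "student" and u.class_year == 4:
        groups.add("role-senior")
    if u.role == "faculty" or "role-senior" in groups:
        groups.add(f"lab-afterhours-{u.department}")   # after-hours lab access
    return groups


def compute_delta(users: List[SapUser], current: Dict[str, Set[str]]
                  ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """current maps group -> members as read from AD.
    Returns (adds, removes), each mapping group -> set of uids."""
    desired: Dict[str, Set[str]] = {}
    for u in users:
        for g in desired_groups(u):
            desired.setdefault(g, set()).add(u.uid)
    adds: Dict[str, Set[str]] = {}
    removes: Dict[str, Set[str]] = {}
    for g in set(desired) | set(current):
        if not g.startswith(MANAGED_PREFIXES):
            continue                   # unmanaged group: leave it alone
        want = desired.get(g, set())
        have = current.get(g, set())
        if want - have:
            adds[g] = want - have
        if have - want:
            removes[g] = have - want
    return adds, removes


# Constructed sample data (not real AUCA records).
SAMPLE_USERS = [
    SapUser("alice", "faculty", "CS"),
    SapUser("bob", "student", "CS", classes=["CS101"], class_year=4),
    SapUser("carol", "student", "Math", classes=["CS101", "MATH200"], class_year=2),
    SapUser("dave", "student", "CS", classes=["CS101"], active=False),
]
CURRENT_AD = {                         # stale state: dave has left, carol dropped to year 2
    "class-CS101": {"bob", "dave"},
    "role-student": {"bob", "carol", "dave"},
    "lab-afterhours-CS": {"carol"},
    "Domain Admins": {"dave"},         # unmanaged; must survive the sync untouched
}


def demo() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    return compute_delta(SAMPLE_USERS, CURRENT_AD)


if __name__ == "__main__":
    adds, removes = demo()
    for g in sorted(adds):
        print(f"add    {g}: {sorted(adds[g])}")
    for g in sorted(removes):
        print(f"remove {g}: {sorted(removes[g])}")
```

The delta is what a scheduled job would push to AD with an LDAP modify per group; running it idempotently means a second pass produces an empty delta.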
Active Directory
● Provides user/password authentication
● Content updated via SAP synchronization, except for passwords (passwords live only in AD)
● User sync and authentication via LDAP: Adobe Connect, XenDesktop
● Authentication via RADIUS: device management, SSL VPN, Moodle, 802.1X, SAP
● Well-established redundancy
Wireless Access with 802.1X
● WPA2 Enterprise: per-user 802.1X/EAP credentials and per-session keys instead of a shared passphrase
● 802.1X with dynamic VLANs gives granular access control
● Guest VLAN
  ● Guest SSID
  ● Clients that fail authentication on the secure SSID
  ● Proxied web access only
● Client app to configure 802.1X on devices; the profile should pin the RADIUS server certificate so supplicants do not hand credentials to a rogue AP
● Seamless hand-off between access points
Network Access Control
● Dynamic VLANs based on AD groups
● Standard ACLs for access control
  ● Only IT allowed to access device management
  ● Limited access to user devices
● Time-based ACLs
  ● On-demand web restrictions during class time
● Granular Quality of Service (QoS)
  ● Guaranteed bandwidth for administration, faculty, classes
  ● Limited bandwidth for guests
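The two slides above (802.1X with dynamic VLANs, and ACLs keyed on those VLANs) describe one mechanism end to end. The following is an added example, not AUCA's configuration: it builds the RFC 3580 tunnel attributes a RADIUS server returns on Access-Accept to place a client in the VLAN of its most privileged AD role group, shows the access point's fallback to the guest VLAN when the EAP exchange fails (the Access-Reject itself carries no VLAN; the guest placement is a NAS-side feature), and evaluates a first-match ACL that includes a time-windowed class-time web restriction. VLAN numbers, group names, zone names and the class-time window are assumptions.

```python
"""Added example (not AUCA's configuration): dynamic VLAN assignment from
AD groups via RFC 3580 RADIUS attributes, NAS fallback to a guest VLAN on
802.1X failure, and first-match ACLs with a time window.  VLAN numbers,
group names, zones and the class-time window are assumptions."""
from typing import Dict, List, Optional, Set, Tuple

VLAN_ID = {"mgmt": 10, "faculty": 20, "student": 30, "guest": 99}   # assumed plan
VLAN_NAME = {v: k for k, v in VLAN_ID.items()}

# Most privileged role wins; order matters because a faculty member can
# also sit in class groups, and a student must never inherit "faculty".
GROUP_TO_VLAN: List[Tuple[str, str]] = [
    ("role-it", "mgmt"),
    ("role-faculty", "faculty"),
    ("role-staff", "faculty"),
    ("role-student", "student"),
]


def radius_reply(authenticated: bool, groups: Set[str]) -> Optional[Dict[str, str]]:
    """Attributes the RADIUS server returns in Access-Accept.
    A failed EAP exchange is an Access-Reject (None) and never carries a
    VLAN of its own; an authenticated user with no known role is also
    rejected rather than silently landing somewhere."""
    if not authenticated:
        return None
    for group, vlan in GROUP_TO_VLAN:
        if group in groups:
            return {
                "Tunnel-Type": "VLAN",              # RFC 3580 value 13
                "Tunnel-Medium-Type": "IEEE-802",   # RFC 3580 value 6
                "Tunnel-Private-Group-Id": str(VLAN_ID[vlan]),
            }
    return None


def nas_vlan(reply: Optional[Dict[str, str]]) -> str:
    """What the AP/switch does with the reply: honour the assigned VLAN,
    or drop the client into the guest VLAN when authentication failed
    (the slides' 'secure SSID failure -> guest VLAN' path)."""
    if reply is None:
        return "guest"
    return VLAN_NAME[int(reply["Tunnel-Private-Group-Id"])]


# First-match ACL entries: (src VLAN name or "any", dst zone or "any",
# action, optional active window as zero-padded ("HH:MM", "HH:MM")).
ACL = [
    ("mgmt",    "device-mgmt",  "permit", None),
    ("any",     "device-mgmt",  "deny",   None),               # only IT reaches management
    ("mgmt",    "user-devices", "permit", None),
    ("any",     "user-devices", "deny",   None),               # no lateral access to user devices
    ("student", "web",          "deny",   ("09:00", "10:30")), # class-time web restriction (assumed window)
    ("guest",   "web-proxy",    "permit", None),
    ("guest",   "any",          "deny",   None),               # guests get proxied web only
    ("any",     "any",          "permit", None),
]


def permits(src_vlan: str, dst_zone: str, now: str) -> bool:
    """Evaluate the ACL first-match for a flow; `now` is zero-padded HH:MM,
    which makes the window check a plain string comparison."""
    for src, dst, action, window in ACL:
        if src not in ("any", src_vlan) or dst not in ("any", dst_zone):
            continue
        if window and not (window[0] <= now <= window[1]):
            continue                   # time-based entry inactive outside its window
        return action == "permit"
    return False                       # implicit deny at the end of the list


if __name__ == "__main__":
    for ok, grp in [(True, {"role-faculty", "class-CS101"}),
                    (True, {"role-student", "class-CS101"}),
                    (False, {"role-student"})]:
        print(ok, sorted(grp), "->", nas_vlan(radius_reply(ok, grp)))
    print("student -> web at 09:30:", permits("student", "web", "09:30"))
```

In FreeRADIUS terms the three attributes are what the post-auth policy sets per group; the guest-VLAN-on-failure behaviour is configured on the controller or switch, not on the RADIUS server, which is why the two are kept in separate functions here.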
Business Case: Features
● One user database and centralized management simplifies support
● Campus merchant fees universally enforced
● Complete user analytics
  ● Financial
  ● Security
  ● IT resource use
  ● Education resource use
Business Case: Universal ID Costs/Revenue

Item                                         Current     Planned
Card issuing costs                           -$560.00    $0.00
Start-up project cost                        $0.00       -$53,
Revenue to AUCA from partnering bank         $0.00       $250,
Revenue from vendor transactions on campus   $0.00       $60,
Total initial revenue/costs                  -$560.00    $257,
Total annual revenue/costs                   -$560.00    $310,000.00
Questions?