Unified Student-Centric Authentication and Authorization Nathan Wilder Special Assistant - Technology Office of the CIO.


1 Unified Student-Centric Authentication and Authorization Nathan Wilder Special Assistant - Technology Office of the CIO

2 Authentication in Academia ● Students are neither public nor employees ● Faculty have difficult to define access needs ● General use wireless internet ● High volume non-public facility access ● Remote access is becoming critical ● Large user base relative to budget

3 AUCA – Legacy Approach ● Building access: basic photo ID ● Library access: independent barcode ID ● Finance: separate ID number ● LAN: classroom and lab PCs with Active Directory ● Wireless: open WiFi with proxied web only ● Email: separate user/password ● Purchases: cash, no student banking services

4 AUCA-ng (next generation) ● Unified database under SAP ● User data synced into Active Directory ● Universal ID card with RFID, Bank Account, VISA/MasterCard, and photo ● Two authentication paths ● User/Password: Active Directory (LDAP, RADIUS) ● RFID ID Card: RFID system linked to SAP and AD ● Network access using 802.1X ● Full remote access with SSL VPN

5

6 Universal ID Card ● One photo ID for all ID card roles ● Linked bank account ● Debit card with VISA/MasterCard ● Used for campus purchases ● RFID capability ● Building access – with security personnel ● Room access – without personnel ● Library ● Prepaid RFID card for long term guests

7 SAP Unified Database ● Combines previous separate DBs ● Finance, Registrar, Library, HR, Property ● All user data stored here ● Includes RFID code, Class registrations, Grades, Fees owed ● Updates pushed to AD ● AD handles password authentication ● SAP Web Portal provides student services ● Campus transactions sent to SAP by bank ● Clustered servers for redundancy

8 SAP-Driven Authorization ● Builds dynamic groups in AD ● Class groups ● Department groups ● Role groups – students, seniors, grad students, faculty, staff, etc. ● Granular access to services ● Lab access to those in the department ● After-hours lab access to faculty, seniors ● Virtual Classroom / LMS access to class group ● Special application access through Citrix XenApp

9 Active Directory ● Provides User / Password authentication ● Content updated via SAP synchronization ● Except for passwords ● User sync and auth via LDAP ● Adobe Connect, Email, XenDesktop ● Authentication via RADIUS ● Device management, SSL VPN, Moodle, 802.1X, SAP ● Well established redundancy

10 Wireless Access with 802.1X ● WPA2 Enterprise provides best security ● 802.1X with dynamic VLANs gives granular access control ● Guest VLAN ● Guest SSID ● Secure SSID failure ● Proxied web access only ● Client app to configure 802.1X on devices ● Seamless hand-off between Access Points

11 Network Access Control ● Dynamic VLANs based on AD groups ● Standard ACLs for access control ● Only IT allowed to access device management ● Limited access to user devices ● Time-based ACLs ● On-demand web restrictions during class time ● Granular Quality of Service (QoS) ● Guaranteed bandwidth for administration, faculty, classes ● Limited bandwidth for guests
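The dynamic VLAN assignment outlined on slides 10 and 11, as an added sketch that is not part of the original presentation: a RADIUS policy step that maps a user's AD group membership to the RFC 3580 VLAN attributes returned to the access point. The group names, VLAN IDs, precedence order and the choice to put failed or unrecognised users on the guest VLAN are all assumptions made for illustration.

```python
import re

# Constructed values: the slides do not give VLAN IDs or AD group names.
GUEST_VLAN = 90
# Precedence order, most privileged first; the first matching role wins.
ROLE_VLANS = [("it-staff", 10), ("faculty", 20), ("staff", 30), ("students", 40)]

# Leading CN of an AD distinguished name, allowing backslash-escaped characters.
_CN = re.compile(r"^\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_names(member_of):
    """Return lower-cased group CNs from a list of memberOf DNs."""
    names = set()
    for dn in member_of:
        match = _CN.match(dn)
        if match:
            names.add(match.group(1).strip().lower())
    return names


def select_vlan(authenticated, member_of):
    """Pick a VLAN from AD groups, failing closed to the guest VLAN."""
    if not authenticated:
        return GUEST_VLAN  # assumed handling of a secure-SSID failure
    names = group_names(member_of)
    for role, vlan in ROLE_VLANS:
        # Exact CN match, so "it-staff" can never satisfy the "staff" rule
        # and a group merely containing "faculty" in its name grants nothing.
        if role in names:
            return vlan
    return GUEST_VLAN  # authenticated but no recognised role: least privilege


def radius_reply(authenticated, member_of):
    """Attributes an 802.1X authenticator uses for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",             # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-ID": str(select_vlan(authenticated, member_of)),
    }


if __name__ == "__main__":
    # Constructed memberOf values for a faculty member enrolled in a class group.
    sample = ["CN=Students,OU=Roles,DC=example,DC=edu",
              "CN=Faculty,OU=Roles,DC=example,DC=edu"]
    print(radius_reply(True, sample))
```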

12 Business Case: Features ● One user database and centralized management simplifies support ● Campus merchant fees universally enforced ● Complete user analytics ● Financial ● Security ● IT resource use ● Education resource use

13 Business Case: Universal ID

| Costs/Revenue | Current | Planned |
| --- | --- | --- |
| Card issuing costs | -$560.00 | $0.00 |
| Start-up project cost | $0.00 | -$53,000.00 |
| Revenue to AUCA from partnering bank | $0.00 | $250,000.00 |
| Revenue from vendor transactions on campus | $0.00 | $60,000.00 |
| Total initial revenue/costs | -$560.00 | $257,000.00 |
| Total annual revenue/costs | -$560.00 | $310,000.00 |

14 Questions?

