Network Access Control (NAC) Guide

Network Access Control (NAC) is a security tool that controls how computers connect to a network. SF State protects wired network ports in public areas with NAC.

 

 

If you have other NAC-related questions, please submit a service request.


What is NAC?

Network Access Control, commonly referred to by the acronym NAC, is a security tool that controls how computers connect to a network. SF State uses NAC to authenticate all devices that connect to the campus wired network in public spaces. Please see the list of affected ports (PDF) for the full scope.

SF State uses a product called ClearPass OnGuard (with a SecureW2 installer) to implement NAC. The SecureW2 installer auto-configures your computer's network settings, and OnGuard provides the interface for logging on to the network. When connecting to the campus wired network in a public area, users need to agree to abide by the CSU's Responsible Use Directive and provide active SF State credentials (e.g., SF State ID and password).

Why has SF State implemented NAC?

During the 2015-16 campus information security audit, the unauthenticated use of the wired campus network was determined to be non-compliant with existing CSU policy. To be compliant, the campus is required to secure access to the wired network. The August 31, 2016 NAC implementation requires devices connecting to the wired network in a public area to authenticate.

Who does NAC affect?

NAC will affect only computers in public spaces. Computers that are plugged into a network jack in a public space will require the user to authenticate.

The implementation of NAC on the wired network will not affect wireless users (who already use NAC), users who connect from off campus, or devices without a logon interface (e.g., printers and laboratory sensors).

Visitors without SF State credentials can connect to the SFStateGuest wireless network.

How do I prepare for NAC?

To ensure that you will be able to successfully connect to the campus wired network from all locations, you need to install the ClearPass OnGuard agent on your computer. The SecureW2 installer automatically installs ClearPass OnGuard and applies the settings that allow for authentication.

A SecureW2 Installer for Linux is available. However, SF State can only provide limited Linux support.

Note for IT Staff: All devices with static IP addresses should have a registered DNS entry prior to NAC implementation. Unregistered addresses are likely to be re-assigned during NAC rollout.

 


FAQ

What are the NAC exceptions?

Uniprint release stations, laboratories, kiosks and physically secured locations will be excepted.


How will NAC affect laboratories and public computing spaces?

Labs will be excluded from NAC.


How often will I need to authenticate?

ClearPass OnGuard creates a session that will last for 12 hours. Re-authentication should happen automatically if the credentials used remain valid.  


When should I install ClearPass OnGuard?

The installer is currently available for download and installation. However, it is recommended that ClearPass OnGuard be installed after testing has been completed. This documentation will be updated at that time.


How do I know if my static IP has a registered DNS entry?

Please review the list of registered DNS entries (PDF). For addresses that are not listed, please use nslookup to verify. If you have further questions, please email service@sfsu.edu.


What areas will be affected by NAC?

Please review the list of affected ports (PDF) - updated 6.29.16.


Will the ports in non-public areas be affected by NAC?

At this time, the implementation of NAC is in public areas only.