When network users expect connectivity for devices ranging from personal laptops and mobile phones to gaming systems and smart refrigerators, network administrators require a solid solution for matching each device to the appropriate user, and for confirming that the device meets organizational requirements for secure connectivity. The experience of a midsize Pennsylvania college demonstrates the value of network access control (NAC) technologies in performing both of these functions.
Gettysburg College is a liberal arts school in a location imbued with historical significance. Its 225-acre campus is adjacent to the Gettysburg National Military Park, site of the famous Civil War battlefield. Many buildings on campus are historically relevant as well, but Gettysburg College is not stuck in the past. Far from it.
The school was an early adopter of wireless networking. Two decades ago, it offered wireless bring-your-own-device (BYOD) access as a selling point to attract students. Today, campus-wide Wi-Fi is less effective as a differentiator. Still, Gettysburg College strives to provide an end-user experience that stands out from the crowd.
Managing a BYOD Wireless Network in a Tourist Town
The college’s IT team works to ensure that students, faculty, staff, and parents can securely connect appropriate devices; that individuals who should not be on the network do not gain access; and that all these processes are as automated as possible.
“Gettysburg, Pennsylvania, sees tens of thousands of visitors every year,” explains the school’s Vice President of IT, Rodney Tosten. “Our campus interweaves with downtown Gettysburg, and some major roads even cross the campus. Every device in a car passing through tries to connect into our network.”
Moreover, he says, people used to park in the college’s parking lots to access the internet via its wireless network. “That raised concerns about network security,” Tosten says. “It also had implications for campus safety. We worried that free internet might be attracting people who were not necessarily healthy to have hanging around our campus.”
Finally, IT staff worried about bandwidth. “Being in a tourist town, we knew that having a wide-open network could eventually mean so many people connecting that our internet throughput would fall to pieces for the students, faculty, and staff who needed it,” Tosten says.
Leveraging FortiNAC to Implement Access Policies That Are Both Effective and Efficient
Gettysburg College has long understood these challenges. Eighteen years ago, it deployed the FortiNAC* solution. Thanks to this software, any attempt to connect a computer, tablet, or smartphone to the school’s Wi-Fi network brings up a registration page. Users who have network login credentials enter them on the registration page. The FortiNAC system confirms their identity and scans each endpoint to verify that its operating system and security software are up to date. “We will not grant people access unless the FortiNAC solution verifies that their system is updated and has antivirus protection,” Tosten says. “That ensures only secure devices connect to our network.”
Parents and visiting faculty can connect, but their access is time-limited. The FortiNAC solution maintains an inventory of their accounts. Individuals whose allocated time window has expired will no longer be allowed access. The solution also automatically removes access permissions for any device that has not connected to the network for a period of time.
“Our Wi-Fi network has more than 1,000 access points,” Tosten says. “We have 55,000 devices attempting to connect on an average day, and only about 6,500 of them should actually get in. That is a lot to manage, and two staff members are responsible for all related connectivity issues. The automation in the Fortinet solution, its scanning of devices attempting to enter the network, and its ongoing management of network inventory make it possible for such a small staff to manage our Wi-Fi.”
Allowing Only the Right Things on the Internet with FortiNAC
When students want to connect an Internet of Things (IoT) device, they must complete a manual request. The IT group routinely tests such devices to discover which work well on the network and which do not. They feed this information into the FortiNAC system.
“We test smart speakers, gaming consoles, and all the other gizmos we expect people to try to connect,” Tosten reports. “We want to make sure the devices we allow in will not consume all our bandwidth or overload our access points. If someone tries to connect a device that we do not allow, FortiNAC does not give it access.”
This approach further improves staff productivity. “It lets us have a conversation up front, rather than bogging down our helpdesk staff trying to support devices that are not going to work,” he adds. “Without a product like FortiNAC, we would not know which devices would have challenges, and figuring out connectivity problems for each individual device would be a much longer conversation.”
Acknowledging the significant improvements in staff efficiency, Tosten emphasizes that the primary benefits of the NAC system accrue to end users. “We have been using the FortiNAC solution for 18 years,” he reiterates. “Throughout that time, it has provided great security for our campus network. Without this product, Wi-Fi access would be like the Wild West. Instead, the FortiNAC system helps us make sure that everyone who is supposed to be on our Wi-Fi can connect, with healthy devices and adequate bandwidth, so that all our end users have a quality experience.”
* In 2018, Fortinet acquired Bradford Networks and its NAC solution, which was rebranded as FortiNAC.