Unified Student-Centric Authentication and Authorization
Nathan Wilder, Special Assistant - Technology
Office of the CIO
Authentication in Academia
● Students are neither public nor employees
● Faculty have difficult-to-define access needs
● General-use wireless internet
● High-volume non-public facility access
● Remote access is becoming critical
● Large user base relative to budget
AUCA – Legacy Approach
● Building access: basic photo ID
● Library access: independent barcode ID
● Finance: separate ID number
● LAN: classroom and lab PCs with Active Directory
● Wireless: open WiFi with proxied web only
● Email: separate user/password
● Purchases: cash, no student banking services
AUCA-ng (next generation)
● Unified database under SAP
● User data synced into Active Directory
● Universal ID card with RFID, bank account, VISA/MasterCard, and photo
● Two authentication paths
  – User/Password: Active Directory (LDAP, RADIUS)
  – RFID ID Card: RFID system linked to SAP and AD
● Network access using 802.1X
● Full remote access with SSL VPN
Universal ID Card
● One photo ID for all ID card roles
● Linked bank account
● Debit card with VISA/MasterCard
  – Used for campus purchases
● RFID capability
  – Building access, with security personnel
  – Room access, without personnel
  – Library
● Prepaid RFID card for long-term guests
SAP Unified Database
● Combines previously separate DBs
  – Finance, Registrar, Library, HR, Property
● All user data stored here
  – Includes RFID code, class registrations, grades, fees owed
● Updates pushed to AD
● AD handles password authentication
● SAP Web Portal provides student services
● Campus transactions sent to SAP by bank
● Clustered servers for redundancy
SAP-Driven Authorization
● Builds dynamic groups in AD
  – Class groups
  – Department groups
  – Role groups: students, seniors, grad students, faculty, staff, etc.
● Granular access to services
  – Lab access for those in the department
  – After-hours lab access for faculty and seniors
  – Virtual Classroom / LMS access for the class group
  – Special application access through Citrix XenApp
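An added example (not from the deck, and not AUCA's actual code or schema) of the SAP-driven group logic described above: deriving class, department and role groups from a constructed SAP record, computing the add/remove delta so AD converges to SAP's view rather than only accumulating memberships, and applying the lab-access rule. The field names, the group-naming scheme and the senior credit threshold are assumptions.

```python
"""Derive Active Directory dynamic groups from an SAP person record.

Added example. The SapPerson fields, the group-naming scheme and
SENIOR_CREDITS are constructed assumptions, not the deck's real schema.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SENIOR_CREDITS = 90  # constructed threshold for the "seniors" role group


@dataclass
class SapPerson:
    person_id: str
    role: str                      # "student", "grad", "faculty", "staff"
    department: str
    class_codes: list[str] = field(default_factory=list)
    credits_completed: int = 0


def derive_groups(p: SapPerson) -> set[str]:
    """Build the dynamic group set SAP pushes into AD for one person."""
    groups = {f"role-{p.role}", f"dept-{p.department}"}
    groups |= {f"class-{c}" for c in p.class_codes}
    if p.role == "student" and p.credits_completed >= SENIOR_CREDITS:
        groups.add("role-senior")
    return groups


def diff_groups(current: set[str], desired: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, to_remove) so AD converges to SAP's view.
    Stale memberships (e.g. a dropped class) are removed, not just added to."""
    return desired - current, current - desired


def lab_access_allowed(groups: set[str], department: str, after_hours: bool) -> bool:
    """Lab policy from the deck: department members during the day;
    only faculty and seniors after hours."""
    if f"dept-{department}" not in groups:
        return False
    if after_hours:
        return bool(groups & {"role-faculty", "role-senior"})
    return True
```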
Active Directory
● Provides user/password authentication
● Content updated via SAP synchronization
  – Except for passwords
● User sync and auth via LDAP
  – Adobe Connect, Email, XenDesktop
● Authentication via RADIUS
  – Device management, SSL VPN, Moodle, 802.1X, SAP
● Well-established redundancy
Wireless Access with 802.1X
● WPA2 Enterprise provides the best security
● 802.1X with dynamic VLANs gives granular access control
● Guest VLAN
  – Guest SSID
  – Secure SSID authentication failure
  – Proxied web access only
● Client app to configure 802.1X on devices
● Seamless hand-off between access points
Network Access Control
● Dynamic VLANs based on AD groups
● Standard ACLs for access control
  – Only IT allowed to access device management
  – Limited access to user devices
● Time-based ACLs
  – On-demand web restrictions during class time
● Granular Quality of Service (QoS)
  – Guaranteed bandwidth for administration, faculty, classes
  – Limited bandwidth for guests
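An added example (not from the deck) of the network-side decisions in the 802.1X and Network Access Control bullets above: choosing the dynamic VLAN from AD group membership (most privileged match first, guest VLAN as the fall-through), emitting the RFC 3580 tunnel attributes a RADIUS server returns to place the client in that VLAN, and applying a time-based web restriction while a user's class is in session. The group names, VLAN numbers and timetable are constructed assumptions.

```python
"""Dynamic VLAN and time-based restriction decisions for an 802.1X user.

Added example. VLAN_BY_GROUP, GUEST_VLAN and CLASS_SLOTS are constructed
values, not the deck's real configuration.
"""
from datetime import time

# Ordered most-privileged first: a user in several groups lands in the
# first matching VLAN. Device-management VLAN is reachable only by IT.
VLAN_BY_GROUP = [
    ("role-staff-it", 10),
    ("role-faculty", 20),
    ("role-staff", 30),
    ("role-student", 40),
]
GUEST_VLAN = 99  # proxied-web-only VLAN for guests and failed secure-SSID auth


def assign_vlan(ad_groups: set[str]) -> int:
    """Pick the VLAN to push back in the RADIUS Access-Accept."""
    for group, vlan in VLAN_BY_GROUP:
        if group in ad_groups:
            return vlan
    return GUEST_VLAN


def radius_reply(vlan: int) -> dict:
    """RFC 3580 tunnel attributes an 802.1X switch or controller reads
    to place the authenticated port/client into a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


# Constructed timetable: class group -> [(weekday 0=Mon, start, end), ...]
CLASS_SLOTS = {"class-cs101": [(0, time(9, 0), time(10, 30))]}


def web_restricted(ad_groups: set[str], weekday: int, now: time) -> bool:
    """On-demand web restriction while one of the user's classes is in
    session; faculty are exempt so they can run the class."""
    if "role-faculty" in ad_groups:
        return False
    for group in ad_groups:
        for day, start, end in CLASS_SLOTS.get(group, []):
            if day == weekday and start <= now < end:
                return True
    return False
```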
Business Case: Features
● One user database and centralized management simplifies support
● Campus merchant fees universally enforced
● Complete user analytics
  – Financial
  – Security
  – IT resource use
  – Education resource use
Business Case: Universal ID
| Costs/Revenue | Current | Planned |
|---|---|---|
| Card issuing costs | -$560.00 | $0.00 |
| Start-up project cost | $0.00 | -$53,000.00 |
| Revenue to AUCA from partnering bank | $0.00 | $250,000.00 |
| Revenue from vendor transactions on campus | $0.00 | $60,000.00 |
| Total initial revenue/costs | -$560.00 | $257,000.00 |
| Total annual revenue/costs | -$560.00 | $310,000.00 |
Questions?