Unified Student-Centric Authentication and Authorization

Nathan Wilder, Special Assistant - Technology, Office of the CIO

Upload: lionel-curtis

Post on 25-Dec-2015

Page 1: Unified Student-Centric Authentication and Authorization

Nathan Wilder, Special Assistant - Technology, Office of the CIO

Page 2: Authentication in Academia

● Students are neither public nor employees
● Faculty have difficult-to-define access needs
● General use wireless internet
● High volume non-public facility access
● Remote access is becoming critical
● Large user base relative to budget

Page 3: AUCA – Legacy Approach

● Building access: basic photo ID
● Library access: independent barcode ID
● Finance: separate ID number
● LAN: classroom and lab PCs with Active Directory
● Wireless: open WiFi with proxied web only
● Email: separate user/password
● Purchases: cash, no student banking services

Page 4: AUCA-ng (next generation)

● Unified database under SAP
● User data synced into Active Directory
● Universal ID card with RFID, bank account, VISA/MasterCard, and photo
● Two authentication paths
  – User/Password: Active Directory (LDAP, RADIUS)
  – RFID ID Card: RFID system linked to SAP and AD
● Network access using 802.1X
● Full remote access with SSL VPN

Page 5: (no text content extracted from this slide)

Page 6: Universal ID Card

● One photo ID for all ID card roles
● Linked bank account
  – Debit card with VISA/MasterCard
  – Used for campus purchases
● RFID capability
  – Building access – with security personnel
  – Room access – without personnel
  – Library
● Prepaid RFID card for long-term guests

Page 7: SAP Unified Database

● Combines previous separate DBs
  – Finance, Registrar, Library, HR, Property
● All user data stored here
  – Includes RFID code, class registrations, grades, fees owed
● Updates pushed to AD
  – AD handles password authentication
● SAP Web Portal provides student services
● Campus transactions sent to SAP by bank
● Clustered servers for redundancy

Page 8: SAP-Driven Authorization

● Builds dynamic groups in AD
  – Class groups
  – Department groups
  – Role groups: students, seniors, grad students, faculty, staff, etc.
● Granular access to services
  – Lab access to those in the department
  – After-hours lab access to faculty, seniors
  – Virtual Classroom / LMS access to class group
  – Special application access through Citrix XenApp

Page 9: Active Directory

● Provides user / password authentication
● Content updated via SAP synchronization
  – Except for passwords
● User sync and auth via LDAP
  – Adobe Connect, Email, XenDesktop
● Authentication via RADIUS
  – Device management, SSL VPN, Moodle, 802.1X, SAP
● Well established redundancy

Page 10: Wireless Access with 802.1X

● WPA2 Enterprise provides best security
● 802.1X with dynamic VLANs gives granular access control
● Guest VLAN
  – Guest SSID
  – Secure SSID authentication failure
  – Proxied web access only
● Client app to configure 802.1X on devices
● Seamless hand-off between Access Points

Page 11: Network Access Control

● Dynamic VLANs based on AD groups
● Standard ACLs for access control
  – Only IT allowed to access device management
  – Limited access to user devices
● Time-based ACLs
  – On-demand web restrictions during class time
● Granular Quality of Service (QoS)
  – Guaranteed bandwidth for administration, faculty, classes
  – Limited bandwidth for guests
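The flow the SAP-Driven Authorization, 802.1X and Network Access Control slides describe, as an added example that is not part of the original presentation and not AUCA's own code: SAP-style user records are turned into dynamic class, department and role groups; the lab and LMS rules on the slides are evaluated against those groups; the on-demand class-time web restriction is checked; and a RADIUS reply with RFC 3580 tunnel attributes selects the VLAN, with failed 802.1X falling into the guest VLAN. The sample records, group names, VLAN numbers and the after-hours window are constructed assumptions.

```python
"""Simulate SAP-driven AD groups and group-based network access decisions.

Added example; the user records, group naming, VLAN plan and policy details
are assumptions for illustration, not AUCA's configuration.
"""
from datetime import time

# Constructed sample of the user data the slides say SAP syncs into AD
# (role, department, class registrations).  Passwords are NOT part of the sync.
SAP_USERS = [
    {"uid": "s1001", "role": "senior",  "dept": "cs",   "classes": ["cs401", "math301"]},
    {"uid": "s2002", "role": "student", "dept": "econ", "classes": ["econ101"]},
    {"uid": "f0001", "role": "faculty", "dept": "cs",   "classes": ["cs401"]},
    {"uid": "g0001", "role": "guest",   "dept": None,   "classes": []},
]

# Assumed VLAN plan: the slides choose VLANs per AD group but give no numbers.
VLAN_BY_GROUP = [("role-faculty", 10), ("role-senior", 20), ("role-student", 20)]
GUEST_VLAN = 99  # proxied-web-only VLAN for guests and failed 802.1X


def build_dynamic_groups(users):
    """Derive class-, dept- and role- groups from SAP records.

    Returns {group_name: set(uids)}, the membership SAP would push into AD.
    """
    groups = {}
    for u in users:
        names = [f"role-{u['role']}"]
        if u["dept"]:
            names.append(f"dept-{u['dept']}")
        names += [f"class-{c}" for c in u["classes"]]
        for g in names:
            groups.setdefault(g, set()).add(u["uid"])
    return groups


def member_groups(groups, uid):
    """All dynamic groups a user belongs to."""
    return {g for g, members in groups.items() if uid in members}


def lab_access_allowed(groups, uid, dept, at):
    """Lab policy from the slide: department members during the day, only
    faculty and seniors after hours (08:00-18:00 day window is assumed)."""
    mine = member_groups(groups, uid)
    if f"dept-{dept}" not in mine:
        return False
    after_hours = at < time(8, 0) or at >= time(18, 0)
    if after_hours:
        return bool(mine & {"role-faculty", "role-senior"})
    return True


def lms_access_allowed(groups, uid, course):
    """Virtual classroom / LMS access is granted to the class group only."""
    return uid in groups.get(f"class-{course}", set())


def web_restricted(groups, uid, restricted_classes):
    """On-demand class-time web restriction: a user is restricted while any
    class they are registered in is on the currently restricted list."""
    mine = member_groups(groups, uid)
    return any(f"class-{c}" in mine for c in restricted_classes)


def radius_vlan_attributes(groups, uid, eap_success):
    """RFC 3580 attributes a RADIUS server returns for dynamic VLAN assignment.

    Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.  A failed 802.1X
    exchange, or a user with no mapped group, lands in the guest VLAN.
    """
    vlan = GUEST_VLAN
    if eap_success:
        mine = member_groups(groups, uid)
        for g, v in VLAN_BY_GROUP:  # first matching group wins
            if g in mine:
                vlan = v
                break
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}


if __name__ == "__main__":
    groups = build_dynamic_groups(SAP_USERS)
    for uid in ("s1001", "s2002", "f0001", "g0001"):
        print(uid, sorted(member_groups(groups, uid)),
              radius_vlan_attributes(groups, uid, eap_success=True))
    print("s1001 lab after hours:", lab_access_allowed(groups, "s1001", "cs", time(22, 0)))
    print("s2002 web restricted during cs401:", web_restricted(groups, "s2002", {"cs401"}))
```

Because the groups are rebuilt from SAP on every sync, a student who drops a class or a staff member who leaves loses the matching VLAN and lab rights automatically; the RADIUS side only ever sees the current group set, which is the point of driving authorization from the single SAP database.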

Page 12: Business Case: Features

● One user database and centralized management simplifies support
● Campus merchant fees universally enforced
● Complete user analytics
  – Financial
  – Security
  – IT resource use
  – Education resource use

Page 13: Business Case: Universal ID

Costs/Revenue                                    Current      Planned
Card issuing costs                               -$560.00     $0.00
Start-up project cost                            $0.00        -$53,000.00
Revenue to AUCA from partnering bank             $0.00        $250,000.00
Revenue from vendor transactions on campus       $0.00        $60,000.00
Total initial revenue/costs                      -$560.00     $257,000.00
Total annual revenue/costs                       -$560.00     $310,000.00

Page 14: Questions?