Network Access Control (NAC) - OnGuard
Network Access Control (NAC) is a networking solution that controls how computers connect to the campus network. Computers that do not meet the security requirements of NAC will not be allowed to connect to the campus network. The purpose of NAC is to prevent computers that lack basic security features from accessing the campus network and placing other computers at risk of cross-contamination from worms and viruses that can permanently harm your computer and computers across the network.
The university uses a product called ClearPass OnGuard, which checks that your computer meets the requirements of NAC and manages its access to the network.
What are the requirements of NAC?
The security requirements of NAC are relatively simple. Only computers that meet the following requirements will be allowed access to the campus network:
- Running a supported operating system (Windows 8+, Mac OSX 10.12+, latest Linux versions of CentOS, Fedora, RHEL, SUSE, and Ubuntu)
- System firewall enabled
- Automatic system updates enabled and applied
- Anti-virus program installed with live protection enabled (Anti-virus Options)
Computers running Windows XP, 7, or older versions of the Mac OS will not be able to access the campus network.
*Mobile devices like iPhones, iPads, Android devices, Chromebooks, and others will not be affected by NAC.
OnGuard supported browsers
Who will NAC Affect?
Phase 1 - May 2020 - Residential Wireless (Users living in campus housing and connected to UNF-Wireless using their UNFID)
Phase 2 - December 2020 - BYOD Wireless (Users connecting to UNF-Wireless using their UNFID on a personal device)
Phase 3 - TBD - Wired Housing (All wired ports located in housing dorm rooms)
*Note that guest networks will not be affected by NAC to ensure that corporate-owned devices can still connect.
How to Connect
Connect to UNF-Wireless using your UNFID. If the network you are connected to requires NAC, you will be taken to a captive portal page that allows you to download the OnGuard agent. This small application is used to check and enforce the security requirements of computers connected to the network. The captive portal page can be found by opening a modern browser and attempting to connect to any website. (MacOS users, see note in FAQs)
Download and install the agent using the default settings. The agent should run automatically after installation; if it does not, launch the agent from the programs list. It will then check for policy compliance and report back on health status.
If your system is out of compliance, you will be placed into Quarantine and the agent will display a message stating what needs to be fixed.
Anti-Virus out of date
Question: Why are MacOS users taken to a blank page or error page after connecting and opening a browser window?
Answer: This is a known problem in later versions of MacOS with any captive portal. To resolve, connect to the network, open a browser and navigate to captive.apple.com, and click the installer under MacOS. Open the downloaded package and follow the instructions from the installer.
Question: Why does Windows SmartScreen say the OnGuard application is not trusted?
Answer: The computer is not able to connect to the SmartScreen service to validate that the application being installed is safe. You can safely click 'Run' in the warning box and continue the installation.
Question: How do I get into compliance while in Quarantine?
Answer: The quarantine network is designed to allow you to download and install OS updates, anti-virus applications, and other updates needed to get back into compliance. Out-of-date operating systems will need to be upgraded to a supported operating system, which could incur a cost from the vendor (Microsoft). Students have the option of downloading cheaper or free software like Windows 10 from the university's partner, Kivuto (link found in the portal). If additional assistance is needed, please contact the UNF Help Desk.
Question: I have Anti-Virus installed, but OnGuard is showing it is missing?
Answer: OnGuard supports a wide range of Anti-Virus applications, but not all of them. A few free options are included on the UNF Anti-Virus webpage under "Public Anti-Virus Options". Those applications have been tested and confirmed to work with OnGuard. If your version of Anti-Virus is not working with OnGuard, please install one of the confirmed working applications and try again. If additional assistance is needed, please contact the UNF Help Desk.