UF Wireless Network Security Features
The wireless network at the University of Florida uses several methods to help ensure security for connected devices. Devices connecting to this wireless network will use 802.1x-based authentication, which makes authenticating to the network both more secure and easier. All communication across this network will also be encrypted with WPA2 wireless encryption to help ensure user data privacy. This network will also be policed by a Network Access Control (NAC) posture assessment system that will check user devices for security compliance before they are allowed to connect to the wireless network.
Why am I being onboarded to eduroam and not "uf"?
This is part of a long-term project to migrate all wireless devices currently on the "UF" wireless network (SSID) over to eduroam. Eduroam provides the exact same wireless experience as UF does while the device is on campus. Users will obtain IP addresses in the same range, experience the same performance, and will be placed into the same security posture while on campus. While off campus, devices which are configured for eduroam will be able to automatically connect to any of over 6000 eduroam wireless networks around the world.
During phase 1 of this project, only new devices which run through the onboarding process are being targeted to connect to eduroam. Existing wireless devices may continue to use the "UF" SSID without issue. Users are encouraged to run their existing devices through getonline to enjoy this new capability while retaining all the features of the current university wireless network.
For more information on the project, please see:
What is WPA2?
WPA2 is a standard for encrypted communication over wireless networks. WPA2 offers higher level encryption than previous standards like WEP or WPA and utilizes advanced AES-based encryption. This encrypts all communication between the computer and the wireless network.
What is 802.1x?
802.1x is a standard for exchanging secured authentication over a network. 802.1x prevents devices from connecting to a network until they have successfully been authenticated. Using 802.1x authentication also allows for automatic authentication by the device without requiring the user to manually log in every time they connect to the wireless network.
How do I configure my device for 802.1x?
Instructions for configuring your device for the campus 802.1x network are available at http://getonline.ufl.edu. Configuration for 802.1x on some devices is fairly easy and on other devices it can be somewhat involved. It is recommended that you use the auto-configuration option if possible as it takes care of several potential installation issues. There are however also manual configuration instructions available via the UF HelpDesk Wiki.
What is Cloudpath?
Cloudpath is the auto configuration tool available for configuring client devices for 802.1x. This is the tool that launches when you click "Auto Configuration" at http://getonline.ufl.edu. Once a device is successfully connected to the 'eduroam' network it should not need to be used again unless the device needs to be reconfigured or if the user's password is changed.
Do I have to run the Cloudpath configuration?
You do not have to use the Cloudpath tool to configure your device for 802.1x. It does however perform several useful functions. It eliminates common configuration mistakes. It installs the proper security certificate for the authentication servers so your client will trust the servers it authenticates with and not keep asking the user to trust them. For Windows and MacOS platforms it also installs the SafeConnect client which will be required for access through the NAC system. The Cloudpath process is also updated periodically to address device-specific configuration issues that may arise. These items can all be done separately, but the Cloudpath process allows them all to be done automatically.
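The server-certificate trust described above can be checked on a manually configured client. This added example (not UF's or Cloudpath's code) assumes a Linux client that uses wpa_supplicant and audits a constructed wpa_supplicant.conf for 802.1x profiles that do not pin the authentication server; the SSID suffixes, CA path and server name are placeholders.

```python
import re

# Constructed sample config; SSID suffixes, CA path and server name are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="eduroam-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/PLACEHOLDER-ca.pem"
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/PLACEHOLDER-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

# Any one of these options ties the certificate to the expected server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        blocks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return blocks

def audit(fields):
    """List the server-trust gaps in one 802.1x (WPA-EAP) profile."""
    if "WPA-EAP" not in fields.get("key_mgmt", ""):
        return []  # not an 802.1x profile, nothing to check
    findings = []
    if not fields.get("ca_cert"):
        findings.append("no ca_cert: the server certificate is not validated")
    if not any(fields.get(k) for k in NAME_CHECKS):
        findings.append("no server name match: any server with a certificate from the CA is trusted")
    return findings

def audit_conf(text):
    return {f.get("ssid", "?"): audit(f) for f in parse_networks(text)}
```

Pass the text of a real wpa_supplicant.conf to audit_conf() to get the findings for each profile; an empty list means the profile names both a CA and the expected server.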
What if the Cloudpath auto configuration process doesn't work?
If you are unable to use the Cloudpath configuration process for any reason you can try setting up the 802.1x configuration yourself by following the manual configuration instructions. If you are still having trouble getting 802.1x configured please contact the Help Desk.
What is NAC?
NAC stands for Network Access Control. NAC is a general term used to describe many different types of security systems that control what devices are permitted to connect to a network. Here at UF we are using a NAC system that focuses specifically on client posture assessment. Posture assessment is the process of inspecting client devices to ensure that they meet defined security requirements.
Why are we using a NAC system?
The NAC system is part of the University's effort to help keep attached computers as free as possible from viruses, spyware, and operating system security holes. This helps to maintain the security of the University network and to lower risk associated with compromised and infected computers. Machines protected in this way also generally perform much better and incur much less downtime due to damage caused by malicious software. The NAC system can help to ensure that the average user has the fastest possible browsing experience while connected to the university's network. It does this by ensuring that communication from malicious software does not flood the University's Internet connection, resulting in much slower connections for legitimate users and also by restricting certain applications that would otherwise consume an unfairly large share of the university's bandwidth, again resulting in a slower connection for the majority of users.
Who has to install the NAC Policy Key software?
The NAC system monitors all devices connected to the 'eduroam' wireless network but specifically requires that all Windows and MacOS computers have the SafeConnect Policy Key installed. The Policy Key is installed as part of the auto-configuration process at http://getonline.ufl.edu; if it is not detected as running, the user will be prompted to install the Policy Key when they connect to the 'uf' wireless network. Other operating systems like Linux, iOS, and Android are not currently required to install Policy Key software.
What is the SafeConnect Policy Key?
The Policy Key is a software agent that continuously validates that your system has the minimum security software running and up-to-date as per the university's acceptable use policy. The Policy Key will also certify that certain applications, prohibited by university policy, are not running.
Where can I find the SafeConnect Policy Key if I need to install it manually?
The SafeConnect Policy Key is installed as part of the Cloudpath auto configuration utility provided at http://getonline.ufl.edu but if you need to manually install it, it can be found at the
For Windows: ServiceInstaller.exe
For MacOS: SafeConnectMacInstaller.zip
What are the requirements being checked for?
The following items are currently being checked for:
* Windows Updates enabled and set to automatically install.
* Supported Anti-virus software installed, active, and current.
* No P2P software running (Bittorrent, Gnutella, Kazaa, utorrent, etc.)
* If installed, the current version of Adobe Flash.
* If installed, the current version of the Java browser plug-in.
* Supported Anti-virus installed, active, and current.
* No P2P software running (Bittorrent, Gnutella, Kazaa, utorrent, etc.).
The following anti-virus programs are supported:
* Microsoft (Security Essentials, SCEP & OneCare)
What if my computer fails the security checks?
If your system has been determined not to be in compliance, your computer will be "quarantined." You should also be given a message as to the reason for your failed compliance. While quarantined, you will still have access to update servers for your operating system, anti-spyware, and anti-virus software.
What is the most common problem with running the Policy Key software?
The most common problem with running the Policy Key software is firewall and anti-virus software that block the agent from running or communicating. If you have a problem getting the Policy Key to run you should allow it open access inside your firewall and anti-virus software.
How do I know the Policy Key is running?
On Windows machines with Windows 2000, Windows XP, Windows Vista or Windows 7, you can right-click any blank space on the task bar at the bottom of your screen and select the option "Task Manager". When the Windows Task Manager appears, click the "Processes" tab, and click "Show Processes from All Users". Then look for the processes "SCClient.exe" and "scManager.sys". On Macintosh OSX machines running 10.4 and later, you can open Activity Monitor and choose "Show All Processes". Then look for "SafeConnect" and "scManagerD".
Is the NAC system gathering personal information from my machine?
The Policy Key scans only for Windows update services compliance, anti-virus and anti-spyware status and certain P2P file sharing applications. No user data is collected or stored.
Can I uninstall the SafeConnect Policy Key?
You can uninstall Policy Key at any time; however, if you are connected to the campus wireless system, within minutes you will then be unable to access the Internet. You will be required to reinstall the Policy Key to regain Internet access through the campus wireless system.
What are the different wireless networks 'eduroam' and 'ufgetonline' for?
The 'eduroam' wireless network is used for general day-to-day network access. The 'ufgetonline' wireless network is only for giving users a way to onramp to the 'eduroam' network and assist in configuration to use it. It points users to the getonline.ufl.edu site for assistance with configuring their device. The 'ufgetonline' WLAN should generally only need to be used during initial setup for the 'eduroam' network. The 'ufgetonline' WLAN could however also be used to access the Cloudpath auto-configuration tool for help correcting wireless configuration issues or to reconfigure your wireless profile after a Gatorlink password change.