The adoption of 1:1 computing programs and online K-12 learning programs is driving an industry-wide move toward accessible network access. In East Grand Rapids Public Schools, and in school districts nationwide, requirements to provide students and teachers with easy access to online tools and the internet are paramount to creating an effective learning environment.

With today’s budget cuts, the only sustainable way to provide 1:1 computing is to allow students to bring their own computers to school. Deploying a network access control (NAC) solution that supports a multi-vendor environment, wireless and wired networks, and multiple computing device types is a necessary best practice for accomplishing this.

We talk a lot about “democratizing student access to technology” around here–letting students choose the computing platforms and learning tools that work best for them. NAC gives students access to networks and learning resources using the devices of their choice, and keeps them off restricted networks while providing the security and malware protection that prevent network outages.

At our school district, which has 2,900 students and close to 500 employees, our challenges include providing access to technology while segmenting network resources so that students do not have access to private information (such as staff and administrative data) all while managing a tight budget. Before NAC, granting individual access and appropriate privileges to printers, applications (such as Moodle educational software, our learning management system of online books and learning tools), and the internet was a constant issue.

The need for this NAC best practice grew in 2003, when a committee of students, staff, administrators, and school board members decided that the use of students’ personal devices on campus was needed, initiating what we call our “Allow Program.” At that time, before our NAC best practice was in place, securing access privileges meant that students had to fill out forms and meet with IT to evaluate their machines and discuss procedures (for example, there is no file sharing allowed). After this lengthy process, the student’s device was manually configured for access to the district’s wireless network. This took a lot of time and was a deterrent for students, and initially only 17 participants joined the program. We clearly saw that the time spent to secure access for each student’s machine was a hassle and hindered their participation.

We knew we needed to make this easier, and we had to take the IT team out of the process. I learned that a NAC solution would automate this process, and then spent time researching what would work best for our network. Among the many best practices I discovered is that a NAC solution needs to support open standards–our NAC solution could not dictate the directory services or the brands of infrastructure we use. A policy-based solution would also help with differentiating access, and deploying 802.1X WLAN security.

I initially looked at solutions from Cisco, Juniper Networks, Sophos and Symantec, but none delivered the functionality I needed. I also struggled with vendor lock-in from these solutions, since they didn’t rely on open standards. They also supported a limited number of operating systems and user device types.

I learned about Avenda Systems and its identity-aware access control platform called eTIPS at an Interop event. The Avenda platform could centrally manage policies across all access methods and frameworks, and it included the tools we needed to easily register our students and their devices. It would also work with our entire district’s existing network infrastructure, and identity stores. 802.1X security authentication and authorization mechanisms were also important.

With a NAC solution, we could see ourselves improving our security and eliminating the manual provisioning of guest access. We could see how participation in our Allow Program would increase, because students wouldn’t have to meet with the tech guys anymore.

As a result, we deployed our NAC solution, which allows us to set granular access policies for staff and students, and also guests, by identity, role, assessment of their devices, etc. The provided templates for deploying 802.1X and wireless infrastructure policies were also helpful. The NAC solution supported our mix of network components, which was critical, including Siemens wireless controllers, Enterasys LAN switches, and server platforms running Apple, Novell, Linux, Windows, and OS2 operating systems. We also support a mix of Windows, Linux, and Mac student machines.