Wi-Fi Network Access Control (NAC) Replacement Project

  Check Back Soon for More FAQs

The project team will continue to add FAQs and update project details as work progresses.

 
 

Overview

The objective of this project is to investigate, test, purchase and deploy a new enterprise network access control (NAC) solution for Wi-Fi that will replace the existing NAC solution, as well as the existing UCB Wireless and UCB Guest Wi-Fi networks. The eduroam Wi-Fi network will not be affected.

The new NAC solution will have:

A robust and scalable architecture for higher education
A single interface for system administration, reporting and troubleshooting
Alignment with the secure computing project and compatibility with OIT Security's cybersecurity tools

Additional features specific to the primary Wi-Fi network (currently UCB Wireless):

  1. An optimized end-user experience, including smoother onboarding of personally owned devices
  2. IdentiKey-based login and authentication
  3. Enterprise-grade encryption for authorized users
  4. Secure onboarding of business-critical internet of things (IoT) devices used by university business units or research
  5. Better integration with CU Boulder's secure computing standard for computers

Additional features specific to the secondary Wi-Fi network (currently UCB Guest):

  1. Better authentication and audit trail for users who register on campus's secondary Wi-Fi network
  2. Self-enrollment of gaming consoles, smart TVs and other consumer headless Wi-Fi devices
  3. An option for conference or event organizers with an IdentiKey to create temporary guest accounts for attendees in advance of the event
  4. The ability for IdentiKey users to use the secondary network to download the primary network's registration app
 

Project timeline

  • March/April 2025: Confirm and prioritize business and technical requirements.
  • April 2025: Select the vendors and provisionally purchase solutions based on campus standards. Backout will be possible if the agreed-upon success conditions are not met.
  • May–August 2025: Perform lab proof-of-concept testing in the Computing Center (COMP) building to evaluate the workflow for each use case and the configuration's compatibility with OIT systems.
  • May–September 2025: Prepare for live proof-of-concept testing.
  • October–December 2025: Perform live proof-of-concept testing in select campus buildings.
    • Finalize the wired and Wi-Fi network configuration for full-campus deployment, including SSID renaming and contingency planning.
    • Complete training on system operations, troubleshooting and provisioning.
    • Finalize the incident management framework.
    • Publish documentation for end users.
    • Plan and send communications to help end users onboard their devices to the campus Wi-Fi networks.
  • January 2026: Deploy the new Wi-Fi NAC system campuswide. Replace UCB Wireless and UCB Guest with the new Wi-Fi networks.
 

Why is this project needed?

The current NAC solution, deployed in 2023, was a stopgap measure to quickly address incompatibilities between the previous NAC and the secure computing initiative.

OIT has identified multiple issues with the current NAC solution that are addressed in the project requirements, including:

  • Issues with network registration stability
  • Reliance upon Wi-Fi MAC addresses for authentication
  • Lack of encryption for UCB Wireless
  • Insufficient auditing tools for UCB Guest
  • Inability for users to self-enroll consumer headless Wi-Fi devices
 

How will this affect me?

Proof-of-Concept Testing (April–Dec. 2025)

The existing campus Wi-Fi networks, UCB Wireless and UCB Guest, will remain available to campus users throughout testing. Everyone will be encouraged to register on the new networks but will only be able to access them from an active proof-of-concept building.

Registering on the Primary Network

The campus's primary Wi-Fi network (currently UCB Wireless) is configured for daily use by CU Boulder faculty, staff and students.

On the new NAC solution, IdentiKey users will need to complete a one-time download of the Wi-Fi registration app on each of their devices (e.g., laptop, smart phone), then log in using their IdentiKey credentials.

Reauthentication will be required relatively rarely; the exact timing will be determined over the course of the project.

Registering on the Secondary/Guest Network
Guest Self Enrollment

On the new NAC solution, guests will need to complete a brief registration form to receive a temporary username and password. Reauthentication will be required relatively frequently; the exact timing will be determined over the course of the project.

Guest Bulk Enrollment

A conference or event organizer with an IdentiKey will have the option to create and distribute temporary guest accounts for attendees in advance of the event.

Personally Owned Device Enrollment

Students, faculty and staff will have the ability to self-register any personally owned "headless" devices, like gaming consoles, smart TVs and smart home devices. Right now, users have no way to enroll these devices themselves. Instead, they have to look up the device's Wi-Fi MAC address and submit a request to the IT Service Center to manually enroll the device on the campus Wi-Fi network.

Campuswide Implementation (Jan. 2026)

Those users who joined the new primary Wi-Fi network during the testing period will automatically transition to that network when UCB Wireless and UCB Guest are deactivated.

OIT will encourage all other users to download the primary Wi-Fi network app in advance of the campuswide implementation through multiple channels (e.g., posters, emails, newsletter articles) to limit disruptions.

 

Frequently Asked Questions

Which Wi-Fi network should I use?

If you're not in an active proof-of-concept building, please refer to the table below.

Wi-Fi NetworkWho should use itLogin Requirement
UCB WirelessAll CU Boulder affiliates with an active IdentiKeyOnce every 12 months
eduroamFaculty, staff, students and visitors from institutions that use eduroamOnce every 12 months
UCB GuestGuests visiting the CU Boulder campusDaily

If you are in an active proof-of-concept building, your Wi-Fi options will differ from the rest of campus, as shown below.

Wi-Fi NetworkWho should use it
Primary Wi-Fi networkAll CU Boulder affiliates with an active IdentiKey
eduroamFaculty, staff, students and visitors from institutions that use eduroam
Secondary Wi-Fi network

Guests visiting the CU Boulder campus

IdentiKey users adding a gaming console or smart TV to campus Wi-Fi

Will this project solve every Wi-Fi problem on campus?

No. This project is scoped to address the Wi-Fi problems discussed above, including improving network registration stability and allowing users to self-enroll their gaming consoles, smart TVs and other consumer headless Wi-Fi devices.

Issues that are out of scope for this project include those related to poor connectivity in certain areas of campus and the wireless network provided by your mobile carrier (e.g., Verizon, T-Mobile, AT&T).

How do I download the primary Wi-Fi network app if I'm on campus and don't have cell service?

If you don't pre-download the app for campus's primary Wi-Fi network, it's possible you could find yourself in a campus location where you can't connect to your mobile carrier's data network to download the app on demand.

If this happens:

  1. Register on CU Boulder's secondary Wi-Fi network.
  2. Use that connection to download the primary Wi-Fi network's app.
  3. Use that app to log in to the campus's primary Wi-Fi network.
 

Contact Us

If you have project-related questions, send an email to (link sends email)oithelp@colorado.edu with Wi-Fi NAC Replacement Project in the subject line.