Wi-Fi Network Access Control (NAC) Replacement Project

  Check Back Soon for More FAQs

The project team will continue to add FAQs and update project details as work progresses.

 
 

Overview

The objective of this project is to investigate, test, purchase and deploy a new enterprise network access control (NAC) solution for Wi-Fi that will replace the existing NAC solution, as well as the existing UCB Wireless and UCB Guest Wi-Fi networks. The eduroam Wi-Fi network will not be affected.

The new NAC solution will have:

A robust and scalable architecture for higher education
A single interface for system administration, reporting and troubleshooting
Alignment with the secure computing project and compatibility with OIT Security's cybersecurity tools

Features specific to CU Secure (replacing UCB Wireless):

  • An optimized end-user experience, including smoother onboarding of personally owned devices
  • IdentiKey-based login and authentication
  • Enterprise-grade encryption for authorized users
  • Secure onboarding of business-critical internet of things (IoT) devices used by university business units or research
  • Better integration with CU Boulder's secure computing standard for computers

Features specific to CU Guest (replacing UCB Guest):

  • Better authentication and audit trail for users who register on campus's secondary Wi-Fi network
  • Self-enrollment of gaming consoles, smart TVs and other consumer headless Wi-Fi devices
  • An option for conference or event organizers with an IdentiKey to create temporary guest accounts for attendees in advance of the event
  • The ability for IdentiKey users to use the secondary network to download the primary network's registration app
 

Project timeline

  • March/April 2025: Confirm and prioritize business and technical requirements.
  • April–June 2025: Select the vendors and provisionally purchase solutions based on campus standards. Backout will be possible if the agreed-upon success conditions are not met.
  • July–August 2025: Perform single-building pilot testing in the Computing Center (COMP) to evaluate the workflow for each use case and the configuration's compatibility with OIT systems.
  • July–September 2025: Prepare for multi-building pilot testing.
  • October–December 2025: Perform multi-building pilot testing in 3–4 campus buildings.
    • Finalize the wired and Wi-Fi network configuration for full-campus deployment.
    • Complete training on system operations, troubleshooting and provisioning.
    • Finalize the incident management framework.
    • Publish documentation for end users.
    • Plan and send communications to help end users onboard their devices to the campus Wi-Fi networks.
  • January 2026: Deploy the new Wi-Fi NAC system campuswide. Replace UCB Wireless and UCB Guest with the new Wi-Fi networks.
 

Why is this project needed?

The current NAC solution, deployed in 2023, was a stopgap measure to quickly address incompatibilities between the previous NAC and the secure computing initiative.

OIT has identified multiple issues with the current NAC solution that are addressed in the project requirements, including:

  • Issues with network registration stability
  • Reliance upon Wi-Fi MAC addresses for authentication
  • Lack of encryption for UCB Wireless
  • Insufficient auditing tools for UCB Guest
  • Inability for users to self-enroll consumer headless Wi-Fi devices
 

How will this affect me?

Pilot Testing (July–Dec. 2025)

The existing campus Wi-Fi networks, UCB Wireless and UCB Guest, will remain available in all non-pilot buildings during testing. All campus users will be encouraged to register on the new networks but will only connect to them when in an active pilot building. 

Registering on CU Secure

CU Secure will be optimized for daily use by CU Boulder faculty, staff and students.

Before connecting to CU Secure for the first time, IdentiKey users will need to download and install the CU Secure certificate on each of their devices (e.g., laptop, smartphone). Once installed, the certificate will allow the device to automatically connect to CU Secure when in range.

Reauthentication will be required relatively rarely; the exact timing will be determined over the course of the project.

Registering on CU Guest
Guest Self Enrollment

On the new NAC solution, guests will need to complete a brief registration form to receive a temporary username and password. Reauthentication will be required relatively frequently; the exact timing will be determined over the course of the project.

Guest Bulk Enrollment

A conference or event organizer with an IdentiKey will have the option to create and distribute temporary guest accounts for attendees in advance of the event.

Personally Owned Device Enrollment

Students, faculty and staff will have the ability to self-register any personally owned screenless devices, like gaming consoles, smart TVs and smart home devices. Right now, users have no way to enroll these devices themselves and instead have to provide the device's Wi-Fi MAC address to the IT Service Center for manual enrollment on the campus Wi-Fi network.

Campuswide Implementation (Jan. 2026)

Secure Computing Devices

OIT plans to push the CU Secure certificate to all Secure Computing devices and most other managed devices in late summer or early fall 2025.

This process will install the certificate in the background with no user intervention and will allow the device to automatically connect to the CU Secure Wi-Fi network whenever it's in range.

Personal & Unmanaged Devices

Users who installed the CU Secure certificate in advance should automatically connect to the CU Secure Wi-Fi network once OIT deactivates UCB Wireless and UCB Guest across campus.

To limit disruptions, OIT will strongly encourage all others to download the CU Secure certificate on their personal and unmanaged devices before returning to campus for spring 2026.

 

Frequently Asked Questions

Which Wi-Fi network should I use?

If you're not in an active proof-of-concept building, please refer to the table below.

Wi-Fi NetworkWho should use itLogin Requirement
UCB WirelessAll CU Boulder affiliates with an active IdentiKeyOnce every 12 months
eduroamFaculty, staff, students and visitors from institutions that use eduroamOnce every 12 months
UCB GuestGuests visiting the CU Boulder campusDaily

If you are in an active pilot building, your Wi-Fi options will differ from the rest of campus, as shown below.

Wi-Fi NetworkWho should use it
CU SecureAll CU Boulder affiliates with an active IdentiKey
eduroamFaculty, staff, students and visitors from institutions that use eduroam
CU Guest

Guests visiting the CU Boulder campus

IdentiKey users adding a gaming console or smart TV to campus Wi-Fi

Will this project solve every Wi-Fi problem on campus?

No. This project is scoped to address the Wi-Fi problems discussed above, including improving network registration stability and allowing users to self-enroll their gaming consoles, smart TVs and other screenless Wi-Fi devices.

Issues that are out of scope for this project include those related to poor connectivity in certain areas of campus, outdoor Wi-Fi coverage, and the cellular network provided by mobile carriers (e.g., Verizon, T-Mobile, AT&T).

 

Contact Us

If you have project-related questions, send an email to (link sends email)oithelp@colorado.edu with Wi-Fi NAC Replacement Project in the subject line.