Check Back Soon for More FAQs
The project team will continue to add FAQs and update project details as work progresses.
Overview
The objective of this project is to investigate, test, purchase and deploy a new enterprise network access control (NAC) solution for Wi-Fi that will replace the existing NAC solution, as well as the existing UCB Wireless and UCB Guest Wi-Fi networks. The eduroam Wi-Fi network will not be affected.
The new NAC solution will have:
Features specific to CU Secure (replacing UCB Wireless):
- An optimized end-user experience, including smoother onboarding of personally owned devices
- IdentiKey-based login and authentication
- Enterprise-grade encryption for authorized users
- Secure onboarding of business-critical internet of things (IoT) devices used by university business units or research
- Better integration with CU Boulder's secure computing standard for computers
Features specific to CU Guest (replacing UCB Guest):
- Better authentication and audit trail for users who register on campus's secondary Wi-Fi network
- Self-enrollment of gaming consoles, smart TVs and other consumer headless Wi-Fi devices
- An option for conference or event organizers with an IdentiKey to create temporary guest accounts for attendees in advance of the event
- The ability for IdentiKey users to use the secondary network to download the primary network's registration app
Project timeline
- March/April 2025: Confirm and prioritize business and technical requirements.
- April–May 2025: Select the vendors and provisionally purchase solutions based on campus standards. Backout will be possible if the agreed-upon success conditions are not met.
- June–August 2025: Perform single-building pilot testing in the Computing Center (COMP) to evaluate the workflow for each use case and the configuration's compatibility with OIT systems.
- June–September 2025: Prepare for multi-building pilot testing.
- October–December 2025: Perform multi-building pilot testing in 3–4 campus buildings.
- Finalize the wired and Wi-Fi network configuration for full-campus deployment.
- Complete training on system operations, troubleshooting and provisioning.
- Finalize the incident management framework.
- Publish documentation for end users.
- Plan and send communications to help end users onboard their devices to the campus Wi-Fi networks.
- January 2026: Deploy the new Wi-Fi NAC system campuswide. Replace UCB Wireless and UCB Guest with the new Wi-Fi networks.
Why is this project needed?
The current NAC solution, deployed in 2023, was a stopgap measure to quickly address incompatibilities between the previous NAC and the secure computing initiative.
OIT has identified multiple issues with the current NAC solution that are addressed in the project requirements, including:
- Issues with network registration stability
- Reliance upon Wi-Fi MAC addresses for authentication
- Lack of encryption for UCB Wireless
- Insufficient auditing tools for UCB Guest
- Inability for users to self-enroll consumer headless Wi-Fi devices
How will this affect me?
Pilot Testing (June–Dec. 2025)
During pilot testing:
- The new Wi-Fi networks will only be available in pilot buildings.
- The existing Wi-Fi networks (UCB Wireless and UCB Guest) will only be available in non-pilot buildings.
All users will be encouraged to download the CU Secure app on personal devices ahead of the multi-building pilot to support a smooth transition between pilot and non-pilot buildings. DDS customers and those using Secure Computing devices should not need to take any action to prepare their systems for the
Registering on CU Secure
The campus's primary Wi-Fi network (UCB Wireless > CU Secure) is configured for daily use by CU Boulder faculty, staff and students.
On the new NAC solution, IdentiKey users will need to complete a one-time download of the Wi-Fi registration app on each of their devices (e.g., laptop, smartphone), then log in using their IdentiKey credentials.
Reauthentication will be required relatively rarely; the exact timing will be determined over the course of the project.
Registering on CU Guest
Guest Self Enrollment
The campus's secondary Wi-Fi network (UCB Guest > CU Guest) is configured for temporary use by CU Boulder guests.
On the new NAC solution, guests will need to complete a brief registration form to receive a temporary username and password. Reauthentication will be required relatively frequently; the exact timing will be determined over the course of the project.
Guest Bulk Enrollment
A conference or event organizer with an IdentiKey will have the option to create and distribute temporary guest accounts for attendees in advance of the event.
Personally Owned Device Enrollment
Students, faculty and staff will have the ability to self-register any personally owned screenless devices, like gaming consoles, smart TVs and smart home devices. Right now, users have no way to enroll these devices themselves. Instead, they have to look up the device's Wi-Fi MAC address and submit a request to the IT Service Center to manually enroll the device on the campus Wi-Fi network.
Campuswide Implementation (Jan. 2026)
Those users who registered on CU Secure during the testing period will automatically transition to that network when UCB Wireless and UCB Guest are deactivated.
OIT will encourage all other users to download the CU Secure app in advance of the campuswide implementation through multiple channels (e.g., posters, emails, newsletter articles) to limit disruptions.
Frequently Asked Questions
Which Wi-Fi network should I use?
If you're not in an active proof-of-concept building, please refer to the table below.
| Wi-Fi Network | Who should use it | Login Requirement |
|---|---|---|
| UCB Wireless | All CU Boulder affiliates with an active IdentiKey | Once every 12 months |
| eduroam | Faculty, staff, students and visitors from institutions that use eduroam | Once every 12 months |
| UCB Guest | Guests visiting the CU Boulder campus | Daily |
If you are in an active pilot building, your Wi-Fi options will differ from the rest of campus, as shown below.
| Wi-Fi Network | Who should use it |
|---|---|
| CU Secure | All CU Boulder affiliates with an active IdentiKey |
| eduroam | Faculty, staff, students and visitors from institutions that use eduroam |
| CU Guest | Guests visiting the CU Boulder campus IdentiKey users adding a gaming console or smart TV to campus Wi-Fi |
Will this project solve every Wi-Fi problem on campus?
No. This project is scoped to address the Wi-Fi problems discussed above, including improving network registration stability and allowing users to self-enroll their gaming consoles, smart TVs and other consumer headless Wi-Fi devices.
Issues that are out of scope for this project include those related to poor connectivity in certain areas of campus and the wireless network provided by your mobile carrier (e.g., Verizon, T-Mobile, AT&T).
How do I download the CU Secure app on my personal device if I'm already in an active pilot building?
If you don't pre-download the app for the CU Secure Wi-Fi network, it's possible you could find yourself in a campus location where you can't connect to your mobile carrier's data network to download the app at that time.
If that happens:
- Open your available networks list.
- Select CU Guest.
- On the decision page, select I have an IdentiKey.
- Click the link to download the CU Secure app.
Contact Us
If you have project-related questions, send an email to oithelp@colorado.edu with Wi-Fi NAC Replacement Project in the subject line.
