New CU Secure Wi-Fi: What you need to know

Submitted by stauffeg

A better, more reliable and secure Wi-Fi network is rolling out across CU Boulder in support of the campus priority to align our resources to our mission and support student, faculty and staff success. During the winter break, CU Secure and CU Guest will replace UCB Wireless and UCB Guest. To use the new CU Secure network that is replacing UCB Wireless, students, faculty and staff will need to register their devices in advance by installing a certificate. Learn more about CU Secure and how to register.

Because CU Secure uses certificate-based authentication instead of the password-based authentication used by UCB Wireless, some people have asked how the new network makes our campus more secure, how it protects their privacy and whether it blocks access to certain sites or resources. We posed your questions to our Vice Chancellor of Information Technology, Marin Stanek, PhD, to clear up any misconceptions about the new service and to explain how it serves the diverse networking needs of our students, faculty, staff and guests while protecting your privacy and your access to the online resources that support the teaching and research missions.

Q: Why do we need to update our Wi-Fi infrastructure?
Marin: The current system has fundamental limitations that are affecting the day-to-day teaching and research that happens on our campus. Most notably, this old system is incompatible with standard security features on newer devices, like Apple's Private Wi-Fi Address feature, which is why you may experience dropped connections in the middle of classes or meetings.

Our new Wi-Fi infrastructure fixes these compatibility issues and adds end-to-end encryption, which is what all R1 institutions are moving to for academic and research data protection. It also enhances device registration so you don’t need to frequently re-authenticate or work with OIT to connect lab equipment and IoT devices. It’s also really slick and responsive.

The authentication is certificate-based, meaning once you have the certificate installed, you will not be bothered to reauthenticate for two years. Also, the onboarding process improves your ability to get a visiting researcher or guest speaker online, too.

Q: Why does the updated Wi-Fi require us to install a certificate?
Marin: Most public Wi-Fi networks are unencrypted and use passwords or Wi-Fi MAC addresses for authentication rather than certificates. Those authentication methods are outdated and riskier for institutions like CU Boulder where lost and stolen passwords expose us to data breaches. Also, device updates can cause Wi-Fi MAC address authentication to fail, which we have heard repeatedly from listening to students, as well as faculty and staff, is incredibly frustrating.

Like Eduroam, the secure wireless network that is on our campus and at other institutions around the world, CU Secure relies on a certificate to:

  • Automatically authenticate your device onto the Wi-Fi network, avoiding the annoyance of having to enter a username and password to connect.
  • Ensure your device connects to our network rather than an imitation network designed to eavesdrop on your communications or steal your passwords.
  • Allow your device to reliably connect to the network regardless of your device’s Wi-Fi MAC address or other configuration settings.

Q: What makes certificate-based authentication better than password-based authentication?
Marin: This new Wi-Fi is so much simpler to access the network and is generally quicker upon initial connection to the network. It is exciting because it automatically provides better compatibility with a wide range of devices, including working with Apple’s Private Wi-Fi or Android's MAC randomization features. This upgrade to our Wi-Fi environment is part of our strategic modernization efforts that we are hearing are critical for our students and their success, as well as for our researchers who are increasingly being targeted for their intellectual property and knowledge creation. Certificates use public/private keys which are mathematically more difficult to crack than passwords. This protects our campus community from those who are not part of our community.

Q: By installing this certificate on my computer, am I giving up a certain amount of privacy compared to the old network that had password-based authentication?
Marin: No, certificates do not give IT visibility into your activity or data. The certificate verifies that the device you are trying to connect to the network belongs to you, a credentialed and trusted member of our campus community, not an imposter. The certificate system is similar to the one used with the Eduroam Wi-Fi network, which is available at universities across the globe.

Q: What kind of information does CU Secure collect about my connections and internet browsing sessions?
Marin: I know there is some misunderstanding circulating that this new certificate-based Wi-Fi is somehow collecting browsing history or files. That is simply not true. It collects the same limited connection metadata that the current system always has, which may include some or all of the following depending on the scenario:

  • Timestamp of connection
  • Device Wi-Fi MAC address
  • Your IdentiKey username or email address
  • Device model and operating system
  • Relative location of device on campus

OIT collects this information so it can efficiently troubleshoot and resolve Wi-Fi connectivity and performance issues of our customers. OIT also uses this information to upgrade the Wi-Fi networks to handle the growing needs of students, faculty and staff.

Q: What information do I need to share to register for CU Secure?
Marin: CU Secure does not require administrator user rights to complete the certificate installation and does not need administrator user rights to operate. For personal and non-Secure Computing devices, the connection uses first name, last name, email address, IdentiKey username, and the device’s operating system. For Secure Computing devices, which is increasingly the standard for employees, it only uses the device’s serial number.

Q: Will the new Wi-Fi block me from using any tools I can use on UCB Wireless like ChatGPT, TikTok or Instagram?
Marin: No, there is no difference in what CU Secure and UCB Wireless allow access to. CU Secure will in no way limit your access to the sites and services you can currently access.

Q: Why should I be on CU Secure vs. CU Guest?
Marin: CU Secure is designed for all CU Boulder affiliates with an active IdentiKey and provides full access to campus resources, including protected servers and services. CU Guest is designed for campus visitors and offers only basic web and email access. Because CU Guest is intended for guest access only, it bars access to certain campus online resources and requires guests to re-register daily. Our campus community, which has roughly 120,000 Wi-Fi connections a day, needs to transition to CU Secure for a more modern, secure Wi-Fi experience.

Q: Anything else you would like to add?
Marin: Please spread the word about how to get prepared for CU Secure before the end of the semester so more people can seamlessly connect when the spring semester starts. Regardless of the various communications OIT sends out to the campus community, the most effective way to create change is through colleagues and friends that understand what we are doing to support the campus.