Info for Technical Contacts
In order to meet increasing demands for reliable and high-speed connectivity, DIT is working on an ambitious initiative to replace and upgrade our campus network.
This initiative aims to modernize our network infrastructure and enhance security to protect us from cyber-threats. As such, the new network promises:
- Enhanced user experience with consistent wired and wireless performance, extending the "at home" experience to all residence halls.
- Improved performance with significant speed increases, supporting up to 5 Gbps for wired connections (with adapter), and facilitating faster data transmission wirelessly.
- Advanced security that ensures authorized network access.
- Access control driven by network policies and roles to guarantee a uniform user experience across all connections and locations.
Phases
Phase 1 - Building Preparation
This phase involves physically preparing buildings for new hardware and other refresh-related changes, including a 55% increase in wireless access points in academic and administrative buildings. It has 3 sub-phases:
Copper Cabling
This cabling work will support additional wireless access points, which will improve UMD wireless service beginning during the next phase of the refresh. This work focuses mainly on hallway ceilings, and it is not expected to disrupt any IT services or normal building activities. See the copper cabling schedule.
Fiber Cabling
The new network design has every 48-port switch connected with dedicated fiber. In some locations, additional fiber is needed to support this design. The fiber cabling phase involves implementing and upgrading fiber optic connections between telecom closets to enhance connectivity, improve data transmission speeds, and ensure a reliable and efficient network. This work focuses mainly on hallway ceilings, and it is not expected to disrupt any IT services or normal building activities.
Power Upgrades
To handle the increase in density of access points, the project has completed power upgrades in telecom closets across campus.
As of the end of the Spring 2024 semester, Phase 1 is complete in all academic and administrative buildings. It should be complete in all residential buildings by the end of summer 2024.
Phase 2 - Building Hardware Upgrades
This phase entails replacing all building switching and wireless access point equipment while maintaining the current VLAN configuration. Since existing VLANs are being maintained, this upgrade process should result in very little, if any, disruption to end users after the hardware upgrades are complete. Upgrading each building’s equipment will require scheduled outages of networking and telephone service. Division of Information Technology staff and contractors will enter all spaces with wireless access points, including secured areas, to install and connect new networking equipment. The goal is to complete this phase by the end of January 2025.
Additionally, during this phase, after a building's hardware upgrade is complete, the following steps will take place so that any new infrastructure or server moves can be completed well in advance of the policy phase of the refresh (phase 3).
Departmental Switches
Switches that are connected to wall jacks will no longer be supported in the new network (phase 3), because network policy will be applied at the wall jack level and won’t support multiple devices connected to the same jack. As such, DIT will be scanning the network to find affected switches so that we can activate/install new jacks.
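One way a department could pre-check its own jacks before DIT's scan, as an added example that is not DIT's scanning method: a wall-jack port that learns several data-VLAN MAC addresses almost always has a departmental switch behind it. The example assumes a MAC address table exported as "<vlan> <mac> <port>" lines and that VLAN 20 is a voice VLAN; both are constructed assumptions.

```python
"""Flag wall-jack ports that appear to have a departmental switch behind them.

Added example, not DIT's actual scan. Assumes a MAC address table in the
form "<vlan> <mac> <port>" and that one endpoint per jack is the norm once
network policy is applied per jack.
"""
from collections import defaultdict

# Constructed sample MAC table. Gi1/0/3 learns several data MACs (a switch
# behind the jack); Gi1/0/5 learns one data MAC plus one in the voice VLAN,
# the normal footprint of an IP phone with a PC on its pass-through port.
SAMPLE_MAC_TABLE = """\
10 00:11:22:33:44:01 Gi1/0/1
10 00:11:22:33:44:02 Gi1/0/2
10 00:11:22:33:44:03 Gi1/0/3
10 00:11:22:33:44:04 Gi1/0/3
10 00:11:22:33:44:05 Gi1/0/3
20 00:11:22:33:44:06 Gi1/0/3
10 00:11:22:33:44:07 Gi1/0/5
20 00:11:22:33:44:08 Gi1/0/5
"""

def parse_mac_table(text):
    """Yield (vlan, mac, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        vlan, mac, port = fields
        yield int(vlan), mac.lower(), port

def suspected_downstream_switches(text, voice_vlans=frozenset({20})):
    """Return {port: sorted data-VLAN MACs} for ports learning 2+ data MACs.

    MACs in voice VLANs are ignored so that a phone plus a PC on one jack is
    not reported; the voice VLAN id (20) is a constructed assumption.
    """
    seen = defaultdict(set)
    for vlan, mac, port in parse_mac_table(text):
        if vlan not in voice_vlans:
            seen[port].add(mac)
    return {port: sorted(macs) for port, macs in seen.items() if len(macs) >= 2}

if __name__ == "__main__":
    for port, macs in suspected_downstream_switches(SAMPLE_MAC_TABLE).items():
        print(f"{port}: {len(macs)} data MACs -> likely departmental switch")
```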
Server Migration
Servers currently connected to wall ports will no longer be supported in the new network (phase 3). The wired network in buildings will only support users and local resources (e.g., printers). As such, these servers will need to be transitioned to a UMD Managed Data Center.
Definition of UMD Managed Data Center:
- The space is a walled-off area dedicated to housing computing/IT equipment (i.e., no storage of supplies and no offices).
- Space has a separate HVAC system for the space (i.e., not part of the building HVAC) that is designed for data center operations (i.e., not a residential window unit).
- Space must have a UPS to support the room for at least 30 minutes. For critical operations, a generator is also required.
- Access to the space is controlled by an electronic locking system that tracks and records individuals who have entered the space (and when).
- The space is approved by DIT and FM to be designated as a UMD-managed Data Center.
Phase 3 - Identity-Based Policy-Driven Networking Implementation
On the new network, network access will be driven by policies and roles that are dynamically assigned based on individual identity and their group membership. As such, there are a few major categories of preparatory work that need to be completed for a successful transition to the next-generation network.
Endpoint Management
Enroll university-owned endpoints in endpoint management systems based on the operating system, if not already done.
- Windows laptops/desktops must be joined to central Active Directory and Intune.
- Mac laptops/desktops must be joined to central JAMF.
Why is this required for the new policy-driven network implementation? DIT needs to be able to push the necessary network configuration ahead of network policy implementation. The configuration requires the installation of a device certificate and a local agent (see below). Not all buildings on campus will be switched to the new policy-driven network at the same time; this will happen on a schedule similar to the physical upgrades. In order for devices to function optimally when taken to buildings that have implemented the new policy-driven network, machines need to be configured accordingly. That configuration is only possible once DIT has been able to push the network configurations, which can only be done once the endpoints are joined to Active Directory/Intune or JAMF.
Considering the benefits of completing the migrations and the desire to avoid having this conflict with academic support during the fall semester, DIT’s goal is to complete the endpoint management work by the end of summer 2024 so that the device authentication and user authentication work can follow smoothly. DIT asks for your full support in meeting this goal. Please reach out to the project team if you’d like the project leadership to meet with your unit's leadership for support on this topic.
Device Authentication (Device Certificate)
Institutional devices will use SecureW2-based EAP-TLS certificates to authenticate onto the network. This means the device will be authenticated and connected to the network before a user logs in, which tells the network that the device is managed. DIT will use an endpoint management system (JAMF, AD/Intune) to push the certificates to the endpoints. As such, enrollment in endpoint management is a prerequisite.
User Authentication (OnGuard Local Agent)
Institutional devices will use ClearPass OnGuard to authenticate users and provide conditional access to university systems and resources. OnGuard determines access based on user identity, in conjunction with device certificates, on university-managed computers. This tells the network who is using it. DIT will use an endpoint management system (JAMF, AD/Intune) to push the OnGuard agent to the managed endpoints in close collaboration with IT administrators. As such, enrollment in endpoint management is a prerequisite.
Network Discovery and Preparation
As part of the preparation process, the project team will work with IT administrators approximately 2 months before phase 3 is completed in a building to conduct discovery of what is on the network, identify special use cases, and prepare you for the transition of your environment to Policy-Driven Networking.
Project Resources
Security
Departmental IT and DIT will have visibility into the information needed for administration purposes (e.g., patch levels) to help protect the computer and the campus network when a patch for a high-severity vulnerability is needed.
Not exactly. The campus network refresh is all about network modernization, with the goals of improving user experience and performance while at the same time improving overall security. We will be in a much better position regarding NSPM-33 compliance, but it’s not specifically why things are changing.
Computers/Endpoints
IT administrators will have the ability to open resources to campus when registering a device. This will allow students to be able to print.
IT admins will have the ability to register and self-certify that the devices are being kept up to date on critical patches. DIT will work with departmental admins to make sure these registered machines have access to necessary resources.
This is true for all university-owned Windows computers capable of being on Active Directory. This is not true for personally owned devices, Mac computers, or Linux machines.
University-owned Windows computers will need to be configured with the Intune system, and university-owned Mac computers will need to be configured with DIT-managed JAMF. This will allow important network configurations to be handled by DIT ahead of building network upgrades.
DIT needs to be able to push the necessary network configuration ahead of network policy implementation. The configuration requires the installation of a device certificate and a local agent.
Not all buildings on campus will be switched to the new policy-driven network at the same time; this will happen on a schedule similar to the physical upgrades. In order for devices to function optimally when taken to buildings that have implemented the new policy-driven network, machines need to be configured accordingly. That configuration is only possible once DIT has been able to push the network configurations, which can only be done once the endpoints are enrolled in endpoint management.
- Once the network configurations have been pushed, faculty and staff will no longer need to enter their username/password to connect to eduroam.
- DIT will be able to share reports for your department well ahead of policy implementation about Windows/Mac machines or users that may not be configured correctly. This gives local IT the maximum amount of time to resolve these issues ahead of policy implementation for your building or department.
- It provides DIT and local IT with visibility into the security posture of Windows and Mac endpoints, helping ensure that unpatched machines aren’t putting the campus network, our users, and/or data at risk. This is particularly important when critical vulnerabilities need to be addressed expediently.
There is flexibility on this topic. Keeping machines updated is an essential aspect of overall network and data security. DIT acknowledges, however, that patching and OS upgrades could disrupt academic and research activities. Departments will have the option of having DIT handle patching and OS upgrades, or of having local departmental IT handle them.
From now through the completion of the network refresh, general network access will not be blocked based on the status of drive encryption. In the future, there will be instances where access to systems with Level 4 data (see UMD Data Classification Standard IT-2) will limit access to university-owned machines with encrypted drives.
University-owned Windows computers that are on central Active Directory and Intune will be automatically configured for network connectivity and access to common departmental network resources like printers. If the machine is not on central Active Directory and Intune, the user will need to register the machine as a BYOD device, limiting access to departmental resources without VPN. In the future, some services may not allow access from devices registered as BYOD devices. For this reason, DIT highly recommends that individuals work with their local IT to ensure their university-owned Windows work computer is configured on central Active Directory and Intune.
University-owned Apple/Mac computers that are on DIT-managed JAMF will be automatically configured for network connectivity and access to common departmental network resources like printers. If the machine is not on DIT-managed JAMF, the user will need to register the machine as a BYOD device, limiting access to departmental resources without VPN. In the future, some services may not allow access from devices registered as BYOD devices. For this reason, DIT highly recommends that individuals work with their local IT to ensure their university-owned Apple/Mac work computer is configured on DIT-managed JAMF.
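The device-then-user model from the Phase 3 section (EAP-TLS device certificate, then OnGuard user identity) and the managed-versus-BYOD outcomes in the two answers above, modelled as an added illustration that is not ClearPass, SecureW2 or DIT code. It assumes an unregistered device reaches only a registration portal, and uses constructed group and resource names; the Level 4 rule is the future rule described under drive encryption.

```python
"""Role assignment on the policy-driven network, as this page describes it.

Added illustration, not ClearPass or SecureW2 code. Rules encoded: a valid
EAP-TLS device certificate plus an OnGuard-reported user means a managed
device; an unenrolled device registered as BYOD reaches departmental
resources only via VPN; an unregistered device sees only the registration
portal (assumption); Level 4 data needs a managed device with an encrypted
drive. Group and resource names are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Set

class Role(Enum):
    MANAGED = "managed"
    BYOD = "byod"
    UNREGISTERED = "unregistered"

@dataclass(frozen=True)
class Session:
    device_cert_valid: bool     # EAP-TLS cert chains to the institutional CA
    user: Optional[str]         # identity reported by OnGuard, None if absent
    groups: FrozenSet[str]      # directory group membership of the user
    byod_registered: bool       # device registered through the BYOD process
    drive_encrypted: bool       # posture attribute used for Level 4 data

# Constructed: which group unlocks which departmental resources.
DEPT_RESOURCES = {"dept-chem": {"chem-printers", "chem-fileshare", "chem-level4-db"}}
LEVEL4_RESOURCES = {"chem-level4-db"}

def assign_role(s: Session) -> Role:
    """Device identity decides the role; user identity refines the resources."""
    if s.device_cert_valid and s.user is not None:
        return Role.MANAGED
    if s.byod_registered:
        return Role.BYOD
    return Role.UNREGISTERED

def allowed_resources(s: Session, via_vpn: bool = False) -> Set[str]:
    """Resources the session may reach under the rules listed above."""
    role = assign_role(s)
    if role is Role.UNREGISTERED:
        return {"registration-portal"}
    dept = set().union(*(DEPT_RESOURCES.get(g, set()) for g in s.groups))
    if role is Role.BYOD and not via_vpn:
        dept = set()                       # BYOD: departmental only via VPN
    if not (role is Role.MANAGED and s.drive_encrypted):
        dept -= LEVEL4_RESOURCES           # Level 4 needs managed + encrypted
    return {"internet", "eduroam"} | dept
```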
Departmental Network Switches
Not entirely. Switches that are connected to wall ports and provide wired access to university-owned or BYOD laptops/desktops need to be retired. DIT will work with departments to install the necessary network drops so that these switches aren’t necessary. For clarity, switches used in data centers or computer rooms that are not connected to wall ports are not in scope for replacement.
Devices that are plugged into switches that are in turn plugged into a wall jack likely won't work as expected. If you currently have such a configuration, DIT will meet with you for discovery to determine how to handle this on the new network. We would either activate additional jacks, install additional jacks, or provide explicit exemption based on the use case. Any additional activations or installations would be at no additional cost to the department.
Other
This will be discussed during preparation for the migration. What’s important to understand is that every device on the network today will still be on the network after the campus network refresh. DIT will work closely with departmental IT leads on the appropriate configuration for specialty devices.
Do you have other questions? Please reach out to the project team at CampusNetworkRefresh@umd.edu.
Virtual Office Hours
We have virtual office hours every other Wednesday from 1 until 2 p.m. over Zoom. This is open to everyone who has questions about the project or is interested in the latest developments.
Upcoming Office Hour Sessions for Network Refresh
- May 29
- June 12
- June 26
- July 10
- July 24