We understand this layer of security may seem complex and we are dedicated to making the transition seamless and transparent.
Windows Pro Devices
Q. Do users need to enroll IT-managed Windows Pro devices in the DH1 wireless network?
A. No, Windows Pro devices that are already managed by your IT support team will automatically be enrolled into the DH1 wireless network without any further action required.
Q. Do users need to register user-managed Windows Pro devices in the DH1 wireless network?
A. Yes, personal computers and some vendor computers (some vendor computers reside on other Wi-Fi networks) need to register in the DH1 wireless network.
macOS Devices
Q. Do users need to enroll IT-managed macOS devices in the DH1 wireless network?
A. No, macOS devices that are already managed by JAMF will be enrolled into the DH1 wireless network without any further action required.
Q. Do users need to enroll user-managed macOS devices in the DH1 wireless network?
A. Users have two options:
- Move the user-managed macOS device to IT-managed status for full management.
- Self-enroll the user-managed macOS device in JAMF.
Sponsored Affiliates Devices
- User-Managed Requirements for Personal Devices
- For sponsored affiliates, Windows Pro A3 licenses will automatically be applied to:
  - Compensated Sponsored Affiliates
  - Maestro Access Sponsored Affiliates
- For all other Sponsored Affiliate devices:
  - The Sponsor will need to put in a manual request with ServiceNow to upgrade the Windows Pro license from A1 to A3 before the Windows Pro device can be enrolled into DH1. See the Duke Health: Request for Microsoft License upgrade/downgrade: DHTS Work Instruction KB0035433.
Q. Do vendors have access to the DH1 wireless network?
A. If the vendor is sponsored (see above) to have a NetID account and is in Vendormate, then they can register their device to get an SSL certificate and access to DH1. Otherwise, vendors will have access to the Duke Health Guest wireless network.
Operating Systems Not Supported
- Android
- ChromeOS
- iOS
- Windows Home
- Linux
- Unix
Disconnecting Windows User-Managed Devices
Q. Is it possible to disconnect from DH1 and remove the NAC-managed applications from a Windows user-managed device?
A. Yes, NAC-managed applications can be removed after disconnecting from the DH1 wireless network. There is a KB in ServiceNow for "CrowdStrike Falcon Removal" (KB0035507). You will need to put in a ServiceNow request to Security-DHTS requesting an uninstall token for CrowdStrike.
Q. What version of Linux does NAC support?
A. The following x86-64 Linux distributions:
- Ubuntu with Unity*
- Mint with Cinnamon
- Debian with Gnome
- Kubuntu with KDE
- Xubuntu with XFCE
- Lubuntu with LXQt
- Fedora with Gnome
- RHEL with Gnome
- CentOS with Gnome
Not supported on 32-bit systems. Note: Compatibility on all distributions is not guaranteed.
Q. We have a USB adapter for building/re-imaging hosts, can that be whitelisted?
A. NAC does not see the USB build stick. The device comes up as a rogue but is able to get to the build servers.
Q. Will the NAC posture checking add to the network switching delays that occur when someone docks/undocks their laptop?
A. The posture check will not add a delay in the network switching from wireless to wired when docking or from wired to wireless when undocking.
Q. Is there a way to register a USB dongle for those times when we are imaging or setting up a new laptop?
A. We worked with Engineering Services Managed Device engineers on the build process in an enforced environment.
Q. How is this going to impact Macs set up via the DEP process?
A. We worked with Engineering Services Managed Device engineers on the build process to ensure the DEP process works in an enforced environment.
Q. What is the user experience if/when NAC is down?
A. If the NAC system fails, the switch ports will fail over to their default VLAN.
Q. Will there be training for Duke Health Service Desk analysts?
A. Yes, during this enforcement readiness initiative here at Hock we are gathering the training information that is needed.
Q. Should ESXi hosts be planned for as well?
A. ESXi is not currently supported by the NAC agent. An exception will have to be approved by Security and the host registered in NAC.
Q. What is the scope of the rollout for NAC?
A. At this time there is no rollout timeline. Before enforcement begins in an area, however, we will work with IT support staff to make sure all devices are registered.
Q. What about devices that are not managed PCs/Macs?
A. Before enforcement begins in an area, we will work with IT support staff to make sure all devices are registered.
Q. How will NAC work across an unmanaged desktop switch? Will it be allowed, or will the switch have to be replaced?
A. NAC will consider this a rogue device. We will work with the IT person for your area prior to enforcement to address these rogues. If you are using an unmanaged switch on your desktop for some reason, we are pointing users with these devices to ISO to review and provide approval to allow them on the network.
Q. If a previously patched device gets put into remediation, is there some kind of notification that would go out alerting us?
A. At this time, NAC will not be checking patch levels. The demo showed devices that go into remediation and provide a report to show the compliance issue that needs to be addressed.
Q. Will a device that is at a different OS patch level be allowed on the network via NAC?
A. NAC will be looking at operating systems that are patchable, not at specific patches.
Q. Will the guest network allow the PC or device to access backend applications until they are compliant with NAC?
A. No, the guest network will have internet access only.
Q. Will more time be granted if the area has a lot of machines to add to NAC?
A. We are still determining the appropriate amount of time with IT support groups.
Q. Will FS and Clinical Services be going around and making sure existing PCs and equipment attached to the network (like CT scanners) are enrolled into NAC? What are the expectations from the application owner's standpoint?
A. The NAC team has worked diligently to profile standard gear such as laptops, IP phones, printers, etc. and ensure NAC recognizes them. We ask that as an application owner, if you have a question as to whether a device is already profiled in NAC, please reach out to Colin McNevin to verify or work to get it added. Colin will know best if CT scanners have been profiled already.
Q. Is it possible for NAC to interfere with large file transfers to a removable USB device?
A. NAC does not see or interfere with transferring data to a USB drive.
Q. What is Network Access Control (NAC)?
A. Network Access Control (NAC) is a solution that ensures IT-managed and user-managed devices connected by an ethernet cable to the Duke Health network meet security requirements.
Q. What is the difference between "IT-Managed" and "User-Managed" devices?
A. IT-Managed devices are Duke-owned and maintained by DHTS or another IT support group. A majority of devices are IT-Managed. User-Managed devices are either personally owned or Duke-owned and maintained solely by the user (i.e., the user does not use IT services to manage the device). Note: A limited number of employees manage their own devices.
Q. What does NAC do?
A. NAC software resides on devices, such as computers, to increase security of the Duke Health Network. NAC registers, authenticates and scans devices to guard against threats to the network.
Q. What are examples of wired devices that may be blocked from network access if not registered or prepared for NAC implementation?
A.
- Desktop computers
- Laptop computers
- Microscopes
- Video cameras
- Personal devices connected to the network and not registered with NAC
Q. When working off-site, do I need to connect to NAC remotely?
A. No, NAC does not require a special remote connection. It is only used to help authenticate, assess, and authorize a device to gain access onto the Duke Health network.
Q. Do I need to prepare for NAC?
A. If you use an IT-Managed device, it will be registered and updated with NAC software automatically. If you would like to check if your device is NAC ready, follow the steps in this document. If you use a User-Managed device, please follow the steps on the "Wired" page to register and ensure your device meets anti-virus and operating system requirements.
Q. What happens if my device is not registered or does not meet requirements?
A. The device will be permitted to connect to the Duke Health network as a "guest" but will not have full access to the network.
Q. Help! I'm getting certificate errors from my apps when I connect to the VPN. What do I do?
A. This is normal and can be corrected. In order to comply with Duke Health security requirements, access to the Duke Health VPN is now being enforced by Network Access Control (NAC). All computers connecting to the Duke Health VPN must meet the following criteria in order to successfully connect:
- The NAC agent must be installed on the connecting computer.
- The computer must pass the NAC posture scan which verifies approved antivirus software and patchable operating system.
Be sure to close all open applications before connecting to the Duke Health VPN. Connecting to the VPN may take up to 30 seconds while the NAC system posture-checks the computer. Once successfully connected, feel free to reopen your apps.
Q. Does the VPN Support Chromebooks or Mobile Devices?
A. No, NAC on the VPN only supports devices that can install the NAC agent. Currently the NAC agent is only available for macOS, Windows, and Linux devices.
Q. What will happen to the other wireless networks like Hearts, Spades, etc.?
A. These networks will remain in use at this time. DH1 is only replacing the Clubs wireless network. Note: Clubs wireless network will be removed by June 30, 2022.
Q. How do you register a smartphone, tablet, or iPad to DH1?
A. These devices will NOT connect to DH1. They will need to be configured for Aces or Guest.
Q. Is DH1 the same as Aces?
A. No, DH1 and Aces are different wireless networks.
Q. Are Intune & JAMF ready for production?
A. Yes, they are currently being used in production for other service offerings.
Q. Is JAMF the Trinity instance?
A. Yes, we are utilizing the “casper.trinity.duke.edu” instance hosted by OIT.
Q. Why is BigFix being installed?
A. BigFix is being installed for device reporting purposes.
Q. Where can I direct any questions specific to Intune or JAMF?
A. Users can open a request with Engineering Services Managed Devices with specific questions.
Q. How will legacy Windows 7 devices be configured?
A. Legacy Windows 7 devices will need to be assessed on a case-by-case basis. The use case of the device will need to be determined, along with whether it should be configured for a different wireless network.
Q. How are device SSL certificates updated when they expire?
A. The device SSL certificate will get updated automatically starting 60 days prior to expiring, as long as the device connects to the Internet or Duke Health network.
Q. How do users enroll multi-user devices and device SSL certificates?
A. These devices will need to be IT-managed Windows devices, supported by your local IT Support Team.
Q. Can someone that does not have a NetID register a device for DH1 and receive an SSL certificate?
A. No, users must have a NetID to access DH1. The Duke Health Guest wireless network is available to anyone.
Q. Is the DH1 wireless network going to be available at the Student Health Center?
A. Yes, DH1 will be available at the Student Health Center.