Solution For College's Bad Network Policy?
DAMN MY LIFE writes "I'm going to Central Michigan University in the fall. Upon examination of their poorly organized network usage policies, I'm worried that using their internet service will expose my web browsing habits, emails, and most importantly, passwords. Another concern I have is the 'Client Security Agent' that students are required to install and leave on their systems to use the network. Through this application, the IT department scans everyone's computer for what they claim are network security purposes. Of course, scanning a person's hard drive can turn up all kinds of things that are personal. Do all colleges have such extreme measures in place? Is there any way that I can avoid this? There are no wireless broadband providers available in the area, I already checked."
No. (Score:4, Informative)
Do all colleges have such extreme measures in place?
No, mine doesn't. Technically we just have to have antivirus software installed, and keep up with MS's security patches, and they really don't ever even check for those.
That's insane. (Score:5, Informative)
Dude, I don't know what to say, that's insane. The only suggestion I have is to either not use the Internet on your personal computer or find another university to go to. sigh... Looks like along with all the other stuff that determines what school a kid goes to, we're going to have to add "how screwed up is your Internet access policy?" to the list.
Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!
Looks to me like a clear-cut case of some overzealous IT goob forgetting who is paying whose salary. I'm not saying that you're the Chairman of the Board, but you most certainly should expect to have the right to have full access to this academic resource without this kind of burden.
As a practical matter, you could just call up their IT department and tell them that you have a Linux box, even if you have Windows, and that your machine doesn't run their "Client Security Agent." Whatever they tell you to do to get on the network, just do that on your Windows machine and be done with it. If they tell you that it can't be done, seriously. Go somewhere else. If this university is that stupid, you shouldn't particularly want a diploma from there anyway.
If you do call them up and ask about Macs and Linux machines, let us know what they say.
Mod Parent Up Please! :) (Score:5, Informative)
I had the same problem (Score:5, Informative)
1) The clean access agent only actually requires that you "authenticate" as clean to the network about once every two weeks. I installed a copy of Windows on a small partition at the end of my drive, put the clean access agent on it and authenticated myself. Whenever I was "cut off" from the network, I would reboot into the other (isolated) Windows partition (make sure your actual in-use partitions aren't mounted), do a scan to regain access and then reboot again. Worked reasonably well.
2) Because our network was so slow, I eventually decided that it wasn't worth the trouble. In the residence I was in the phones were provided by the local phone company and the cable was provided by the local cable company. It was a bit of a grey area regarding the policies in place in the residence, but I was able to have cable internet installed directly into my room. Perhaps you can do the same?
Re:Mod Parent Up Please! :) (Score:5, Informative)
Yep, and you could run Windows in a virtual machine with NAT set up and the client installed. That way, they'd get to scan "your machine" but wouldn't be able to access anything on the Linux side.
Re:Sandbox it with Sandboxie (Score:3, Informative)
Re:Use a VM (Score:4, Informative)
That may not work if the network authenticates against your MAC address.
My experiences in Truman, MO (Score:2, Informative)
We have it here too.
The "Clean Security Agent," if I'm not wrong, is the Cisco Clean Access Agent [wikipedia.org] that comes with the Cisco NAC Appliance, which runs on Windows only, and is a pain esp. for those who are running Vista. This beast has to run under Administrator privileges and pops up a login window every time you connect back to the network, and doesn't even want to accept certain types of anti-virus software (such as Avira).
Workaround: It doesn't run on Mac and Linux. If you use Windows, you can convince the NAC you're using Linux and it will believe it until the appliance gets restarted. If you have Linux - great, the NAC just lets you pass through. If you have Windows, Kevin [sourceforge.net], a program with a great icon, used to work but recently it didn't, but there is always an easy way to get over it: boot into Linux and fire up Firefox and click on a link, and then boot back to Windows.
And just FYI: Due to an insane number of complaints received from the students, the IT Staff over here is getting rid of the Cisco CCA this summer :-)
Re:Use a VM (Score:2, Informative)
Re:Mod Parent Up Please! :) (Score:3, Informative)
Of course, other silly Windows programs, like SolidWorks, PSpice, Photoshop won't run either. Might make certain classes difficult depending on your major, though I'm sure it can be worked around. In the worst case, you could keep a Windows partition specifically for essential programs.
Re:Use a VM (Score:2, Informative)
That'd be stupid, it can be easily faked.
I've secured school networks with 802.1x and EAP-TLS. Works fine - and VLAN assignment works automatically, depending on the computer plugged in.
Re:Mod Parent Up Please! :) (Score:3, Informative)
Can't tether there. (Score:3, Informative)
Get a cellphone plan. Ensure that your phone supports "Tethering".
From the summary: "There are no wireless broadband providers available in the area, I already checked." Therefore, we can assume that none of the available phones support tethering.
Re:That's insane. (Score:5, Informative)
That being said, this is for Windows only. Mac and Linux only get single-time scans (for what, I do not know), and after that your MAC is whitelisted with your ID. The beauty is that once registered, it's MAC specific, not OS. I should note that our provider is promising a Client Security Agent for Mac soon, but I doubt a Linux one is coming.
Both CYA & BS (Score:3, Informative)
I am assuming that you will be living in the dorm, otherwise the CMU website gives a list of ISPs. http://www.oit.cmich.edu/it/it_isps.asp [cmich.edu] The list includes mobile broadband cards from Sprint, etc., so I'm not sure what you mean by no wireless broadband providers, though this would be a huge downgrade from the internet speed you can probably get on campus.
The Acceptable Use Policy looks to be general CYA boilerplate B.S. which lets you know that you have some expectations of privacy, but don't hold your breath if there's a subpoena or other legal action trying to get the data. As to the CSA, this appears to be an overreaction to the perceived security risks of Windows systems. On the other hand, bandwidth is expensive, and the IT department may have decided that this is a good way to prevent the spread of viruses and bots on the campus network. All of this is probably academic as it doesn't look like it's Windows only. http://www.oit.cmich.edu/faq/faq_network_dialup.asp#get [cmich.edu] Mac or Linux should probably work.
Re:Sandbox it with Sandboxie (Score:3, Informative)
Re:My Solution (Score:5, Informative)
McAfee? Wow.
I happen to do a little work for a local in a town that some of us are familiar with [annarbor.org]. She happens to be involved with the local university [umich.edu] who also uses McAfee as their supported antivirus solution. I got called in a panic by this person because her system was crazy infected. It turned out that the infection disabled the McAfee framework service (which can't be started in safe mode) and totally owned her laptop.
The reason? The updates stopped working [umich.edu]. I opted to put AVG Free on there and asked her to try it out, and if she wanted to, we could look into purchasing the more complete suite.
Point of the story? I'm rather upset that CMU, or other schools would *force* a particular AV solution. I'm more upset that they force down one that has, IMHO, a critical flaw in design. Namely, you can't update, install, or uninstall the scanner in safe mode (yes, safe mode with networking). It just sets up too easily for a massive infection. Fortunately, the policy of the University I mentioned earlier did not have restrictions on AV, so this was still acceptable.
I don't know what deal McAfee has with pretty much everyone that provides AV to "non-commercial" users... but I find it terrible, resource intensive, and just too easy to knock out.
Waaah. (Score:5, Informative)
Simply put, their network, their rules. When you're paying, you can decide the rules you follow, and deal with the consequences if you break some other major rules (laws). If you don't like their rules, complain to them, or go elsewhere. Not like you're forced to stay. Attempting to side-step the rules (especially publicly on slashdot, you know someone in the IT department at your university reads this site) is a very bad plan. Unless if you happen to be a random genius at network security (and if you're asking us, you aren't), you will not outsmart your school's IT department. This isn't high school anymore, where renaming forbidden
Re:My experiences in Truman, MO (Score:2, Informative)
Re:There's a get out (Score:4, Informative)
Re:Linux (Score:5, Informative)
My university(Ohio State), tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.
Turns out, a couple weeks in and they completely dropped the policy.
On a related note: Somehow, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your MAC address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.
Re:That's insane. (Score:5, Informative)
Re:Tether. (Score:1, Informative)
The problem I've seen with some tether plans is that they have low (depending on what you are using it for) monthly data transfers.
AT&T for example seems to have 5 GB included with every tether plan with $0.00048/KB ($0.49/MB) if you exceed it.
5GB in a month is an average (30 day/month here) transfer of 2.0 kB/second.
And I've had months with a parent downloading 100GB of audio books (librivox, free audio books of books in the public domain).
Heck, the suggested sizes page for AT&T has a 2 hour movie from iTunes @ 1.5GB. If you watch more than 3 a month you have a problem.
A thought: see if you can get a dial-up connection to some ISP. With a 56kb connection you should be able to get about 4-5kB/sec download rate (best I've seen IIRC). If you never use the phone for any other purpose, it would be cheaper for the (using 4.5kB/sec, 30 days) 11.1 GB of transfer. If you used the cell phone plan, 5GB + 6.1GB, it would be the base cost + $3070 + taxes.
Now, I know for AT&T if you don't have tether in your plan it is unlimited data, but the terms seem to suggest that if you exceed 5GB they can slap a charge on you.
Re:Mod Parent Up Please! :) (Score:5, Informative)
Re:That's insane. (Score:2, Informative)
http://www.bradfordnetworks.com/board/board.cgi?id=CM_CaseStudy&action=download&gul=32 [bradfordnetworks.com]
you can read about CMU's Agent here.
It's so simple (Score:3, Informative)
Let me see if I have this right...
You want us to tell you how to hack around the network/security/TOS of your university?
How about this observation from someone that also runs a network for students:
Comply with the policy when you use their infrastructure.
Now, how to go about that without invading your privacy? Easy - dual boot with encrypted file systems on the second partition. Keep pablum on the system you use to access their infrastructure. Keep your other stuff on a system you don't bring up using their infrastructure. Simple. If you don't want your browsing habits known (which I don't believe for a second they give a fart about), then go to a cyber cafe or something when you want to do things you don't want known.
Their network = their rules.
And for those that want to pick holes in their policies/make fun of how incompetent they are:
1. Not every time do I tell my management team better ways to do what they want to do. Sometimes I think management is full of it. Now, if they ASK me, I have to tell them. But I don't have to open my big fat yap - and I don't, when I think they are being silly.
2. Not every "bone headed move" is all that bone headed. You need to be in the room to see why some direction was chosen. Sometimes it's stupidity, sometimes it's a compromise between time, money, resources, and what you really need to do. The old web blocking software wasn't very good at blocking http proxies. We simply didn't have the money or time to cobble up something better. All the people that knew this thought we were incompetent because it was so easy to get around the blocking software. The new software is very good at blocking that and a lot of other tricks. Our network = our rules. You're free to visit sites we don't like - on your own time, on your own network infrastructure, using your own computer. (Not that I agree with the policy, but it IS their network funded with tax dollars and subject to state law which requires web blocking software. Grow up and deal with it, change state law, or use your own stuff to do what they don't like.)
3. Get used to someone looking over your shoulder vis-à-vis computing. Employers are increasingly doing it, public institutions are required to do it, and others do it simply because they can. Failing to learn how to keep your stuff private is an invitation to these jerks to invade your privacy - so learn to make it difficult for them to do so. The first step in this process is to know that when you use someone else's network, computers, or infrastructure, they have a say in how that gets used. When you're on your own network, own computer, and own internet connection, THEN you can expect some privacy... if you're smart and use care.
Re:You're not as interesting as you think you are (Score:1, Informative)
QOS was invented for a reason - try using it rather than requiring people to install crap on their machines they have no reason to trust.
http://en.wikipedia.org/wiki/Qos [wikipedia.org]
Re:I had the same problem (Score:3, Informative)
Yeah, in response to number 2:
My university (Penn State) has free telephone to every room, and the copper goes straight to the phone company. They actually tell you at the orientation stuff that you can go ahead and get DSL to your dorm if you don't like their network setup. Some people do, though not many. Though their network policy isn't bad...just a 4GB weekly bandwidth limit.
Re:Mod Parent Up Please! :) (Score:2, Informative)
Perhaps the security agent could be run in a WinJail [winquota.com] install.
Or a virtualization solution like iCore Virtual Accounts.
Or inside a VMware Virtual Machine configured for NAT or on another desktop machine configured for bridging (if you have two).
Depending on if the identification of the security agent is by port or by MAC address...
You could conceivably load up the VM once to run the security agent when you turned up the port, then shutdown the VM and temporarily change your MAC address to the VM's former MAC address if necessary.
Re:Computer science major (Score:3, Informative)
This has come up before... When I was at CMU (cmu.edu), Central Michigan University sued for the rights to the acronym and won. That's why you will only find t-shirts, hats, etc. with "Carnegie Mellon" written on them now. We got to keep the domain name as part of the deal.
So, it doesn't surprise me that they have CMU all over their site and whatnot, but whenever I say "CMU" people always know which school I mean :)
Re:That's STILL insane. (Score:4, Informative)
So, I would argue that they do, in fact, have every right to require it of you. You're using their network in a way that they don't have explicit control over, when they are providing you otherwise with the necessary resources for your classes. Sounds like a privilege to me, and if you want to use it, you need to play by their rules. Not that I personally like that idea, of course, but it's what I see as being the reality of the situation.
Also, at least at my school, the CSA came into place very shortly after one of those major worm outbreaks in 2002 or 2003. I remember hearing that around 95% of the network traffic was being generated by the worm, and that the entire university was basically suffering the effects of a DoS attack for the better part of a month since very few of the students' PCs were protected by proper AV and anti-malware software at that time. From then on, practicality alone dictated that they forced the students to install AV software and that they routinely ensure that it's still there.
Re:Don't use their network? (Score:5, Informative)
When I was in the dorms at my school, a guy maintained an InstallVise installer, which contained the proper registry keys to change Windows' MTU, and a Greasemonkey script which spoofed Firefox's user agent and platform, so Windows machines looked to be running Linux.
After seeing someone with a similar solution get kicked out of another school, being published on Slashdot, and knowledge that my school's IT dept was searching for the maintainer, he stopped.
Clean Access now uses a Java jar for the Linux platform. If your school's client has something similar in place for Linux users, I suggest that you find a Computer Science student, and ask them to decompile the jar, using the DJ Java Decompiler, and create a Greasemonkey script that uses a similar method of generating a session key. You'd also probably need the special registry keys, which can be found in the source code for sec_cloak.c, which you should be able to find on Google.
Hope I could help.
Re:Use a VM (Score:4, Informative)
And then you set up the internal VM as a proxy, and you proxy your main computer's internet through the VM. Bam, problem solved.
Seriously, think these things through.
Re:You're not as interesting as you think you are (Score:1, Informative)
I can't help but feel you might not have explored all of the available options. Some campuses have competent administrators and use traffic shaping and network level threat detection (with auto-shutoff).
Re:Computer science major (Score:2, Informative)
Not that disingenuous.
They were created before Carnegie Mellon; also, Carnegie Mellon University did not get that name until 1965. Central Michigan University got its name in 1959.
And Central Mich called themselves CMU pretty much from the beginning. So Carnegie Mellon has no more right to the name than they have.
Also, Carnegie Mellon, in their identity guidelines [cmu.edu], specifically say not to use "CMU". Instead they use CarnegieMellon as in WikiText or C++ CamelCase.
In other words, Central Michigan University calls them that, Carnegie Mellon does not say they are CMU. The only thing they need to fix is their domain name...
However, it's a 3 letter domain name, and pretty darn cool to have one. No one wants to have to type http://carnegiemellon.edu/ [carnegiemellon.edu]
Re:No. (Score:1, Informative)
Skype is a P2P program and it becomes a router when run. It uses up a lot of bandwidth and CPU. This is why I don't use it at all, ever. First, I did not want to allow it to use up my bandwidth that I'm paying for to route other people's traffic on behalf of the Skype owners, also for legal reasons. Secondly, I do not know what the number crunching Skype does when it thinks I'm away from my computer. What, it re-encrypts the traffic? Cracks codes for some bizarre security service somewhere?
Re:Linux (Score:5, Informative)
My university(Ohio State), tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.
As an IT employee at Ohio State, I can assure you that there is more of this in the pipeline since it's mandated by the Board of Trustees.
I can't see comparing what is going on at OSU with what the OP reports at CMU -- Ohio State's efforts to lock down the network and restricted data are quite comprehensive [osu.edu] and IT staff, like you, are concerned that it's done properly. Mac/Linux support is on the way -- most vendors do not support it so it's quite difficult for the University to support it. The scanners they run on your computer are not there to look at your personal files, track down copyright infringement, or anything else you might be worried about -- they simply look for OS/software patches and run an anti-virus/malware scan. If you don't run the scan with the agent, you will not have any network access. If you take some of the suggestions here and bypass the security agent, you are violating the AUP [osu.edu] and, if caught, could face academic misconduct charges.
I can assure you that the University's IT office is underfunded enough that even if they wanted to go out of their way to scan your computer for anything else (they do not), they would not be able to.
On a related note: Somehow, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your MAC address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.
This isn't magic -- they run typical network vulnerability scanners [nessus.org] and block you if a virus or bot responds from your IP. DHCP and switch info tells them your mac address.
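The correlation this reply describes (a scanner finding against an IP, then DHCP lease records to turn that IP into the MAC to block), as an added defender-side example that is not part of the original thread. The dhcpd log lines, scanner findings and signature names are constructed, and the year is assumed because syslog timestamps carry none; the lookup is time-aware so that a lease that moved to another MAC before the finding does not get the wrong host blocked.

```python
import re
from datetime import datetime

# Constructed sample dhcpd syslog lines (not from any real campus). The
# second ACK for 10.20.5.17 goes to a different MAC, the case the lookup
# below must handle so the wrong student is not blocked.
DHCP_LOG = """\
Jun  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:16:3e:aa:bb:01 via eth0
Jun  3 09:40:44 dhcp1 dhcpd: DHCPACK on 10.20.5.18 to 00:16:3e:aa:bb:02 via eth0
Jun  3 13:05:10 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:16:3e:aa:bb:03 via eth0
"""

# Constructed scanner output: (timestamp, target ip, finding id).
SCAN_RESULTS = [
    ("Jun  3 10:15:00", "10.20.5.17", "worm-backdoor-port-open"),
    ("Jun  3 10:15:00", "10.20.5.18", "missing-os-patch"),
    ("Jun  3 14:30:00", "10.20.5.17", "irc-bot-beacon"),
    ("Jun  3 14:30:00", "10.20.5.99", "irc-bot-beacon"),
]

# Only findings that mean "a bot or worm answered the probe" lead to a MAC
# block; a missing patch is a remediation notice, not a quarantine.
BOT_SIGNATURES = {"worm-backdoor-port-open", "irc-bot-beacon"}

YEAR = 2008  # assumed: syslog timestamps carry no year
ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})"
)


def parse_ts(text):
    """Parse a syslog-style timestamp such as 'Jun  3 08:12:01'."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_leases(log):
    """Return [(timestamp, ip, mac)] for every DHCPACK line, oldest first."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m:
            leases.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    return sorted(leases)


def mac_for(leases, ip, at):
    """MAC that held `ip` at time `at`: the latest ACK for that ip not after `at`."""
    holder = None
    for ts, lease_ip, mac in leases:  # leases are sorted, so the last match wins
        if lease_ip == ip and ts <= at:
            holder = mac
    return holder


def quarantine_decisions(leases, results):
    """Map MAC -> sorted bot findings that justify a block; also list IPs with no lease."""
    blocks, unresolved = {}, []
    for ts_text, ip, finding in results:
        if finding not in BOT_SIGNATURES:
            continue
        mac = mac_for(leases, ip, parse_ts(ts_text))
        if mac is None:
            unresolved.append(ip)  # static address or stale log: needs a human look
            continue
        blocks.setdefault(mac, []).append(finding)
    return {mac: sorted(f) for mac, f in blocks.items()}, unresolved


if __name__ == "__main__":
    blocks, unresolved = quarantine_decisions(parse_leases(DHCP_LOG), SCAN_RESULTS)
    for mac, findings in blocks.items():
        print(f"block {mac}: {', '.join(findings)}")
    print("unresolved:", unresolved)
```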
2 computer solution... the better one (Score:4, Informative)
Then just enable internet connection sharing, and connect your good laptop. Simple!
If they are into packet sniffing, just use ssh tunnel for the traffic
Comment removed (Score:5, Informative)
Another solution that hasn't been suggested yet (Score:4, Informative)
Okay, so it's not ideal, but here's what you can do that doesn't require running a virtual machine on your primary PC, or a dual-boot-into-Windows to run the scanner/authenticator software every once in a while scenario:
Get yourself a cheap-ass PC. Throw two ethernet NICs in it. Install a new copy of Windows XP, and any software that your campus IT staff require to be installed on there. Then run Windows XP Internet Connection Sharing (ICS) on the unused ethernet adapter. (ICS is a small DHCP server + NAT engine built into Windows.) Plug that into a switch along with your main computer or computers, and use the XP box running ICS as your router.
Then from the university's perspective, you have a single Windows XP box hooked up which is clean and conforms to their standards for network access. Unless the software that you need to install prohibits ICS from functioning, and there is no way around the artificial restriction, they won't know about the PC or PCs you have running behind the ICS machine.
That sucks... (Score:2, Informative)
It's pretty different over here in Germany. We don't have a campus, but the local technical university (RWTH Aachen) provides internet access to most of the student apartment complexes (there's quite a few of 'em) and WiFi access points all over the city (basically if you're downtown, you can get a signal at least 50% of the time). Quite a few ports are blocked (pretty much everything non-standard), but you don't have to install any software and it's hella fast (IIRC the university has its own connection right into a backbone - or something like that - I just remember making a hell of a :o face when I realized my download speeds from Rapidshare were being capped by the 100mbit ethernet connection...).
Now, there's a _lot_ of students on that network. Everyone working or studying at the university has access. All you need to do is connect to the WiFi network (authentication via certificate and PEAP) via any old wireless client (hell, even my WM6.1 phone works)... I'd estimate that the whole network has 10k+ users - now how do they manage to do all this without using client scanning software? I'm sure there's a lot of malware-infected systems on the network, but the network seems to be secure enough to handle it. Maybe it's just a question of competent IT staff?
I'm not exactly up-to-date on the technical side of securing a network, but as far as I can tell, it's possible without the massive intrusion upon users' privacy that's described in the summary...
Re:Mod Parent Up Please! :) (Score:3, Informative)
At my university, they explicitly exempt Macs and Linux from having to use Cisco Clean Access. They port scan the Linux / Mac box, and use network level checks to make sure your computer is secure (or at least appears secure.)
The big problems are with Windows. With a campus as big as ours, all Windows boxes must run an up-to-date virus scanner. This policy must be enforced. To do otherwise is just stupid. Every computer, even Linux machines, is continuously being probed looking for vulnerable ports. People have targeted our university with custom spam, and custom port scanning attacks. Machines from senior staff have gotten virus infected, even when running current anti-virus software, and have been used to distribute spam. Users are also stupid. One inadvertently used a restricted access mailing list to spam the entire university, ironically with a complaint saying "Stop Spamming Me!"
With 20,000+ PCs on the network, bad things happen.
Re:Linux (Score:2, Informative)
Re:Solution For College's Bad Network Policy? (Score:2, Informative)
Maybe VMware Thinapp in Sandbox mode?
Re:Solution For College's Bad Network Policy? (Score:5, Informative)
Maybe VMware Thinapp in Sandbox mode?
Or just give them a full-blown VM with an installation of XP and nothing else.
Set up the physical network interface so that only the VM uses it, and use virtual interfaces to route from the host OS to the VM and then out to the network.
You can run a NAT firewall (XP's connection sharing might be good enough) on the VM.
If you are feeling ultra-paranoid you could install typical applications in there too, like MS Office, etc. So if they look at everything on the VM it will look like a regular college-kid computer, but unless they are really smart they will never know that the "real" computer is just using the VM to NAT out to their network.
Re:Another solution that hasn't been suggested yet (Score:3, Informative)
Except that the link in TFA for the CSA clearly says "Remove Network Bridging" which would include Internet Connection Sharing.
Re:Solution For College's Bad Network Policy? (Score:3, Informative)
A technical solution that "gets around" it will most likely get you suspended; it's happened before:
http://it.slashdot.org/article.pl?sid=07/04/27/203232 [slashdot.org]
(and a good friend of mine who was a professor also was denied tenure over this incident). Sadly IT at universities tends to be a little kingdom of people who think they are more important than everything else going on - in fact, this isn't just at universities...
The best thing you can do is go to the dean of the school you're planning to attend and say, "gee, I was really looking forward to attending your university, but I will not attend if I have to install this monitoring software to use the network.".
Deans care a whole lot about enrollment numbers and having good students and if they are going to lose good student due to a stupid policy, there will be pressure to alter the policy or at least grant an exception.
Good luck.
Re:Solution For College's Bad Network Policy? (Score:3, Informative)
You probably think that's funny, but I applied to and got accepted to Central Michigan University in 2001 and decided not to attend because of a bad conversation with a sysadmin where he told me students should not have the ability to host any type of content. I went to (relatively) neighboring Grand Valley State University (gvsu.edu) instead, and I'm glad I did.
Re:Solution For College's Bad Network Policy? (Score:3, Informative)
Which appears to require MS Windows.
Given the classically high rate of computer infection among teens, this could make sense for the school administration. Of course, it might be easier if they just required everyone to get a Mac.
Re:Solution For College's Bad Network Policy? (Score:3, Informative)
I didn't major in CS, but all of the classes I took, except for the first intro sequence class (which was DrScheme on OSX because the lab was larger), were run from the standpoint of Linux (the lab machines ran Debian but a lot of people went for their own installs or made OSX work for some stuff).
The classes I took started in Scheme (Common Lisp would have worked but DrScheme was a good teaching environment). They then pushed into C with some bash stuff thrown in occasionally. The systems class was (obviously) done in C. Other sequences threw in Python at some point and my understanding was that the later classes were open to language choice for the most part (your group has to agree on something, and the professor may provide code samples in Java but as long as you could do the projects, you should be fine).
As to art... I just finished an art class where most of my final project was conducted through an ssh terminal on one of those aforementioned Linux machines (I had need for both the dual Xeons and the gigabit academic connection vs my eeepc and cable modem). The project ended up involving a bunch of coding in Python on the data end and Processing (a Java extension for artists) on the display/rendering side.
I haven't once seen .Net in use and I am still not entirely sure how one properly writes a program for windows since c:\gcc gets an unrecognized command
It's Bradford Campus Manager (Score:1, Informative)
Looking at the link the OP provided, his school is using Bradford Campus Manager as its NAC solution. Having used the product myself, I can tell you a few things about it.
1. If your school has the latest release, the agent runs on Windows/Mac and Linux. So using Linux will not get you around it.
2. The agent scans for antivirus, antispyware and patch level compliance for the OS. It also has the capability to scan for a certain process or registry key. Most deployments only make use of the first 3 functions. The administrators have no ability to look at your documents using the agent. There is no feedback from the client to the admins beyond what it's scanning for.
3. The agent includes a messaging feature which is pretty useful actually. It allows the admins to send messages to any and all agents on PCs connected to their network. They could make use of that to let you know when the network is going down or for an emergency alert system, like an armed intruder on campus.
There is no reason to be paranoid though. I used to run this solution on my campus for a year (we stopped because the remediation process is via VLAN switching, which can be cumbersome) and it's one of the less intrusive NAC solutions that a university can deploy. A lot less intrusive than Cisco Clean Access, for example.