Here is a collection of troubleshooting steps we've compiled to help with wifi issues that we've seen after csu-net. These can also be found on the Helpdesk Wifi FAQ page. The site also explains how to forget a network.
1.) Try different locations on campus. Some locations have poorer connection than others.
2.) Check with others to see if there appears to be a wifi outage. You can also see if there are any outages on the System Status Notification site.
3.) Forget csu-net, restart your device, and try to connect again.
4.) Use the manual configuration found on the wireless FAQ where applicable (mostly Android phones, Chromebooks, and Linux).
5.) Go to eid.colostate.edu. Under "Modify your eID", select "Show My Information" and log in WITHOUT using autofill. If you're unable to log in, reset your password (instructions are found here).
6.) Forget the csu-eid and csu-guest networks.
7.) Make sure your computer is up-to-date. The following versions are not able to use csu-net:
MacOS: High Sierra or below.
Windows: Windows 8 or below.
If your Chromebook does not have an option to enter a domain suffix name, it is incompatible.
CSU-EID is being replaced by CSU-NET. It is currently available around most of campus, including the Morgan Library. Here are the important points:
Try forgetting the network so that the user is prompted for their credentials again. If someone just changed their eID password they may have issues connecting to the network.
Try running the XPressConnect Utility.
Try setting up the network profile manually. There are instructions for Windows 10 lower on this page. The required parameters are also located on this page. if the option for PEAP is missing check out this support forum.
Make sure the computer is not using static IP or DNS settings.
Try flushing dns settings and resetting the winsock. This can be done with the following console commands:
ipconfig /flushdns
netsh winsock reset
Try resetting the TCP/IP stack you can either use this fix it tool or do it from command line:
netsh int ip reset resettcpip.txt
Make sure that the computer and the network driver are both up to date.
Try forgetting the network so that the user is prompted for their credentials again. If someone just changed their eID password they may have issues connecting to the network.
Try running the XPressConnect Utility.
Try setting up the network profile manually. The only settings needed to do this on a mac are:
Network Name: csu-eid
Security: WPA/WPA2 Enterprise
Username: eName
Password: eID password
Make sure the Mac is not using statically defined IP or DNS settings
Try changing the location setting. The location setting stores network preferences so creating a new location may allow you to connect to a network.
Make sure there are no old 802.11x profiles. Profiles can found in System Settings>Profiles. Delete all of them and then add the profile and user credentials again using the XPressConnect Utility.
Make sure the computer is up to date.
Try running Onyx. Onyx clears a lot of different system caches and some networking issues can be caused by a cached item.
We do not offically support Linux but we can try to help out if we have extra time.
You can try using the XPressConnect Utility but it is not supported by all Linux distributions.
Most Linux distributions will have a network manager with a user interface that you can use to create a network profile for the csu-eid network. Normally you can just right click on the networking icon on the task bar and select an "Edit Connections" option. From there, you will be able to set up the network profile for csu-eid. Just make sure all the the security settings are correct in the profile.
SSID: csu-eid
Security type: WPA2 Enterprise
Encryption type: AES
Authentication Method: Protected EAP (PEAP)
Phase 2 Authentication: MSCHAPV2
The AddTrust certificate can be downloaded from here. Save it to a location on the computer where it will not be deleted and add it to the network profile.
The Eduroam network is a network that allows anyone from CSU or another participating institution to connect to it using their own account information. This is very convenient when a professor from another university is visiting CSU they can connect to eduroam using their own account credentials, we do not have to give them an eID or a guest account. The eduroam website has automatic configuration tools for CSU and many other universities.
To configure the eduroam network:
Go to https://cat.eduroam.org/ and click "Download your eduroam Installer" at the bottom.
Find CSU in the list of institutions.
Download and run the autoconfiguration tool.
Have the user sign in with eName@colostate.edu as the username and eID password as the password.
If you are helping a user from another University you will need to run their universities installer and have them sign in with their university credentials.
*Update* Here are some new details from NOC on eduroam:
From the GlobalProtect FAQ: https://www.acns.colostate.edu/security/
CSU provides secure off-campus access to on-campus resources via the GlobalProtect gateway, also known as a Virtual Private Network (VPN). GlobalProtect VPN provides a secure and encrypted tunnel between your device and the CSU network that enforces the use of recent, more secure operating system versions. The VPN is reachable via the GlobalProtect desktop client or via the web interface (Fort Collins: gateway.colostate.edu | Pueblo: pueblogateway.colostate.edu).
GlobalProtect replaced Pulse Secure in early Summer of 2022.
The AAR sites no longer need the VPN, and using the VPN while on the sites may cause problems. Have the user attempt to access the site without a VPN.
ACNS provides fiber circuits to some construction trailers around campus. This is typically a CenturyLink service that terminates in Glover and we extend our campus fiber to the trailer so that Century Link (or whoever) can provide Internet service.
As part of that service we must provide support if a networking issues is deemed a problem with the CSU fiber infrastructure. If an issue is reported it will likely be called in as some "networking problem" by some non-CSU entity and we just need to escalate these issues to NOC. There is a specific request type for these issues called Network and Security -> Fiber Break or Problem. When escalating these tickets use this form in the Request Detail:
Contact Full Name:
Contact e-mail:
Contact cell #:
Address of problem:
Description of problem:
When was it confirmed to last work properly?
Be sure to save and email the ticket once it is filled out. NOC needs to respond to these fiber issues in a limited amount of time so we need to make sure the tickets are escalated in a timely manner.
CSU uses DUO Mobile for Two-Factor Authentication. There's an extensive set of video and .pdf guides on the Division website (https://www.acns.colostate.edu/duo/) that people can use to set up DUO for the first time. Staff should be familiar with this, and have gone through the process themselves as students. The DUO section of this site has information on administrating DUO.
To give a brief overview, a new user registering with DUO for the first time will visit the eID website (https://eid.colostate.edu/eIDModify/twofactor.aspx), choose DUO Self-Service in the Modify Your eID menu, log in, and register a 2FA device for the first time. The DUO Mobile App is strongly recommended, and to activate this, users will scan the eID site's generated QR code using DUO Mobile.
After initial setup, users cannot add or change a device without access to a previously registered one. In this case, or in the event of needing another account change like a bypass code or lockout change, we will need to verify their identity and make the necessary changes in DUO Admin. 2FA is vital to information security, and it is very important to follow our policies and procedures.
For issues that we are not able to solve, the Division security team can help. Use the escalation form on this page to submit a ticket, and include as much troubleshooting data as possible, including any changes or observations made in the DUO admin panel.
The following devices can be registered for 2FA:
There is a FAQ page hosted in the DoIT site that will be continuously updated. Here is a collection of random information that may be useful:
If the Duo app is not activating after a user scans the QR code the best thing to do is to just set up the account again. You should be able to verify if the app is activated by looking at the Registered Devices table and seeing if the "Activated" column is set to True. To reset up the account again delete the device from the Registered Devices table, go into the device all clear the cache and local storage for the Duo app. Once that is done, go through the setup process again to activate the device.
Make sure the user is not holding the token upside down. The codes generated when the token is upside down may look like alphanumeric codes. Check to make sure the token is registered to the user's account. The tokens can get out of sync if the button is pressed too many times without a login occurring. If the token is out of sync follow the token resync instructions on this page.
If users try to go to https://www.authenticate.colostate.edu/ they will receive a certificate error message because of the way that site is redirected. If this happens just tell the user to go to www.acns.colostate.edu/duo.
For clients who do not have a DUO-ready device accessible (i.e. Individuals leaving the country or other extraneous circumstances) and are requesting DUO bypass codes, verifying their identity is crucial. Ask the client for their recovery email address and eName, and send these to a full-time employee to check that they match in eIDAdmin.
In instances where the client's phone cannot receive data (often we see this with international numbers) but can receive wifi, we can send the normal DUO activation link through email after verifying their identity. Remind the client to open the link with the phone the activation link was intended for, as trying to open it with a computer, or with another mobile device can cause errors.
If there is an issue that needs to be escalated the problem will need to be sent to the security team (SOC) using the Networking, Security & Wireless request type.
For issues where we have to alter a user's account in any way to give them DUO access, you must verify the user's identity before making any changes. This includes unlocking an account that has reached the auto-lockout threshold, generating a bypass code, or adding/re-adding an authentication method. Make sure that in any of these cases, there is no other option for authentication. DUO's entire purpose is security, so we take this very seriously. You can verify a user's identity in the following ways:
When Duo first prompts, the default device will be the first device the user registered. If they want to change that device or change the order the devices show up we will have to modify the device list in the DUO Admin Console. Just sign into the Duo Admin Console, click on the Users link on the left hand side, search the user's eName to find their account. Once on the account page scroll down to the phone list then simply drag and drop the devices to rearrange them.
Note: This will also change the alias for the device which is what needs to be typed into the GlobalProtect client to initiate a phone call or push notification.
Users will be auto locked out after 10 consecutive unsuccessful attempts to login to DUO. You can see all locked out users on the right side of the Duo Admin Console:
Click on the number to see a list of all locked out users.
If a user on this list is calling, view their user account on Duo to try to figure out why they were locked out and make sure they know why. Once you know you can unlock their account by going to their account page and changing the status from Locked Out to Active:
If a user has been locked out multiple times please notify a manager.
Bypass codes are pre-generated codes that will allow a user to authenticate past Duo without an app, phone, or hardware token. They will only be used in special cases, like when a user is traveling and cannot use their phone or purchase a hardware token.
We can provide Duo bypass codes in the following cases:
Bypass codes are temporary solutions and generally shouldn’t be used for the long term.
Before creating a bypass code in Duo, we need to authenticate the user by verifying their recovery email.
We’ll typically need to change the default settings for generating the bypass code as the user will likely need it for longer than 1 hour. To do this click on Change Options before step 4 and customize accordingly.
We set the expiration time in minutes and usually we allow the bypass code to be reused an unlimited number of times during that time frame. We determine the minimum time frame to have the bypass code active with the user on a case-by-case basis.
Once the code has been generated follow up with the user, tell them the code and how long it’ll be active.
All helpdesk staff are able to resync a hardware token and can do so for remote users.
You will know a token is out of sync if the codes it is generating are not working, the user is not holding the token upside down, and the token's serial number is listed under the user's profile in the Duo admin console.
In order to resync a hardware token log into the DUO admin console. Click on Users, on the right hand side and search for the user by typing in their eName. Click on the user to view their Duo user account. Scroll down to view all of the listed hardware tokens:
Click on the Serial Number of the hardware token to view the details of that token. Click on the Resync Token button in the top right:
Have the user generate 3 codes and enter them in the order they are generated. After you click the resync button the token should be synced.
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."
Link to the EU site regarding GDPR: https://www.eugdpr.org/
Because this is an EU law, the United States does not have to follow these guidelines. However, companies that do business with EU citizens will have to abide by the policy in some form or fashion or risk legal action.
With this said, CSU is working on a policy to handle data removal requests from EU citizen who are affiliated with the university in some capacity.
We may get emails in our Tech Support queue from individuals requesting their email or personal information be removed from CSU databases. We ultimately want to get these tickets to the SOC so they can handle the data removal if there is any. For the time being, we will categorize the ticket as Helpdesk > Refer to other. Fill out an escalation form like below then put soc@colostate.edu in the CC box. Make sure it's checked before hitting save and email. SOC will get an email with the details and they can take it from there. It should be okay to close the ticket. If SOC has any questions or concerns, they will reply to the ticket and reopen it.
It would be beneficial to search for the client in eID admin before escalating the ticket to check whether or not said client is affiliated with the university. Companies in the EU are getting a lot of phishing/spam emails that request user data to be removed even when they haven't done business with them.
The security group is involved in many different parts of DoIT services. The main services they specifically support are the border firewall (with NOC), the VPN (GlobalProtect/gateway.colostate.edu, previously Pulse Secure/secure.colostate.edu), and the Two-Factor Authentication system (DUO). Information about the Security group/Security services can be found here.
We should always escalate to Level 1 of Networking and Security, using the following escalation form:
Client Name:
Contact Info:
eName:
Status: Pending
Issue:
Escalation: SOC
Staff Members:
Be sure to include as much information about the issue as possible as well as the troubleshooting steps you have already taken. This should include steps like:
If it is a wireless issue get the Wireless M.A.C. address of the computer experiencing issues with the network. Make sure that it is not a network profile issue or just an issue with only one computer.
If it is a wired internet issue get the ethernet port number (they should all be labeled) and the ethernet M.A.C. address on the computer. Make sure that they have confirmed that the data jack has been activated through Telecom and that the jack isn't working with other computers as well. You should ask the local subnet manager to take a look at the port. The list of subnet managers can be found here (wsnet2.colostate.edu/cwis24/acns/SubnetManagers/NetworkList). There may be an issue with the switch the port is hooked up to. If all of that has been checked then you can escalate a ticket to NOC.
