Skip to main content Skip to navigation
Washington State University
Information Technology Services

Role-Based Networking

What is Role-Based Networking?

Role-based networks are small networks that are built to serve a specific function or set of users, as compared to large, general-purpose building networks. Role-based networks are helpful to simplify firewall Access Control Lists (ACLs), manage customer devices, and in some cases, to segment network traffic.

What types of Role-Based Networks are currently available?

  • Role-Based VPN services (available 6/10/2020)
  • Role-Based wired networks (available 9/1/2020)
  • Role-Based wireless networks (available 7/1/2021)

What is a Role-Based network service?

Role-based network service creates a small network that only your customers land in.

For VPN and wireless role-based service, access is managed by an AD security group within your Business Unit’s OU that controls which of your customers can access your services. Once users are added to your security group for your role-based network, the user will obtain an IP address in your role-based network.

For wired role-based service, access is controlled at the jack level. Only jacks designed by you are moved to the new VLAN.

What are the technical details for the Role-Based network services?

  • /22’s, which support up to 1000 concurrent customers (Wireless only)
  • /23’s, which support up to 500 concurrent customers (Wireless only)
  • /24’s, which support up to 250 concurrent customers (VPN, Wired, and Wireless)
  • /25’s, which support up to 120 concurrent customers (VPN, Wired, and Wireless)
  • /26’s, which support up to 60 concurrent customers (VPN, Wired, and Wireless)

Each role-based network will be in private IP space and will have a dedicated NAT IP. The private client IP will be within your role-based network, and outbound traffic will NAT using your dedicated IP address.

Role-based networks utilize DHCP. DHCP reservations can be made for wired and wireless clients only. Access can be delegated to the unit to manage the role-based network IP space allocated to the unit.

DHCP reservations are not available for the role-based VPN service.

What are the current restrictions on Role-Based network services?

We are currently limiting role-based network service to requests that segment users along high-level organizational boundaries (i.e., Area and Department) or to support those users and systems subject to external audit requirements. Once these initial needs are met, we will expand the service to support more granular networks.

Additionally, if ITS runs low on available networks, ITS reserves the right to re-assign networks whose 12-month rolling average usage of IP addresses drops below 25%.

Finally, ITS will never resize a role-based network. If a new network size is needed, ITS will allocate a new network.

How do I submit a request for a Role-Based network service?

To request a role-based VPN service, complete the Role Based Network Request form with the following information:

  • The Canonical Name (CN) of the security group in your OU that you wish to use to manage authorized users of your role-based network (VPN and wireless only)
  • The size of the network you are requesting (options are listed below by service offering)
    • Role-Based Network ServiceNetwork Size Options
      VPN/24, /25, /26
      Wired/24, /25, /26
      Wireless/22, /23, /24, /25, /26
  • The name of the Business Unit or audit control group that is being served by the network (e.g., College of Business or Office of Research PCI Users)

What do I need to be aware of when using the role-based network service?

Firewall rules that allow your customers access to services will need to be updated to reflect the new range of IP addresses.

Information Technology Services


Send General Requests to

Individuals wishing to access WSU resources via VPN who have a Friend ID, including visiting scholars, vendors, and other WSU associates, please continue to use the Cisco SSL/VPN as shown below. All current students, faculty, and staff please use the GlobalProtect tools for Mac or Windows that are available via the links above.

Washington State University offers SSL VPN access for those departments and users that require secure remote user access to specific, restricted university services and data. The SSL VPN service provides authenticated and encrypted access to resources such as the administration of departmental servers, administrative systems and applications, and/or systems that house sensitive information.
The SSL VPN service uses the Cisco AnyConnect client over SSL (Secure Socket Layer). Use of the WSU SSL VPN service requires the installation of the Cisco SSL VPN AnyConnect Mobility client. Users are able to manually download and install the mobility client for desktops and laptops from the following location: SSL VPN Client Download.

(Users of mobile devices, tablets, etc. will need to download AnyConnect Mobility clients from their local app stores, as these are not provided by WSU.)




  • All sponsored contractors, vendors, guests and any others (including 3rd parties) requiring remote access

Currently Supported Operating Systems

  • Windows 7, 8, 8.1, and 10 (32 and 64 bit)
  • Mac OS X 10.8, 10.9, 10.10, and 10.11
  • Ubuntu 12.04 (LTS), 14.04 (LTS) (64 bit only)
    (other linux distributions may work as well but are untested)
  • RedHat Linux 6 and 7
  • And many smartphones or tablets


The SSL VPN service allows secured communication from remote sites to the WSU campus. The SSL VPN service establishes a split tunnel that will route traffic intended for WSU over a secured link and provide a separate path for all other traffic via the local service provider’s internet connection.
Examples of where the SSL VPN service are required:

  • Where secure communications to restricted information at WSU is needed
  • At home or traveling and needing access to secure WSU services
  • Administrators at WSU who need secure remote communications to their on-campus equipment and services

Examples where the SSL VPN service is not required:

  • Applications that are in use by a large number of users
  • Applications that have little to no access restrictions


  • The WSU SSL VPN service can only be initiated from networks off the Pullman campus.
  • Custom Active Directory attributes are created for SSL VPN users upon registration. Faculty, staff, student or third party individuals are granted access to the SSL VPN service if they have a current active status with WSU. These attributes are systematically reviewed and updated daily.
  • Users will authenticate with their WSU NID or FID.
  • WSU reserves the right to remove users from the SSL VPN users group. Users who have been removed and later determine they need access may request through Coug Tech that they be given access again.

Security Notes

  • Active SSL VPN connections must never be left unattended.
  • Always disconnect an active SSL VPN connection when finished with a session.
  • Connections that remain idle (no interaction) for 30 minutes, will be automatically disconnected.
    Login again to reconnect.
  • WSU recommends the use of local host firewalls for enhanced security.
  • Computers should have the latest service packs, critical updates, and security patches before connecting to the SSL VPN.
  • Anti-virus software must be enabled with up-to-date virus definitions installed.

Procedures to Connect

  1. Make sure your system satisfies the SSL VPN operating system and browser requirements
  2. Complete the Mandatory one time self-registration
  3. Connect to the WSU SSL VPN Service
    1. Follow prompts for one time client installation

SSL VPN Client Download for pre-installation on appropriate systems.


The WSU SSL VPN service will provide users secure and encrypted access to restricted WSU resources when connected to the internet from outside of the domain. SSL VPN is intended to provide authenticated/encrypted access to restricted resources. Users who access WSU resources via the SSL VPN are subject to the same policies as users within the domain.


All parties as delineated under Audience are required to comply with this policy.Note that all network activity while connected to the traditional or SSL VPN is subject to the University’s normal acceptable use policies.

Individuals who discover or strongly suspect the violation of this policy must promptly notify the IT Security Office at
509-335-HELP(4357) (8:00am – 5:00pm) or

OS Requirements & Client Download Information


SSL VPN Client Download & Set-up

Mobile Requirements

iPad Air7.0 or later
iPad 26.0 or later
iPad (3rd generation)6.0 or later
iPad (4th generation)6.0 or later
iPad mini6.0 or later
iPad mini (with Retina display)7.0 or later
iPhone 3GS6.0 - 6.1.6
iPhone 46.0 - 7.1.2
iPhone 4S6.0 or later
iPhone 56.0 or later
iPhone 5C7.0 or later
iPhone 5S7.0 or later
iPhone 68.0 or later
iPhone 6 Plus8.0 or later
iPod Touch (4th generation)6.0 - 6.16
iPod Touch (5th generation)6.0 or later
ATT Tilt 3.57.502.2 WWE  Note: TouchFLO must be disabled.Windows Mobile 6.1 Professional
Axim X51v with ROM: A03 (23092007Windows Mobile 6.0 Classic
HTC Touch ProWindows Mobile 6.1 Professional
HTC TouchWindows Mobile 6.0
HTC ImagioWindows Mobile 6.5
HTC Tilt 2
HTC TyTNWindows Mobile 5.0
iPAQ 2790Windows Mobile 5.0 PocketPC
Palm Treo 700wx: Windows Mobile 5.0+AKU2 PDA Phone
Sprint TREO 700WX-1.15-SPNT
Palm Treo 750: Windows Mobile 6.0 Professional
AT&T TREO750-2.27-RWE 
AT&T TREO 750-2.25-ATT 
T-Mobile TREO750-2.27-RWE
Palm Treo 800-Sprint Treo 800w-1.03-SPNTWindows Mobile 6.1 Professional
Palm Treo Pro: Windows Mobile 6.1 Professional
AT&T T850UNA-1.01-NAE 
Sprint T850EWW-1.03-SPT 
T-Mobile T850UNA-1.01-NAE
Samsung Windows Mobile 6.1 Professional
Epix SGH-i907 
Omnia SCH-i910 
Saga SCH-i770
Samsung Omnia Pro 4Windows Mobile 6.5
Sprint Touch with ROM: 3.03.651.4 Windows Mobile 6.1 Professional
Note: TouchFLO must be disabled.
T-Mobile Wing 4.26.531.1 WWEWindows Mobile 6.0 Professional
Verizon XV6800 with ROM: 1.00.00.H: Windows Mobile 6.0 P
Verizon 2.09.605.8 
Verizon 3.57.605.1

Workstation Requirements

Operating SystemRequirement
WindowsSystem RequirementsPentium class processor or greater
100 MB hard disk space
Microsoft Installer, version 3.1
Windows 7, 8, 8.1, and Windows 10 x86 (32-bit) or x64 (64-bit)
Internet Explorer 6.0 is no longer supported
Cisco will not offer Windows XP and Vista as a supported operating system for present or future AnyConnect releases.
AnyConnect is not supported on Windows RT. There are no APIs provided in the operating system to implement this functionality. Cisco has an open request with Microsoft on this topic.
Mac OSOS RequirementsMac OS X 10.8, 10.9, 10.10 and 10.11
Max OS X Support Notes
Mac OS X 10.5, 10.6, and 10.7 are no longer supported by Cisco.
AnyConnect requires 50MB of hard disk space.

To operate correctly with Mac OS X, AnyConnect requires a minimum display resolution of 1024 by 640 pixels. Mac OS X 10.8 introduces a new feature called Gatekeeper that restricts which applications are allowed to run on the system. You can choose to permit applications downloaded from:
Mac App Store
Mac App Store and identified developers
The default setting is Mac App Store and identified developers (signed applications). AnyConnect release 4.1 is a signed application, but it is not signed using an Apple certificate. This means that you must either select the Anywhere setting or use Control-click to bypass the selected setting to install and run AnyConnect from a pre-deploy installation. Users who web deploy or who already have AnyConnect installed are not impacted. For further information see:
LinuxOS Requirements
x86 instruction set.
64-bit processor.
32 MB RAM.
20 MB hard disk space.
Superuser privileges are required for installation.
libstdc++ users must have or higher, but below version 4.
Java 5 (1.5) or later. The only version that works for web installation is Sun Java. You must install Sun Java and configure your browser to use that instead of the default package.
zlib - to support SSL deflate compression
xterm - only required if you're doing initial deployment of AnyConnect via Web launch from ASA clientless portal.
gtk 2.0.0.
gdk 2.0.0
libpango 1.0 or a compatible build such as package pangox-compat-0.0.2-2.el7.x86_64.rpm or pangox-compat-0.0.2-3.fc20.x86_64.rpm
iptables 1.2.7a or later.
tun module supplied with kernel 2.4.21, 2.6
Web based installation of the sslvpn client utilizes either ActiveX (with IE) or Oracle Java to download and install the clients. Because of the numerous security issues that Java and ActiveX poses, it is highly recommended that users download the clients from the following web page and manually install them and not have to deal with Java or ActiveX.



Installation Instructions for Windows, WinMobile, iPad, iPhone, OS X Linux, Ubuntu


Remote Desktop Instructions for Win, Mac, Linux, OS X to Win RDP, Win to Linux RDP