This role is assigned to devices that must be on the network but cannot be adequately managed by Ohio State IT (Information Technology) staff. These devices are often unable to comply with one or more Information Security Control Requirements (ISCR). Permission must be obtained before a device is placed into this network role. Devices include workstations with unsupported and unpatched operating systems, research instrumentation, and other non-compliant endpoints. (An example would be a Windows 7 workstation that cannot be patched without voiding a vendor warranty for a connected microscope.)
Network role at a glance:
- Wired connectivity only; no Wi-Fi option is available
- Public IP addressing
- DHCP reservations are not supported; dynamic DNS is used instead
- Heavily restricted inbound and outbound traffic allowances
- Traffic between exception devices is not permitted
- Requires a documented exception approved by OTDI’s Infrastructure Risk Management team
Network Role Characteristics
Aliases for this role include:
- Exception
- Non-compliant
- osu-exception
Network Traffic Permissions
Outbound traffic is limited to:
- Ohio State destinations using DUO with DNS firewalling
- CrowdStrike
- Microsoft OneDrive
- Tenable
- Explicit rules as needed to specific destination addresses
Inbound traffic is limited to:
- Remote access tools (e.g., Guacamole, RDP gateway, etc.)
- Explicit rules as needed from specific source addresses
How to connect
OTDI Infrastructure Risk Management staff must register a device’s wired MAC address, as permission to register devices for this network role has been limited. OTDI will review each request and perform a risk assessment. If the assessment passes, OTDI will first verify that an approved control requirement exception record exists. Following exception record verification, OTDI will register the device(s) on behalf of the requester.
Once registered, connect the device to a wired port on OTDI’s Managed Network Service.
IP (Internet Protocol) Addressing
- Devices placed in the exception role are assigned to publicly routable IP address space. All IPv4 addresses are dynamically assigned through DHCP, and address reservations are not supported. IPv6 addresses are not currently supported for this network role.
- After an endpoint receives an IP address, the campus DHCP service will dynamically create a DNS A record for it in the DNS zone exception.role.it.osu.edu. For example, an endpoint with hostname “smith123456” would have the DNS record smith123456.exception.role.it.osu.edu. If the endpoint has no configured hostname, the MAC address of the device will be used instead.
Additional Information for IT Teams
Requests for devices to be placed in this role should be submitted via the IT Service Desk. OTDI’s Infrastructure Risk Management team will review the request and, if approved, fulfill the request by completing the following:
- Verify that an exception record exists in ServiceNow and has been approved
- Log in to MyDevices with your administrative account (name.#a)
- Choose OSU Exception for the network role when registering the MAC address of the device