©2013 Avaya Inc. All rights reserved February 26-28, 2013 | Orlando, FL

How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise


#AvayaATF @shmulik247

Shmulik Nehama, Identity Engines Portfolio Leader, Avaya


The Beginning of Time…


Then came this…


Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.

• Android apps: 700 000
• iPhone/iPad apps: 700 000
• Tablets in 2012: 119 000 000
• Smartphones in 2011: 491 000 000
• Smartphones in 2012: 686 000 000
• Social Media Users: 1 200 000 000

Tablet market $45B by 2014 – Yankee 2011

50% Enterprise users interested in or using consumer applications – Yankee 2011

Smartphone app revenue to triple by 2014 – Yankee 2011

…Anyone here still using a flip phone?

YES pls do bring your own iPad
YES pls do you are welcome to use Wifi VOIP
YES pls do you are welcome to use virtual desktop
YES pls do you are welcome to do mobile collaboration

NO sorry you cannot bring your iPad
NO sorry you cannot connect outdoor
NO sorry you cannot do video conferencing
NO sorry you cannot bring your fancy laptop

It’s not about Saying NO…
It’s About Staying in Control!!

It is about a solution that combines control and flexibility!!


Users


Devices


BYOD Bring Your Own Difficulties


Your Difficulties are to find AC Outlets


Avaya Identity Engines: Key Value Points…

Vendor Agnostic
• Any Network
• Any User
• Any Device

Wired & Wireless
• Unified Access
• Centralized Policy

Guest Access
• Audit logs
• Self-service
• Sponsor / Front Desk

BYOD Access
• Device On-boarding
• Device Fingerprinting
• non-802.1x access

Avaya Identity Engines: Key Value Points…

Granular Policy Engines
• XACML (eXtensible Access Control Markup Language)
• Local User and Device Store
• Flexible RADIUS VSAs (Vendor Specific Attributes)

Directory Federation
• All major directory servers
• AD, RSA, LDAP, eDirectory
• Identity Routing

High Availability
• Active - Active
• Active - Standby

Virtual Appliance
• All software solution
• VMware ESXi
• Windows applications

Avaya Identity Engines: Key Value Points…

Simple and affordable licensing
• Network Size License: LITE, SMALL, LARGE
• Feature License: TACACS+, Posture, Guest Manager, Access Portal & CASE Wizard, Analytics
• No per user license
• No per device license

Identity-based Access Control… with Identity Engines

Identity Engines Role-based Access

Case 1: Employee with corporate laptop

IF (identity = HR employee)
AND IF (device = corp laptop)
AND IF (medium = wired)
THEN GRANT FULL ACCESS

Case 2: Employee with personal iPad

IF (identity = HR employee)
AND IF (device = personal iPad)
AND IF (medium = wireless)
THEN GRANT LIMITED ACCESS

Automating network access has direct impact on reducing cost of change

Each access port is not assigned until a user/device attempts access. Once authenticated & authorized, user/device is granted appropriate access level.

MAC address lookup:
• Ignition Server local store
• Manual input
• Wildcards (e.g. Avaya IP Phones 00:04:0d* and Cisco IP Phones 00:15:62*)
• Import CSV file with list of MAC address and other device attributes
• Access Portal auto-populate
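The two IF/AND/THEN cases from the role-based access slide and the wildcard MAC lookup above, combined in one added example (not Avaya's code or an Ignition Server configuration). The group names, the exact-match store entries, the device-only phone rule and the default-deny fallback are assumptions of this example; only the two wildcard prefixes and the two cases come from the slides.

```python
import fnmatch
import re
from dataclasses import dataclass

# Device store, most specific entry first. The two wildcard prefixes are the
# ones quoted on the slide; the exact-match entries and all group names are
# constructed for this example.
MAC_STORE = [
    ("00:11:22:33:44:55", "corp-laptop"),
    ("a4:5e:60:00:00:01", "personal-ipad"),
    ("00:04:0d*", "avaya-ip-phone"),
    ("00:15:62*", "cisco-ip-phone"),
]


@dataclass(frozen=True)
class Rule:
    identity: str   # "*" matches any identity (device-only authentication)
    device: str
    medium: str
    outcome: str


# Cases 1 and 2 from the slide, plus a hypothetical device-only rule. A prefix
# match identifies a vendor range, not one device, so the rule it feeds grants
# a narrow outcome rather than full access.
POLICY = [
    Rule("hr-employee", "corp-laptop", "wired", "FULL ACCESS"),
    Rule("hr-employee", "personal-ipad", "wireless", "LIMITED ACCESS"),
    Rule("*", "avaya-ip-phone", "wired", "PHONE ACCESS"),
]


def normalize_mac(mac: str) -> str:
    """Accept 00-11-.., 0011.2233.4455 or 00:11:.. and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_device(mac: str) -> str:
    """Map a MAC address to a device group; first matching store entry wins."""
    normalized = normalize_mac(mac)
    for pattern, group in MAC_STORE:
        if fnmatch.fnmatchcase(normalized, pattern):
            return group
    return "unregistered"


def decide(identity: str, mac: str, medium: str) -> str:
    """Evaluate identity AND device AND medium; no matching rule means DENY
    (default deny is an assumption of this example)."""
    device = lookup_device(mac)
    for rule in POLICY:
        if (fnmatch.fnmatchcase(identity, rule.identity)
                and rule.device == device
                and rule.medium == medium):
            return rule.outcome
    return "DENY"
```

The same employee on the same corporate laptop is denied on wireless here because no rule covers that combination, which is the behaviour the three-way AND implies.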

[Diagram: device types connecting to the Enterprise Network: IP Phone; Visitor or Business Partner; Personal Machine; Corporate Desktop; Network Printer; Network Device; Wireless Access Point; Surveillance Camera; Fax Machine; Medical Device; Local Server/App; Guests & Guest Devices]

Identity Engines: Authenticated Network Architecture

[Diagram labels: Network Abstraction Layer; Directory Abstraction Layer; Reporting & Analytics; Posture Assessment; Guest Access Mgmt; Identity Engines; Access Portal; CASE Wizard; Policy Enforcement Point; Policy Decision Point; Policy Information Point]

Identity Engines: Authenticated Network Architecture

Identity Information Sources:
- Active Directory
- Novell eDirectory
- Sun Directory
- Oracle Internet Directory
- Generic LDAP
- Kerberos
- RSA SecurID
- Token Based Services
- RADIUS Proxy

[Diagram labels: Corporate Resources; Wireless; VPN; Firewall; Wired; Ignition Server; Ignition Analytics; Ignition Guest Manager; Ignition Access Portal; Ignition Dashboard]

Identity Engines: Ignition Server

• Centralized, standards-based policy engine
• Vendor Agnostic
• Highly-available AAA appliance for identity-based network access control
• RADIUS integration with all enterprise network equipment
• Quick and deep integration with major directories
• Detailed logging and troubleshooting capabilities
• Hitless upgrades where appropriate
• VMware virtual appliance with support for VMware ESX(i)

Ignition Dashboard: Access Policy

Access Policy = Authentication Policy + Identity Routing + Authorization Policy & Posture Policy

Ignition Dashboard: Detailed Logs

Identity Engines: Guest Manager

Guest Manager is a Web-based application that manages temporary network accounts for visitors.

Provisioning/de-provisioning in 10 sec

Front-desk or Guest Self-service

Activation options
• Immediate activation
• Future activation
• Account duration time
• Activate on first login

Choose any access method to implement: Wireless, Wired, and VPN
• Track Users: Guests, Consultants, Contractors
• Complete detailed logs

Identity Engines: Guest Manager Administration

• Multiple Guest Managers may be deployed:
  • Against a single instance of the Ignition Server
  • Under a single Guest Manager license
• Authorization policies for guests are in the Ignition Server
• Guest Manager Administrator
  • Creates provisioners
  • Creates provisioning templates
  • Assigns provisioning templates to provisioners
• Guest Manager Provisioners
  • May be internal or external (i.e. on LDAP / AD etc.)
  • Single or bulk provisioning
  • Provisioners are frequently called sponsors because they sponsor guests.

Identity Engines: Guest Manager Administration

Administration
• Notification options
• Password complexity
• Password generation
• Username generation
• Users bulk load
• Expiration
• Activation

Identity Engines: Ignition Access Portal

• Serves as a Captive Portal for non-802.1x clients
• Unifies Wired and Wireless access
• Performs device fingerprinting
• BYOD On-boarding
• Hosting place for the CASE Wizard

Access Portal can be deployed for the following use cases:
• Access without 802.1x enablement
• Contractor & Employee Access with different modes of 802.1x enablement.
  − CASE Wizard hosting for Auto-configuration of 802.1x
  − iOS Profile file hosting (from Apple iPhone/iPad Configuration Utility)

BYOD On-boarding of managed and un-managed consumer devices attributes
• Device profiling
• Auto-registration
• Auto-updates

Identity Engines: Ignition Access Portal

Device Fingerprinting
• Access the Captive Portal on the IN interface for wired and wireless users
• User opens browser and enters corporate or guest account credentials
• User authenticated against Ignition Server
• If successful authentication, user session is inline through the OUT interface
• Upon successful authentication, Access Portal, if enabled, also performs profiling of user devices and sends device FINGERPRINT to the Ignition server
  − Devices Type, Devices Sub-Type, Device OS, Devices OS Version
  − New Avaya RADIUS VSAs are used for sending the device fingerprint
  − If trusted, Ignition server automatically creates a device fingerprint record

Attribute     Description                     Examples
ID            MAC Address                     00:11:22:33:44:55
OS            Operating System Type           Mac OS X
OS Version    Operating System Version        10_6_8
Device Type   Type of client device           Mobile
Sub-type      Sub-type of the client device   iPad

[Diagram: Access Portal with IN, OUT and ADMIN interfaces. Labels: User Devices; Wired; Wireless; HTTP Capturing; Device Profiling; RADIUS; Ignition Server]

Identity Engines: Ignition Access Portal

Multiple Access Portals may be deployed:
• Against a single instance of the Ignition Server
• w/single Access Portal license

Device Profiling
• Administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
• Device fingerprinting:
  − Devices Type, Devices Sub-Type, Device OS, Devices OS Version
  − Devices attributes are sent to the Ignition Server for registration and association with user

BYOD On-boarding
• Auto-register of Guest Visitor and Employee Guest devices
• Device profiling of registering devices
• Auto-association of devices with guest / employee records in Ignition Server
• Populating device records in Ignition Server with device profile attributes

Identity Engines: Ignition Access Portal

Employee with personal iPad will gain access with

Authorization Policy on the Ignition Server

Employee with personal Blackberry will NOT gain access with
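An added sketch of the profiling, registration and sub-type authorization steps from the Device Fingerprinting and BYOD On-boarding slides, ending with the iPad / BlackBerry outcome above. It is not Avaya's implementation: deriving the fingerprint from the HTTP User-Agent header, the regexes, the constructed sample headers, the `register` return values and the allow-list are all assumptions of this example.

```python
import re

# Constructed sample headers, modelled on common User-Agent formats.
IPAD_UA = ("Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26 "
           "(KHTML, like Gecko) Version/6.0 Mobile/10B141 Safari/8536.25")
BLACKBERRY_UA = ("Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) "
                 "AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 "
                 "Mobile Safari/534.11+")
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 "
          "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2")

# (pattern, Device Type, Sub-type, OS); checked in order, first match wins.
PROFILES = [
    (re.compile(r"iPad;.*? OS (\d+(?:_\d+)*) like Mac OS X"), "Mobile", "iPad", "iOS"),
    (re.compile(r"BlackBerry.*Version/(\d+(?:\.\d+)*)"), "Mobile", "BlackBerry",
     "BlackBerry OS"),
    (re.compile(r"Macintosh;.*?Mac OS X (\d+(?:[_.]\d+)*)"), "Desktop", "Mac",
     "Mac OS X"),
]


def fingerprint(mac, user_agent):
    """Build a record using the attribute names from the slide's table."""
    for pattern, dev_type, sub_type, os_name in PROFILES:
        match = pattern.search(user_agent)
        if match:
            return {"ID": mac.lower(), "OS": os_name, "OS Version": match.group(1),
                    "Device Type": dev_type, "Sub-type": sub_type}
    return {"ID": mac.lower(), "OS": "Unknown", "OS Version": "",
            "Device Type": "Unknown", "Sub-type": "Unknown"}


def register(store, owner, fp, trusted):
    """Create or re-check a fingerprint record keyed by MAC address.

    Returns 'ignored' (source not trusted), 'created', 'known', or 'mismatch'.
    The User-Agent is supplied by the client, so a known MAC that now reports a
    different device class or owner is reported and the stored record is kept.
    OS Version is not compared because it changes with normal upgrades.
    """
    if not trusted:
        return "ignored"
    existing = store.get(fp["ID"])
    if existing is None:
        store[fp["ID"]] = dict(fp, owner=owner)
        return "created"
    same = all(existing[k] == fp[k] for k in ("OS", "Device Type", "Sub-type"))
    return "known" if same and existing["owner"] == owner else "mismatch"


# Hypothetical authorization policy matching the slide: iPad yes, BlackBerry no.
ALLOWED_SUBTYPES = {"iPad"}


def byod_allowed(store, owner, mac):
    """Allow only a registered device, owned by this user, of an allowed sub-type."""
    record = store.get(mac.lower())
    return bool(record and record["owner"] == owner
                and record["Sub-type"] in ALLOWED_SUBTYPES)
```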


Identity Engines: Ignition Access Portal

Pages Customization
• Login page
• Success page
• Failure page

Identity Engines: Ignition CASE Wizard

CASE Wizard
• CASE = Client Access to the Secure Enterprise
• A transient application to automate configuration of managed and un-managed Windows devices:
  − Auto-config of 802.1x
  − Auto-config of MS-NAP
• Dissolvable application
• Revertible or permanent configuration
• Wired and / or Wireless

Network Profiles & Packages
• Set of network and security settings that define how a user connects to a particular defined network
• This profile is saved as an XML file and bundled into a CASE package, which in turn applies the settings to the user’s computer system


Identity Engines: Ignition CASE Wizard

Ignition CASE Wizard
• CASE Wizard package hosted on a customer internal web site or on the Access Portal
• Different packages may be created for different network connectivity needs
• Exit Behavior
  − CASE Wizard may be customized to either exit or reside in the System tray.
• Revert Settings
  − CASE Wizard may be customized to let the user revert the settings
  − Reverting is achieved by clicking the “Revert Settings” in the System Tray.

Identity Engines: iOS Devices

Apple configuration utility for iOS devices

Config profile contains settings:
• Passcode policies
• Restrictions on device features
• Wi-Fi settings
• VPN settings
• Exchange ActiveSync
• Credentials and keys
• More…

Ways to deploy config profiles
• Physically connecting to the device
• In an email message
• On a webpage
• Using over-the air

Identity Engines: BYOD Examples

Access Portal for IT registration of managed devices
• IT login w/Admin credentials
• Device attributes captured
• Associate device with Device Group in the Dashboard
• Handover device to employee
• Policy in Ignition Server handles access

Access Portal for Employee registration of un-managed devices
• Employee login w/AD
• Device attributes captured
• Config option with CASE for Windows or iOS
• Employee access via 802.1x or Access Portal

[Diagram labels: Corporate Resources; Wireless; VPN; Firewall; Wired; Ignition Server; Ignition Guest Manager; Ignition Access Portal (two instances)]

Real Life Avaya Use-case: Self-Service Guest Wi-Fi Access

Identity Engines R8.0

WiFi access as a self-service based on Identity Engines Guest Manager & Access Portal

Avaya Wi-Fi Guest Access Management

Live in Santa Clara & Basking Ridge campuses

Avaya WLAN Infrastructure

Option 1: Guest Self-service

Option 2: Employee sponsor

www.avaya.com/sponsor

Identity Engines: Resources

Product Management
• Shmulik Nehama
• Email [email protected]
• Office 408-496-3110
• Mobile 408-569-3635

YouTube Video
• http://www.youtube.com/watch?v=0ZrMOqzGMpE

30-Days Free Trial
• www.avaya.com/identitytrial
• Long term lab licenses available from product management

Live Demo

Identity Engines: Santa Clara Lab Topology (Rack F-14)

[Diagram: lab topology. Labels recovered from the figure:]
• DELL SERVER (NIC 1, NIC 2)
• VMware ESXi 4.1: 10.1.2.220 / 222
• AD SERVER (Windows 2008): AVAYA-NET.219, 10.1.2.219
• SECURE ZONE (Windows 2003): AVAYA-NET.218, 10.1.2.218
• Guest Manager / CASE Administration: Windows 7, 10.1.2.232
• Access Portal (IN, OUT and ADMIN interfaces): FreeBSD, 10.1.2.229
• Ignition Server: Red Hat Enterprise Linux, 10.1.2.234
• NAC SWITCH (ERS 2550PWR): 10.1.2.240
• SECURE ROUTER: 10.1.2.250 (WAN, LAN); AVAYA-NET.216
• 4 x NAC Clients: Windows XP, DHCP
• DHCP ranges: 10.1.2.10 - 49 and 10.1.2.50 - 99
• Other labels: Internet; LAN 10.1.2.244; RADIUS; AVAYA-NET; VLAN1, VLAN14, VLAN24, VLANX

Identity Engines: Santa Clara Lab Topology

[Diagram: the same lab topology, annotated with the tools used to reach its components. Tool labels: Remote Desktop (AVAYA-NET.IP); Web Browser; VMware vSphere Client; Ignition Server Dashboard. Component labels: Guest Manager; Access Portal; NAC Switch; NAC Clients; Ignition Server]

Thank you!