©2013 Avaya Inc. All rights reserved February 26-28, 2013 | Orlando, FL
#AvayaATF @shmulik247
How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise
Shmulik Nehama, Identity Engines Portfolio Leader, Avaya
The Beginning of Time…
Then came this…
Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.
[Chart]
• Android apps: 700 000
• iPhone/iPad apps: 700 000
• Tablets in 2012: 119 000 000
• Smartphones in 2011: 491 000 000
• Smartphones in 2012: 686 000 000
• Social Media Users: 1 200 000 000
• Tablet market $45B by 2014 – Yankee 2011
• 50% of Enterprise users interested in or using consumer applications – Yankee 2011
• Smartphone app revenue to triple by 2014 – Yankee 2011
…Anyone here still using a flip phone?
• YES pls do bring your own iPad
• YES pls do, you are welcome to use Wifi VOIP
• YES pls do, you are welcome to use virtual desktop
• YES pls do, you are welcome to do mobile collaboration
• NO sorry you cannot bring your iPad
• NO sorry you cannot connect outdoor
• NO sorry you cannot do video conferencing
• NO sorry you cannot bring your fancy laptop
It’s not about Saying NO… It’s About Staying in Control!!
It is about a solution that combines control and flexibility!!
[Figure: Users and Devices]
BYOD: Bring Your Own Difficulties
Your Difficulties are to find AC Outlets
Avaya Identity Engines: Key Value Points…
Vendor Agnostic
• Any Network
• Any User
• Any Device
Wired & Wireless
• Unified Access
• Centralized Policy
Guest Access
• Audit logs
• Self-service
• Sponsor / Front Desk
BYOD Access
• Device On-boarding
• Device Fingerprinting
• non-802.1x access
Avaya Identity Engines: Key Value Points…
Granular Policy Engines
• XACML (eXtensible Access Control Markup Language)
• Local User and Device Store
• Flexible RADIUS VSAs (Vendor Specific Attributes)
Directory Federation
• All major directory servers
• AD, RSA, LDAP, eDirectory
• Identity Routing
High Availability
• Active - Active
• Active - Standby
Virtual Appliance
• All software solution
• VMware ESXi
• Windows applications
Avaya Identity Engines: Key Value Points…
Simple and affordable licensing
Network Size License: LITE, SMALL, LARGE
Feature License: TACACS+, Posture, Guest Manager, Access Portal & CASE Wizard, Analytics
• no per user license
• no per device license
Identity-based Access Control… with Identity Engines
Case 1: Employee with corporate laptop
IF (identity = HR employee)
AND IF (device = corp laptop)
AND IF (medium = wired)
THEN GRANT FULL ACCESS
Case 2: Employee with personal iPad
IF (identity = HR employee)
AND IF (device = personal iPad)
AND IF (medium = wireless)
THEN GRANT LIMITED ACCESS
Identity Engines: Role-based Access
Automating network access has a direct impact on reducing the cost of change.
Each access port is not assigned until a user/device attempts access. Once authenticated & authorized, the user/device is granted the appropriate access level. MAC address lookup:
• Ignition Server local store
• Manual input
• Wildcards (e.g. Avaya IP Phones 00:04:0d* and Cisco IP Phones 00:15:62*)
• Import CSV file with list of MAC addresses and other device attributes
• Access Portal auto-populate
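The two access-control cases above and the wildcard MAC lookup, worked as a small policy decision point in Python. This is an added illustration, not Avaya Identity Engines code: the device-group names, the IP-phone rule with its "VOICE ACCESS" result and the default-deny outcome are assumptions, and the device-store entries beyond the slide's two wildcards are constructed.

```python
"""Toy policy decision point for the two slide cases above and the wildcard
MAC lookup. Added illustration; not Avaya Identity Engines code."""
from fnmatch import fnmatchcase
from typing import Optional

# Constructed device store (pattern, device group). The two wildcard entries
# are the slide's examples; the exact MAC is the fingerprint table's example.
DEVICE_STORE = [
    ("00:04:0d*", "ip-phone"),               # Avaya IP Phones
    ("00:15:62*", "ip-phone"),               # Cisco IP Phones
    ("00:11:22:33:44:55", "personal iPad"),  # fingerprinted employee iPad
]

# Authorization rules in evaluation order; first match wins, no match = DENY.
# None means the condition does not constrain that attribute. Group names,
# the phone rule and its "VOICE ACCESS" result are assumptions.
RULES = [
    ({"identity": "HR employee", "device": "corp laptop", "medium": "wired"},
     "FULL ACCESS"),
    ({"identity": "HR employee", "device": "personal iPad", "medium": "wireless"},
     "LIMITED ACCESS"),
    ({"identity": None, "device": "ip-phone", "medium": "wired"},
     "VOICE ACCESS"),
]

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-04-0D-.. and 00:04:0d:.. match alike."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def lookup_device(mac: str) -> Optional[str]:
    """Device-store lookup honouring the slide's trailing-* wildcard notation."""
    canon = normalize_mac(mac)
    for pattern, group in DEVICE_STORE:
        if fnmatchcase(canon, pattern.lower()):
            return group
    return None  # unknown device: nothing to grant on

def authorize(identity: Optional[str], device: Optional[str], medium: str) -> str:
    """Evaluate RULES top-down; anything unmatched falls to the default deny."""
    request = {"identity": identity, "device": device, "medium": medium}
    for conditions, access in RULES:
        if all(want is None or want == request[key] for key, want in conditions.items()):
            return access
    return "DENY"

def mac_auth(mac: str, medium: str) -> str:
    """Non-802.1x path: no user identity, only the device-store group is known."""
    return authorize(None, lookup_device(mac), medium)

if __name__ == "__main__":
    print(authorize("HR employee", "corp laptop", "wired"))     # FULL ACCESS
    print(authorize("HR employee", "corp laptop", "wireless"))  # DENY: no rule
    print(mac_auth("00-04-0D-AA-BB-CC", "wired"))               # VOICE ACCESS
    print(mac_auth("00:11:22:33:44:55", "wireless"))            # DENY: MAC alone is not an identity
```

The last call shows why the iPad rule also requires a directory identity: a device known only by its MAC address gets DENY, so a record in the device store is not by itself a credential.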
[Figure: devices connecting to the Enterprise Network: IP Phone, Visitor or Business Partner, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices]
Identity Engines: Authenticated Network Architecture
[Figure: a Network Abstraction Layer and a Directory Abstraction Layer around the Identity Engines core; components: Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Access Portal, CASE Wizard; roles: Policy Enforcement Point, Policy Decision Point, Policy Information Point]
Identity Engines: Authenticated Network Architecture
Identity Information Sources:
- Active Directory
- Novell eDirectory
- Sun Directory
- Oracle Internet Directory
- Generic LDAP
- Kerberos
- RSA SecurID
- Token Based Services
- RADIUS Proxy
[Figure: Corporate Resources reached through Wireless, VPN, Firewall and Wired enforcement points; Ignition Server with Ignition Analytics, Ignition Guest Manager, Ignition Access Portal and Ignition Dashboard]
Identity Engines: Ignition Server
• Centralized, standards-based policy engine
• Vendor Agnostic
• Highly-available AAA appliance for identity-based network access control
• RADIUS integration with all enterprise network equipment
• Quick and deep integration with major directories
• Detailed logging and troubleshooting capabilities
• Hitless upgrades where appropriate
• VMware virtual appliance with support for VMware ESX(i)
Ignition Dashboard: Access Policy
Access Policy = Authentication Policy + Identity Routing + Authorization Policy & Posture Policy
Ignition Dashboard: Detailed Logs
Identity Engines: Guest Manager
Guest Manager is a Web-based application that manages temporary network accounts for visitors.
• Provisioning/de-provisioning in 10 sec
• Front-desk or Guest Self-service
Activation options:
• Immediate activation
• Future activation
• Account duration time
• Activate on first login
• Choose any access method to implement: Wireless, Wired, and VPN
• Track Users: Guests, Consultants, Contractors
• Complete detailed logs
Identity Engines: Guest Manager Administration
• Multiple Guest Managers may be deployed:
  • Against a single instance of the Ignition Server
  • Under a single Guest Manager license
  • Authorization policies for guests are in the Ignition Server
• Guest Manager Administrator
  • Creates provisioners
  • Creates provisioning templates
  • Assigns provisioning templates to provisioners
• Guest Manager Provisioners
  • May be internal or external (i.e. on LDAP / AD etc.)
  • Single or bulk provisioning
  • Provisioners are frequently called sponsors because they sponsor guests.
Identity Engines: Guest Manager Administration
Administration
• Notification options
• Password complexity
• Password generation
• Username generation
• Users bulk load
• Expiration
• Activation
Identity Engines: Ignition Access Portal
Access Portal can be deployed for the following use cases:
• Access without 802.1x enablement
• Contractor & Employee Access with different modes of 802.1x enablement:
  − CASE Wizard hosting for auto-configuration of 802.1x
  − iOS Profile file hosting (from Apple iPhone/iPad Configuration Utility)
• BYOD On-boarding of managed and un-managed consumer devices:
  − Device profiling
  − Auto-registration
  − Auto-updates
• Serves as a Captive Portal for non-802.1x clients
• Unifies Wired and Wireless access
• Performs device fingerprinting
• BYOD On-boarding
• Hosting place for the CASE Wizard
Identity Engines: Ignition Access Portal
Device Fingerprinting
• Access the Captive Portal on the IN interface for wired and wireless users
• User opens browser and enters corporate or guest account credentials
• User authenticated against Ignition Server
• If authentication is successful, the user session is inline through the OUT interface
• Upon successful authentication, Access Portal, if enabled, also performs profiling of user devices and sends the device FINGERPRINT to the Ignition Server
  − Device Type, Device Sub-Type, Device OS, Device OS Version
  − New Avaya RADIUS VSAs are used for sending the device fingerprint
  − If trusted, Ignition Server automatically creates a device fingerprint record
Fingerprint attributes (attribute: description, example):
• ID: MAC Address, e.g. 00:11:22:33:44:55
• OS: Operating System Type, e.g. Mac OS X
• OS Version: Operating System Version, e.g. 10_6_8
• Device Type: Type of client device, e.g. Mobile
• Sub-type: Sub-type of the client device, e.g. iPad
Identity Engines: Ignition Access Portal
[Figure: device fingerprinting flow. User devices reach the Access Portal on its IN interface; the portal performs HTTP capturing and device profiling, exchanges RADIUS with the Ignition Server, and forwards authenticated wired and wireless sessions out of its OUT interface; a separate ADMIN interface is used for management]
Identity Engines: Ignition Access Portal
Multiple Access Portals may be deployed:
• Against a single instance of the Ignition Server
• With a single Access Portal license
Device Profiling
• Administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
• Device fingerprinting:
  − Device Type, Device Sub-Type, Device OS, Device OS Version
  − Device attributes are sent to the Ignition Server for registration and association with the user
BYOD On-boarding
• Auto-register of Guest Visitor and Employee Guest devices
• Device profiling of registering devices
• Auto-association of devices with guest / employee records in Ignition Server
• Populating device records in Ignition Server with device profile attributes
Identity Engines: Ignition Access Portal
Authorization Policy on the Ignition Server:
• Employee with personal iPad will gain access
• Employee with personal Blackberry will NOT gain access
Identity Engines: Ignition Access Portal
Pages Customization
• Login page
• Success page
• Failure page
Identity Engines: Ignition CASE Wizard
CASE Wizard
• CASE = Client Access to the Secure Enterprise
• A transient application to automate configuration of managed and un-managed Windows devices:
  − Auto-config of 802.1x
  − Auto-config of MS-NAP
• Dissolvable application
• Revertible or permanent configuration
• Wired and / or Wireless
Network Profiles & Packages
• Set of network and security settings that define how a user connects to a particular defined network
• This profile is saved as an XML file and bundled into a CASE package, which in turn applies the settings to the user’s computer system
Identity Engines: Ignition CASE Wizard
Ignition CASE Wizard
• CASE Wizard package hosted on a customer internal web site or on the Access Portal
• Different packages may be created for different network connectivity needs
• Exit Behavior
  − CASE Wizard may be customized to either exit or reside in the System tray.
• Revert Settings
  − CASE Wizard may be customized to let the user revert the settings
  − Reverting is achieved by clicking the “Revert Settings” in the System Tray.
Identity Engines: iOS Devices
Apple configuration utility for iOS devices
Config profile contains settings:
• Passcode policies
• Restrictions on device features
• Wi-Fi settings
• VPN settings
• Exchange ActiveSync
• Credentials and keys
• More…
Ways to deploy config profiles
• Physically connecting to the device
• In an email message
• On a webpage
• Over-the-air
Identity Engines: BYOD Examples
[Figure: Corporate Resources behind Wireless, VPN, Firewall and Wired enforcement points; Ignition Server, Ignition Guest Manager and two Ignition Access Portals]
Access Portal for IT registration of managed devices
• IT login w/Admin credentials
• Device attributes captured
• Associate device with Device Group in the Dashboard
• Handover device to employee
• Policy in Ignition Server handles access
Access Portal for Employee registration of un-managed devices
• Employee login w/AD
• Device attributes captured
• Config option with CASE for Windows or iOS
• Employee access via 802.1x or Access Portal
Real Life Avaya Use-case: Self-Service Guest Wi-Fi Access
Identity Engines R8.0
WiFi access as a self-service based on Identity Engines Guest Manager & Access Portal
Avaya Wi-Fi Guest Access Management: live in the Santa Clara & Basking Ridge campuses on the Avaya WLAN Infrastructure
• Option 1: Guest Self-service
• Option 2: Employee sponsor (www.avaya.com/sponsor)
Identity Engines: Resources
Product Management
• Shmulik Nehama
• Email [email protected]
• Office 408-496-3110
• Mobile 408-569-3635
YouTube Video
• http://www.youtube.com/watch?v=0ZrMOqzGMpE
30-Days Free Trial
• www.avaya.com/identitytrial
• Long term lab licenses available from product management
Live Demo
Identity Engines: Santa Clara Lab Topology (Rack F-14)
[Figure: lab topology diagram. Labels as drawn: Dell server (NIC 1, NIC 2) on AVAYA-NET.219 10.1.2.219 running VMware ESX1 4.1 (10.1.2.220 / 222); AD Server (Windows 2008), LAN 10.1.2.244, DHCP Server with DHCP range 10.1.2.50 - 99; Guest Manager / CASE Administration on Windows 7, 10.1.2.232; Access Portal on FreeBSD, 10.1.2.229, with IN, OUT and ADMIN interfaces; Ignition Server on Red Hat Enterprise Linux, 10.1.2.234; 4 x NAC Clients (Windows XP, DHCP); NAC Switch (ERS 2550PWR) 10.1.2.240 with ports 1, 2, 14, 16, 17-23, 24 and 48 on VLAN1, VLAN14, VLAN24 and VLANX, RADIUS to the Ignition Server; Secure Zone (Windows 2003) on AVAYA-NET.218 10.1.2.218 with DHCP Server; Secure Router AVAYA-NET.216 10.1.2.250 (WAN/LAN) with DHCP range 10.1.2.10 - 49, to the Internet]
Identity Engines: Santa Clara Lab Topology
[Figure: the same lab topology diagram (AVAYA-NET.IP 10.1.2.219), annotated with the tools used for the demo: Remote Desktop (AVAYA-NET.IP) and a Web Browser for Guest Manager, Access Portal and the NAC Switch; VMware vSphere Client for the NAC Clients and the Ignition Server; Ignition Server Dashboard]
Thank you! #AvayaATF @shmulik247