©2013 Avaya Inc. All rights reserved. February 26-28, 2013 | Orlando, FL

How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise
Shmulik Nehama, Identity Engines Portfolio Leader, Avaya
#AvayaATF @shmulik247

The Beginning of Time…

Then came this…

…Anyone here still using a flip phone?
• Tablet market $45B by 2014 – Yankee 2011
• 50% of enterprise users interested in or using consumer applications – Yankee 2011
• Smartphone app revenue to triple by 2014 – Yankee 2011
Chart figures:
• 700 000 Android apps
• 700 000 iPhone/iPad apps
• 119 000 000 tablets in 2012
• 491 000 000 smartphones in 2011
• 686 000 000 smartphones in 2012
• 1 200 000 000 social media users
Time Magazine cover, Aug 18 1997: Bill Gates invests $150M to save Apple.

It’s not about Saying NO… It’s About Staying in Control!!
• NO, sorry, you cannot bring your iPad
• NO, sorry, you cannot connect outdoors
• NO, sorry, you cannot do video conferencing
• NO, sorry, you cannot bring your fancy laptop
• YES, please do bring your own iPad
• YES, please do: you are welcome to use Wi-Fi VoIP
• YES, please do: you are welcome to use the virtual desktop
• YES, please do: you are welcome to do mobile collaboration

It is about a solution that combines control and flexibility!!

BYOD: Bring Your Own Difficulties. Your difficulty is finding AC outlets.
Avaya Identity Engines Key Value Points…
Vendor Agnostic, Wired & Wireless
• Any Network
• Any User
• Any Device
• Unified Access
• Centralized Policy
Guest Access
• Audit logs
• Self-service
• Sponsor / Front Desk
BYOD Access
• Device On-boarding
• Device Fingerprinting
• Non-802.1x access

Avaya Identity Engines Key Value Points…
Granular Policy Engines
• XACML (eXtensible Access Control Markup Language)
• Local User and Device Store
• Flexible RADIUS VSAs (Vendor Specific Attributes)
Directory Federation
• All major directory servers
• AD, RSA, LDAP, eDirectory
• Identity Routing
High Availability
• Active - Active
• Active - Standby
Virtual Appliance
• All-software solution
• VMware ESXi
• Windows applications

Avaya Identity Engines Key Value Points…
Simple and affordable licensing
Network Size License: LITE, SMALL, LARGE
• No per-user license
• No per-device license
Feature Licenses: TACACS+, Posture, Guest Manager, Access Portal & CASE Wizard, Analytics

Identity-based Access Control with Identity Engines: Role-based Access
Case 1: Employee with corporate laptop
  IF (identity = HR employee)
  AND IF (device = corp laptop)
  AND IF (medium = wired)
  THEN GRANT FULL ACCESS
Case 2: Employee with personal iPad
  IF (identity = HR employee)
  AND IF (device = personal iPad)
  AND IF (medium = wireless)
  THEN GRANT LIMITED ACCESS
Automating network access has a direct impact on reducing the cost of change
Diagram: enterprise network with access ports for IP Phone, Visitor or Business Partner Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices.
Each access port is not assigned until a user/device attempts access. Once authenticated & authorized, the user/device is granted the appropriate access level.
MAC address lookup:
• Ignition Server local store
• Manual input
• Wildcards (e.g. Avaya IP Phones 00:04:0d* and Cisco IP Phones 00:15:62*)
• Import CSV file with a list of MAC addresses and other device attributes
• Access Portal auto-populate

Identity Engines Authenticated Network Architecture
Diagram components: Guest Access Mgmt, Posture Assessment, Policy Information Point, DIRECTORY ABSTRACTION LAYER, Policy Decision Point, NETWORK ABSTRACTION LAYER, Policy Enforcement Point, Reporting & Analytics, Access Portal, CASE Wizard.

Identity Engines Authenticated Network Architecture
Identity Information Sources:
- Active Directory
- Novell eDirectory
- Sun Directory
- Oracle Internet Directory
- Generic LDAP
- Kerberos
- RSA SecurID
- Token Based Services
- RADIUS Proxy
Diagram components: Ignition Access Portal, Ignition Server; Wired, Wireless and VPN access; Firewall; Corporate Resources.
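The two role-based cases on the "Identity-based Access Control" slide and the MAC-address lookup with wildcards on the "Automating network access" slide combine into one decision: identify the device (by MAC, exact or wildcard), then evaluate ordered rules over identity, device and medium, with deny as the fall-through. The following is an added example in Python, not Avaya Identity Engines code; the device store contents, the rule for MAC-only IP phones and the access-level names are assumptions made for the illustration.

```python
"""Role-based access decision with a MAC-address device store.

Added example (not Avaya Identity Engines code): models the two role-based
cases from the "Identity-based Access Control" slide and the MAC-address
lookup with wildcards from the "Automating network access" slide. The device
store contents, the rule for MAC-only IP phones and the access-level names
are assumptions made for this illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Constructed device store: exact MACs plus the wildcard prefixes quoted on the
# slide (Avaya IP phones 00:04:0d*, Cisco IP phones 00:15:62*). Values are the
# device class the authorization rules test against.
DEVICE_STORE = {
    "00:04:0d*": "avaya-ip-phone",
    "00:15:62*": "cisco-ip-phone",
    "aa:bb:cc:00:00:01": "corp laptop",          # constructed: corporate asset
    "aa:bb:cc:00:00:02": "personal iPad",        # constructed: registered via Access Portal
    "aa:bb:cc:00:00:03": "personal BlackBerry",  # constructed: registered, no rule grants it
}


def normalize_mac(mac: str) -> str:
    """Accept 00-04-0D-..., 00:04:0d:... or 00040d... and return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_device(mac: str) -> Optional[str]:
    """Exact entries take precedence over wildcard entries; unknown MACs return None."""
    mac = normalize_mac(mac)
    if mac in DEVICE_STORE:
        return DEVICE_STORE[mac]
    for pattern, device in DEVICE_STORE.items():
        if "*" in pattern and fnmatchcase(mac, pattern):
            return device
    return None


@dataclass
class Request:
    mac: str
    identity: Optional[str] = None   # None for non-802.1x devices known only by MAC
    medium: str = "wired"


@dataclass
class Rule:
    name: str
    identity: Optional[str]          # None means the rule does not test this attribute
    device: Optional[str]
    medium: Optional[str]
    access: str


# Evaluated top to bottom; the first rule whose conditions all hold decides.
RULES = [
    Rule("case-1", "HR employee", "corp laptop", "wired", "FULL"),
    Rule("case-2", "HR employee", "personal iPad", "wireless", "LIMITED"),
    Rule("ip-phones", None, "avaya-ip-phone", "wired", "VOICE"),   # assumed MAC-only rule
]


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (access level, reason). Anything not explicitly granted is denied."""
    device = lookup_device(req.mac)
    if device is None:
        return "DENY", "unknown-device"
    for rule in RULES:
        if rule.identity is not None and rule.identity != req.identity:
            continue
        if rule.device is not None and rule.device != device:
            continue
        if rule.medium is not None and rule.medium != req.medium:
            continue
        return rule.access, rule.name
    return "DENY", "no-matching-rule"


if __name__ == "__main__":
    for r in (Request("AA-BB-CC-00-00-01", "HR employee", "wired"),
              Request("aa:bb:cc:00:00:02", "HR employee", "wireless"),
              Request("aa:bb:cc:00:00:03", "HR employee", "wireless"),
              Request("00:04:0D:12:34:56")):
        print(r, "->", evaluate(r))
```

Two design points worth noting: exact entries win over wildcards, so a single registered phone can be given a different class from the rest of its OUI range; and a device matched only by MAC wildcard gets a narrow access level (the assumed VOICE rule), since a MAC address identifies a device but does not authenticate it, which is why the slides pair MAC lookup with a limited, port-assigned access level rather than full access.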
Architecture diagram also shows: Ignition Guest Manager, Ignition Dashboard, Ignition Analytics.

Identity Engines Ignition Server
• Centralized, standards-based policy engine
• Vendor agnostic
• Highly-available AAA appliance for identity-based network access control
• RADIUS integration with all enterprise network equipment
• Quick and deep integration with major directories
• Detailed logging and troubleshooting capabilities
• Hitless upgrades where appropriate
• VMware virtual appliance with support for VMware ESX(i)

Ignition Dashboard: Access Policy
Access Policy = Authentication Policy + Identity Routing + Authorization Policy & Posture Policy

Ignition Dashboard: Detailed Logs

Identity Engines Guest Manager
Guest Manager is a Web-based application that manages temporary network accounts for visitors.
• Provisioning/de-provisioning in 10 sec
• Front-desk or Guest Self-service
• Activation options:
  − Immediate activation
  − Future activation
  − Account duration time
  − Activate on first login
• Choose any access method to implement: Wireless, Wired, and VPN
• Track Users: Guests, Consultants, Contractors
• Complete detailed logs

Identity Engines Guest Manager Administration
• Multiple Guest Managers may be deployed:
  − Against a single instance of the Ignition Server
  − Under a single Guest Manager license
• Authorization policies for guests are in the Ignition Server
• Guest Manager Provisioners
  − May be internal or external (i.e. on LDAP / AD etc.)
  − Single or bulk provisioning
  − Provisioners are frequently called sponsors because they sponsor guests.
• Guest Manager Administrator
  − Creates provisioners
  − Creates provisioning templates
  − Assigns provisioning templates to provisioners

Identity Engines Guest Manager Administration
Administration options:
• Notification options
• Password complexity
• Password generation
• Username generation
• Users bulk load
• Expiration
• Activation

Identity Engines Ignition Access Portal
Access Portal can be deployed for the following use cases:
• Serves as a Captive Portal for non-802.1x clients
• Unifies Wired and Wireless access
  − Access without 802.1x enablement
  − Contractor & Employee access with different modes of 802.1x enablement
• Performs device fingerprinting
• BYOD On-boarding
• Hosting place for the CASE Wizard
  − CASE Wizard hosting for auto-configuration of 802.1x
  − iOS Profile file hosting (from Apple iPhone/iPad Configuration Utility)
• BYOD On-boarding of managed and un-managed consumer devices; device attributes:
  − Device profiling
  − Auto-registration
  − Auto-updates
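The Guest Manager slides above list four activation options (immediate, future, account duration time, activate on first login) plus expiration, username generation and password generation/complexity as administration settings. The following is an added example in Python, not Avaya Guest Manager code, that models those options as a small account state machine; the field names, the state names and the first-login deadline (so that an account activated on first login but never used still expires) are assumptions.

```python
"""Guest account lifecycle: activation options, expiry and credential generation.

Added example (not Avaya Guest Manager code): models the activation options on
the Guest Manager slides (immediate, future, account duration, activate on
first login) together with expiration and generated usernames/passwords. The
field names, the state names and the first-login deadline are assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Alphabet without look-alike characters (0/O, 1/l/I) so the front desk can read it out.
PASSWORD_ALPHABET = "".join(
    ch for ch in string.ascii_letters + string.digits if ch not in "0O1lI"
)


def check_complexity(pw: str) -> bool:
    """Constructed policy: at least 10 characters with upper, lower and digit classes."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_password(length: int = 10) -> str:
    """Random password drawn with `secrets`, retried until it meets the policy."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if check_complexity(pw):
            return pw


def generate_username(first: str, last: str, suffix: Optional[int] = None) -> str:
    """e.g. jdoe-4821: readable, with a random suffix to avoid collisions."""
    if suffix is None:
        suffix = secrets.randbelow(10000)
    return f"{first[0].lower()}{last.lower()}-{suffix:04d}"


@dataclass
class GuestAccount:
    username: str
    password: str
    sponsor: str                  # provisioner who created the account (audit trail)
    activation: str               # "immediate" | "future" | "first-login"
    duration: timedelta           # account duration time once active
    activated_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    first_login_deadline: Optional[datetime] = None  # assumed: unused first-login accounts end here


def create_account(sponsor: str, first: str, last: str, activation: str,
                   duration: timedelta, now: datetime,
                   activate_at: Optional[datetime] = None,
                   first_login_deadline: Optional[datetime] = None,
                   username_suffix: Optional[int] = None) -> GuestAccount:
    acct = GuestAccount(generate_username(first, last, username_suffix),
                        generate_password(), sponsor, activation, duration,
                        first_login_deadline=first_login_deadline)
    if activation == "immediate":
        acct.activated_at, acct.expires_at = now, now + duration
    elif activation == "future":
        if activate_at is None:
            raise ValueError("future activation needs activate_at")
        acct.activated_at, acct.expires_at = activate_at, activate_at + duration
    elif activation == "first-login":
        if first_login_deadline is None:
            raise ValueError("first-login activation needs first_login_deadline")
    else:
        raise ValueError(f"unknown activation option {activation!r}")
    return acct


def state(acct: GuestAccount, now: datetime) -> str:
    """'pending', 'active' or 'expired' as seen at time `now`."""
    if acct.expires_at is not None and now >= acct.expires_at:
        return "expired"
    if acct.activated_at is None:   # first-login account that has never been used
        if acct.first_login_deadline is not None and now >= acct.first_login_deadline:
            return "expired"
        return "pending"
    return "active" if now >= acct.activated_at else "pending"


def login(acct: GuestAccount, now: datetime) -> bool:
    """Authenticate at time `now`; a first-login account is activated by its first use."""
    s = state(acct, now)
    if s == "pending" and acct.activation == "first-login":
        acct.activated_at, acct.expires_at = now, now + acct.duration
        return True
    return s == "active"
```

The duration clock for a first-login account starts at the first successful login, which is what makes that option useful for visitors whose arrival time is uncertain; the deadline field is the guard that keeps such accounts from living forever if the visitor never shows up.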
Identity Engines Ignition Access Portal: Device Fingerprinting
• Access the Captive Portal on the IN interface for wired and wireless users
• User opens a browser and enters corporate or guest account credentials
• User is authenticated against the Ignition Server
• On successful authentication, the user session is passed inline through the OUT interface
• Upon successful authentication, Access Portal, if enabled, also profiles the user device and sends the device FINGERPRINT to the Ignition Server
Fingerprint attributes:
  Attribute     Description                      Example
  ID            MAC Address                      00:11:22:33:44:55
  OS            Operating System Type            Mac OS X
  OS Version    Operating System Version         10_6_8
  Device Type   Type of client device            Mobile
  Sub-type      Sub-type of the client device    iPad
− Device Type, Device Sub-Type, Device OS, Device OS Version
− New Avaya RADIUS VSAs are used for sending the device fingerprint
− If trusted, the Ignition Server automatically creates a device fingerprint record
Identity Engines Ignition Access Portal: Device Fingerprinting (diagram)
Diagram labels: User Devices (Wired, Wireless); HTTP Capturing; DEVICE PROFILING; Access Portal interfaces IN / OUT / ADMIN; RADIUS to the Ignition Server.

Identity Engines Ignition Access Portal
Multiple Access Portals may be deployed:
• Against a single instance of the Ignition Server
• With a single Access Portal license
Device Profiling
• The administrator can set the Access Portal to perform device profiling of wired and wireless devices
• Device fingerprinting:
  − Device Type, Device Sub-Type, Device OS, Device OS Version
  − Device attributes are sent to the Ignition Server for registration and association with the user
BYOD On-boarding
• Auto-registration of Guest Visitor and Employee Guest devices
• Device profiling of registering devices
• Auto-association of devices with guest / employee records in the Ignition Server
• Populating device records in the Ignition Server with device profile attributes
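The fingerprinting slides above describe the Access Portal capturing the client's HTTP traffic after login, deriving OS, OS version, device type and sub-type, and sending them with the MAC address to the Ignition Server, which creates a device record if the fingerprint is trusted. The following is an added example in Python, not Avaya Access Portal code, that derives those attributes from the User-Agent header and registers the record only for authenticated sessions; the User-Agent patterns, the record field names and the attribute names in the RADIUS-style dictionary are assumptions, and the sample User-Agent strings in the test are constructed.

```python
"""Device fingerprint from the captive-portal HTTP exchange.

Added example (not Avaya Access Portal code): derives the attributes on the
Device Fingerprinting slide (OS, OS version, device type, sub-type) from the
browser's User-Agent header, attaches the client MAC, and only registers the
record when it came from an authenticated session. The User-Agent patterns,
the record field names and the attribute names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Ordered from specific to generic; each pattern may capture `sub` and/or `ver`.
UA_PATTERNS = [
    # "(iPad; CPU OS 6_1 like Mac OS X)" / "(iPhone; CPU iPhone OS 6_1 like Mac OS X)"
    (re.compile(r"\((?P<sub>iPad|iPhone|iPod);[^)]*?OS (?P<ver>\d+(?:_\d+)*)"),
     "iOS", "Mobile", None),
    # "(Linux; U; Android 4.1.2; en-us; ...)"
    (re.compile(r"\(Linux;[^)]*?Android (?P<ver>\d+(?:\.\d+)*)"),
     "Android", "Mobile", "Android device"),
    # "(BlackBerry; U; BlackBerry 9900; en) ... Version/7.1.0.346" (version optional)
    (re.compile(r"\(BlackBerry[^)]*\)(?:.*?Version/(?P<ver>\d+(?:\.\d+)*))?"),
     "BlackBerry OS", "Mobile", "BlackBerry"),
    # "(Macintosh; Intel Mac OS X 10_6_8)"
    (re.compile(r"\(Macintosh;[^)]*?Mac OS X (?P<ver>\d+(?:_\d+)*)"),
     "Mac OS X", "Computer", "Mac"),
    # "(Windows NT 6.1; WOW64)"
    (re.compile(r"\(Windows NT (?P<ver>\d+(?:\.\d+)*)"),
     "Windows", "Computer", "Windows PC"),
]


@dataclass
class Fingerprint:
    mac: str
    os: str
    os_version: str
    device_type: str
    sub_type: str
    trusted: bool    # profiled after a successful login, as the slide requires


def profile(mac: str, user_agent: str, authenticated: bool) -> Fingerprint:
    """Build the fingerprint record; unrecognised agents get 'unknown', not a guess."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    for pattern, os_name, device_type, fixed_sub in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            groups = m.groupdict()
            return Fingerprint(mac, os_name, groups.get("ver") or "unknown",
                               device_type, fixed_sub or groups["sub"], authenticated)
    return Fingerprint(mac, "unknown", "unknown", "unknown", "unknown", authenticated)


def to_attributes(fp: Fingerprint) -> Dict[str, str]:
    """Attribute/value pairs as they would ride in vendor-specific RADIUS attributes
    (illustrative names, not Avaya's VSA names)."""
    return {"Device-Type": fp.device_type, "Device-Sub-Type": fp.sub_type,
            "Device-OS": fp.os, "Device-OS-Version": fp.os_version}


def register(store: Dict[str, Fingerprint], fp: Fingerprint) -> bool:
    """Create the device record only for trusted fingerprints; return whether stored."""
    if not fp.trusted:
        return False
    store[fp.mac] = fp
    return True
```

Because the User-Agent is supplied by the client, the fingerprint is an assertion about the device rather than proof; that is why it is only collected after authentication and why the authorization policy on the next slide still keys on the user's identity and the access medium, not on the fingerprint alone.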
Identity Engines Ignition Access Portal: Authorization Policy on the Ignition Server
• Employee with personal iPad WILL gain access with the policy rule shown (screenshot)
• Employee with personal BlackBerry will NOT gain access with the policy rule shown (screenshot)

Identity Engines Ignition Access Portal: Pages Customization
• Login page
• Success page
• Failure page

Identity Engines Ignition CASE Wizard
CASE Wizard
• CASE = Client Access to the Secure Enterprise
• A transient application to automate configuration of managed and un-managed Windows devices:
  − Auto-config of 802.1x
  − Auto-config of MS-NAP
• Dissolvable application
• Revertible or permanent configuration
• Wired and / or Wireless
Network Profiles & Packages
• A set of network and security settings that define how a user connects to a particular defined network
• This profile is saved as an XML file and bundled into a CASE package, which in turn applies the settings to the user’s computer system

Identity Engines Ignition CASE Wizard (screenshot)

Identity Engines Ignition CASE Wizard
Ignition CASE Wizard
• CASE Wizard package hosted on a customer internal web site or on the Access Portal
• Different packages may be created for different network connectivity needs
• Exit Behavior
  − CASE Wizard may be customized to either exit or reside in the System Tray
• Revert Settings
  − CASE Wizard may be customized to let the user revert the settings
  − Reverting is achieved by clicking “Revert Settings” in the System Tray
Identity Engines iOS Devices
Apple configuration utility for iOS devices
Config profile contains settings:
• Passcode policies
• Restrictions on device features
• Wi-Fi settings
• VPN settings
• Exchange ActiveSync
• Credentials and keys
• More…
Ways to deploy config profiles
• Physically connecting to the device
• In an email message
• On a webpage hosted by the Ignition Access Portal
• Over-the-air

Identity Engines BYOD Examples
Access Portal for Employee registration of un-managed devices
• Employee login w/AD
• Device attributes captured
• Config option with CASE for Windows or iOS
• Employee access via 802.1x or Access Portal
Access Portal for IT registration of managed devices
• IT login w/Admin credentials
• Device attributes captured
• Associate device with Device Group in the Dashboard
• Handover device to employee
• Policy in Ignition Server handles access
Diagram components: Ignition Access Portal; Wired, Wireless and VPN access; Ignition Server; Firewall; Corporate Resources; Ignition Guest Manager.

Real Life Avaya Use-case: Self-Service Guest Wi-Fi Access
Avaya Wi-Fi Guest Access Management: Identity Engines R8.0, Avaya WLAN Infrastructure
Live in the Santa Clara & Basking Ridge campuses
• Option 1: Guest Self-service
• Option 2: Employee sponsor (www.avaya.com/sponsor)

Identity Engines Resources
Product Management
• Shmulik Nehama
• Email snehama@avaya.com
• Office 408-496-3110
• Mobile 408-569-3635
YouTube Video
• http://www.youtube.com/watch?v=0ZrMOqzGMpE
30-Days Free Trial
• www.avaya.com/identitytrial
• Long-term lab licenses available from product management

Live Demo
#AvayaATF @shmulik247
Identity Engines Santa Clara Lab Topology (Rack F-14)
Diagram residue; recoverable labels:
• Hosts: DELL SERVER; VMware ESX1 4.1 (10.1.2.220 / 222); Ignition Server; AD SERVER (Windows 2008); Red Hat Enterprise Linux; Guest Manager; CASE Administration; Windows 7 (10.1.2.232); Free BSD (10.1.2.229); SECURE ZONE (Windows 2003)
• Access Portal with OUT / IN / ADMIN interfaces
• NAC SWITCH (ERS 2550PWR): VLAN 1, VLAN 14, VLAN 24, VLAN X; ports 1, 2, 14, 16, 17-23, 24, 48
• SECURE ROUTER (10.1.2.250): LAN DHCP Server, DHCP range 10.1.2.10 - 49; WAN to Internet
• 4 x NAC Clients (Windows XP, DHCP)
• LAN DHCP Server (10.1.2.244), DHCP range 10.1.2.50 - 99
• Other labels on the diagram: 10.1.2.218, 10.1.2.219, 10.1.2.234, 10.1.2.240, AVAYA-NET, AVAYA-NET.216, AVAYA-NET.218, AVAYA-NET.219, NIC 1 / NIC 2, RADIUS

Identity Engines Santa Clara Lab Topology (demo view)
Same diagram, additionally labelled: Remote Desktop (AVAYA-NET.219), VMware vSphere Client, Dashboard, Web Browser, NAC Switch, NAC Clients.

Thank you!
#AvayaATF @shmulik247

Backup Slides

Identity Engines Microsoft NAP
Identity Engines Ignition Posture
• A clientless solution
• Identity Engines Ignition Server can require that the health and security of a managed end-user’s computer be checked before it is allowed to connect to the network. This is called ‘posture’.
• Posture policies can also auto-remediate common problems.
• Uses Microsoft’s embedded System Health Agent and Enforcement Client, so there is nothing new to add.

Identity Engines Ignition Posture
• Utilize existing applications on the desktop to conduct posture (compliance) checks.
• Windows XP SP3 and higher all support MS-NAP within the base operating system.
• Single license on the Ignition Server to enable MS-NAP integration.
• No additional licensing needed for the end point.

Identity Engines Ignition Posture: Posture Policy Rule / User Notification
• Clear notification to the end-user on access status.
• Auto-remediation capabilities.
• ‘More Information’ provides the end-user with explicit details on what to do next (step-by-step instructions, host s/w etc.).
• Full details in Audit Logs.

Identity Engines Ignition Analytics
• Identify device usage: Who are your top users?
• Create audit trails: Look for trends of usage, users, and devices.
• Increase visibility into activity level over time: Identify peak usage and lowest usage.
• Deliver flexible reporting formats: PDF, HTML, RTF and XLS file formats.
• 25 canned reports out-of-the-box

Last Slide.
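The Ignition Posture slides describe a posture policy rule that checks the health claims a managed Windows client reports through MS-NAP, auto-remediates common problems, tells the end-user the access status with a 'More Information' link, and writes the details to the audit log. The following is an added example in Python, not Avaya Ignition Posture or Microsoft NAP code; the check names, the policy structure and the message texts are assumptions, and the health claims in the test are constructed samples, not a real NAP statement of health.

```python
"""Posture rule evaluation with auto-remediation, user notification and audit log.

Added example (not Avaya Ignition Posture or Microsoft NAP code): checks a
client's health claims against a posture policy, separates failures the policy
may auto-remediate from those that block access, and produces the end-user
notification and audit-log line the Posture slides describe. Check names,
policy structure and message texts are assumptions.
"""
from dataclasses import dataclass
from typing import List, Mapping, Sequence


@dataclass(frozen=True)
class PostureCheck:
    name: str             # health claim key reported by the client
    required: bool        # False = advisory only; never changes the decision
    auto_remediate: bool  # policy may correct it instead of blocking
    more_info: str        # step-by-step text behind the 'More Information' link


# Constructed policy modelled on the kind of checks a Windows health agent reports.
POLICY: Sequence[PostureCheck] = (
    PostureCheck("firewall_enabled", True, True,
                 "Enable Windows Firewall: Control Panel > Windows Firewall > Turn on."),
    PostureCheck("antivirus_up_to_date", True, False,
                 "Update antivirus signatures, then reconnect."),
    PostureCheck("automatic_updates_enabled", True, True,
                 "Turn on Automatic Updates in Control Panel > Windows Update."),
    PostureCheck("antispyware_enabled", False, False,
                 "Recommended: enable antispyware protection."),
)


@dataclass
class PostureResult:
    decision: str          # "compliant" | "remediated" | "non-compliant"
    failed: List[str]      # required checks that block access
    remediated: List[str]  # required checks the policy auto-corrected
    advisory: List[str]    # optional checks that failed
    notification: str      # what the end-user sees
    audit: str             # one line for the audit log


def evaluate_posture(user: str, mac: str, health: Mapping[str, bool],
                     policy: Sequence[PostureCheck] = POLICY,
                     now: str = "2013-02-26T09:00:00Z") -> PostureResult:
    failed, remediated, advisory, advice = [], [], [], []
    for check in policy:
        if bool(health.get(check.name, False)):   # a missing claim fails closed
            continue
        if not check.required:
            advisory.append(check.name)
        elif check.auto_remediate:
            remediated.append(check.name)
        else:
            failed.append(check.name)
            advice.append(f"{check.name}: {check.more_info}")
    if failed:
        decision = "non-compliant"
        notification = ("Access restricted: your computer does not meet the security policy. "
                        "More Information: " + " ".join(advice))
    elif remediated:
        decision = "remediated"
        notification = ("Access granted after automatic remediation of: "
                        + ", ".join(remediated) + ".")
    else:
        decision = "compliant"
        notification = "Access granted: your computer meets the security policy."
    audit = (f"{now} posture user={user} mac={mac} decision={decision} "
             f"failed={','.join(failed) or '-'} remediated={','.join(remediated) or '-'} "
             f"advisory={','.join(advisory) or '-'}")
    return PostureResult(decision, failed, remediated, advisory, notification, audit)
```

Two choices matter here: a claim the client did not report counts as failed (fail closed, so a client that omits a check cannot pass by silence), and remediated checks are still named in the audit line, so the log shows what the policy changed on the endpoint rather than only the final decision.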