©2013 Avaya Inc. All rights reserved
February 26-28, 2013 | Orlando, FL
How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise
Shmulik Nehama,
Identity Engines Portfolio Leader
Avaya
#AvayaATF
@shmulik247
The Beginning of Time…
Then came this…
…Anyone here still using a flip phone?
• Tablet market $45B by 2014 – Yankee 2011
• 50% of Enterprise users interested in or using consumer applications – Yankee 2011
• Smartphone app revenue to triple by 2014 – Yankee 2011
[Chart: 700 000 Android apps; 700 000 iPhone/iPad apps; 119 000 000 tablets in 2012; 491 000 000 smartphones in 2011; 686 000 000 smartphones in 2012; 1 200 000 000 social media users]
Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.
It’s not about Saying NO…
It’s About Staying in Control!!
NO sorry you cannot bring your iPad
NO sorry you cannot connect outdoor
NO sorry you cannot do video conferencing
NO sorry you cannot bring your fancy laptop
YES pls do bring your own iPad
YES pls do you are welcome to use Wifi VOIP
YES pls do you are welcome to use virtual desktop
YES pls do you are welcome to do mobile collaboration
It is about a solution that combines control and flexibility!!
BYOD
Bring Your Own Difficulties
Your Difficulties are to find AC Outlets
Avaya Identity Engines
Key Value Points…
Vendor Agnostic, Wired & Wireless
• Any Network
• Any User
• Any Device
• Unified Access
• Centralized Policy
Guest Access
• Audit logs
• Self-service
• Sponsor / Front Desk
BYOD Access
• Device On-boarding
• Device Fingerprinting
• non-802.1x access
Avaya Identity Engines
Key Value Points…
Granular Policy Engines
• XACML (eXtensible Access Control Markup Language)
• Local User and Device Store
• Flexible RADIUS VSAs (Vendor Specific Attributes)
Directory Federation
• All major directory servers
• AD, RSA, LDAP, eDirectory
• Identity Routing
High Availability
• Active - Active
• Active - Standby
Virtual Appliance
• All software solution
• VMware ESXi
• Windows applications
Avaya Identity Engines
Key Value Points…
Simple and affordable licensing
• Network Size License
− LITE
− SMALL
− LARGE
− no per user license, no per device license
• Feature License
− TACACS+
− Posture
− Guest Manager
− Access Portal & CASE Wizard
− Analytics
Identity-based Access Control… with Identity Engines
Identity Engines Role-based Access
Case 1: Employee with corporate laptop
IF (identity = HR employee)
AND IF (device = corp laptop)
AND IF (medium = wired)
THEN GRANT FULL ACCESS
Case 2: Employee with personal iPad
IF (identity = HR employee)
AND IF (device = personal iPad)
AND IF (medium = wireless)
THEN GRANT LIMITED ACCESS
Automating network access has direct impact on reducing cost of change
[Diagram: Enterprise Network connecting an IP Phone, a Visitor or Business Partner's Personal Machine, a Corporate Desktop, a Network Printer, a Network Device, a Wireless Access Point, a Surveillance Camera, a Fax Machine, a Medical Device, a Local Server/App, and Guests & Guest Devices]
Each access port is not assigned until a user/device attempts access.
Once authenticated & authorized, user/device is granted appropriate access level.
MAC address lookup:
• Ignition Server local store
• Manual input
• Wildcards (e.g. Avaya IP Phones 00:04:0d* and Cisco IP Phones 00:15:62*)
• Import CSV file with list of MAC address and other device attributes
• Access Portal auto-populate
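A MAC-address lookup of the kind this slide lists (local store, manual entries, OUI-style wildcards, CSV import), as an added Python example; this is not Avaya's code, and the CSV columns, the handling of MAC notations, and the default-deny result for unknown devices are assumptions:

```python
import csv
import io
import re
from typing import Optional

# Constructed device-store CSV in the spirit of "Import CSV file with list of MAC
# address and other device attributes". Column names are assumptions for this example.
DEVICE_CSV = """mac,device_type,sub_type
00:04:0d*,IP Phone,Avaya
00:15:62*,IP Phone,Cisco
00:11:22:33:44:55,Printer,Network Printer
"""
_NON_HEX = re.compile(r"[^0-9a-f]")

def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form (00-04-0D-AA-BB-CC, 0004.0daa.bbcc -> 00:04:0d:aa:bb:cc); a trailing '*' keeps a prefix wildcard."""
    wildcard = mac.strip().endswith("*")
    digits = _NON_HEX.sub("", mac.lower())
    if (not wildcard and len(digits) != 12) or (wildcard and not 1 <= len(digits) <= 11):
        raise ValueError(f"malformed MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return ":".join(pairs) + ("*" if wildcard else "")

class DeviceStore:
    """Local device store: exact MAC records plus wildcard (OUI-style) prefixes."""
    def __init__(self) -> None:
        self.exact: dict[str, dict] = {}
        self.prefixes: list[tuple[str, dict]] = []

    def add(self, mac: str, **attrs: str) -> None:
        key = normalize_mac(mac)
        if key.endswith("*"):
            self.prefixes.append((key[:-1], attrs))
            self.prefixes.sort(key=lambda p: -len(p[0]))  # most specific prefix wins
        else:
            self.exact[key] = attrs

    def import_csv(self, text: str) -> int:
        """Bulk load from CSV text; returns the number of records added."""
        count = 0
        for row in csv.DictReader(io.StringIO(text)):
            self.add(row.pop("mac"), **row)
            count += 1
        return count

    def lookup(self, mac: str) -> Optional[dict]:
        """Exact record wins over a wildcard; an unknown MAC returns None (default deny)."""
        key = normalize_mac(mac)
        if key in self.exact:
            return self.exact[key]
        return next((attrs for prefix, attrs in self.prefixes if key.startswith(prefix)), None)
```

A None result is where a real deployment would fall back to the captive portal or a restricted VLAN rather than granting access on an unrecognised MAC.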
Identity Engines
Authenticated Network Architecture
[Diagram: a Policy Information Point over a Directory Abstraction Layer, a Policy Decision Point over a Network Abstraction Layer, and a Policy Enforcement Point; Identity Engines components shown around them: Guest Access Mgmt, Posture Assessment, Reporting & Analytics, Access Portal, CASE Wizard]
Identity Engines
Authenticated Network Architecture
Identity Information Sources:
- Active Directory
- Novell eDirectory
- Sun Directory
- Oracle Internet Directory
- Generic LDAP
- Kerberos
- RSA SecurID
- Token Based Services
- RADIUS Proxy
[Diagram: Ignition Server with Ignition Access Portal, Ignition Guest Manager, Ignition Dashboard and Ignition Analytics; Wired, Wireless and VPN access passing through the Firewall to Corporate Resources]
Identity Engines
Ignition Server
• Centralized, standards-based policy engine
• Vendor Agnostic
• Highly-available AAA appliance for identity-based network access control
• RADIUS integration with all enterprise network equipment
• Quick and deep integration with major directories
• Detailed logging and troubleshooting capabilities
• Hitless upgrades where appropriate
• VMware virtual appliance with support for VMware ESX(i)
Ignition Dashboard
Access Policy
Access Policy = Authentication Policy + Identity Routing + Authorization Policy & Posture Policy
Ignition Dashboard
Detailed Logs
Identity Engines
Guest Manager
Guest Manager is a Web-based application that manages temporary network accounts for visitors.
• Provisioning/de-provisioning in 10 sec
• Front-desk or Guest Self-service
• Activation options
− Immediate activation
− Future activation
− Account duration time
− Activate on first login
• Choose any access method to implement: Wireless, Wired, and VPN
• Track Users: Guests, Consultants, Contractors
• Complete detailed logs
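The activation options above (immediate, future, fixed duration, activate on first login) worked through as an added Python example; this is not Avaya's code, and the class, its method names and the constructed clock are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class GuestAccount:
    """Temporary account whose access window opens at start_at, or on the first successful login."""
    username: str
    duration: timedelta                   # the slide's "Account duration time"
    start_at: Optional[datetime] = None   # None => "Activate on first login"
    first_login_at: Optional[datetime] = None

    @classmethod
    def immediate(cls, username, duration, now):
        return cls(username, duration, start_at=now)

    @classmethod
    def future(cls, username, duration, start_at):
        return cls(username, duration, start_at=start_at)

    @classmethod
    def on_first_login(cls, username, duration):
        return cls(username, duration)

    def status(self, now: datetime) -> str:
        start = self.start_at if self.start_at is not None else self.first_login_at
        if start is None:
            return "pending-first-login"   # the clock has not started yet
        if now < start:
            return "pending"
        if now >= start + self.duration:
            return "expired"               # duration counts from activation, not creation
        return "active"

    def login(self, now: datetime) -> bool:
        """Called after the password check: starts a first-login clock, then gates on the window."""
        if self.start_at is None and self.first_login_at is None:
            self.first_login_at = now
        return self.status(now) == "active"

def demo_lifecycle() -> dict:
    """Walk the three activation modes through one day on a constructed clock."""
    t0 = datetime(2013, 2, 26, 9, 0, tzinfo=timezone.utc)  # constructed start time
    h = timedelta(hours=1)
    imm = GuestAccount.immediate("guest-imm", 4 * h, now=t0)
    fut = GuestAccount.future("guest-fut", 4 * h, start_at=t0 + 2 * h)
    ofl = GuestAccount.on_first_login("guest-ofl", 4 * h)
    return {
        "imm@0h": imm.status(t0), "imm@5h": imm.status(t0 + 5 * h),
        "fut login@1h": fut.login(t0 + h), "fut@3h": fut.status(t0 + 3 * h),
        "ofl@1h": ofl.status(t0 + h), "ofl login@3h": ofl.login(t0 + 3 * h),
        "ofl@6h": ofl.status(t0 + 6 * h), "ofl@8h": ofl.status(t0 + 8 * h),
    }
```

Note that a future-activation account rejects logins before its start without starting its clock, while a first-login account is only consumed by a successful credential check.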
Identity Engines
Guest Manager Administration
• Multiple Guest Managers may be deployed:
− Against a single instance of the Ignition Server
− Under a single Guest Manager license
• Authorization policies for guests are in the Ignition Server
• Guest Manager Administrator
− Creates provisioners
− Creates provisioning templates
− Assigns provisioning templates to provisioners
• Guest Manager Provisioners
− May be internal or external (i.e. on LDAP / AD etc.)
− Single or bulk provisioning
− Provisioners are frequently called sponsors because they sponsor guests.
Identity Engines
Guest Manager Administration
Administration
• Notification options
• Password complexity
• Password generation
• Username generation
• Users bulk load
• Expiration
• Activation
Identity Engines
Ignition Access Portal
Access Portal can be deployed for the following use cases:
• Serves as a Captive Portal for non-802.1x clients
• Unifies Wired and Wireless access
− Access without 802.1x enablement
− Contractor & Employee Access with different modes of 802.1x enablement
• Performs device fingerprinting
• BYOD On-boarding
• Hosting place for the CASE Wizard
− CASE Wizard hosting for auto-configuration of 802.1x
− iOS Profile file hosting (from Apple iPhone/iPad Configuration Utility)
• BYOD On-boarding of managed and un-managed consumer devices (device attributes)
− Device profiling
− Auto-registration
− Auto-updates
Identity Engines
Ignition Access Portal
• Device Fingerprinting
− Access the Captive Portal on the IN interface for wired and wireless users
− User opens browser and enters corporate or guest account credentials
− User authenticated against Ignition Server
− If authentication succeeds, the user session is passed inline through the OUT interface
− Upon successful authentication, Access Portal, if enabled, also performs profiling of user devices and sends the device FINGERPRINT to the Ignition Server
Attribute     Description                     Examples
ID            MAC Address                     00:11:22:33:44:55
OS            Operating System Type           Mac OS X
OS Version    Operating System Version        10_6_8
Device Type   Type of client device           Mobile
Sub-type      Sub-type of the client device   iPad
− Device Type, Device Sub-Type, Device OS, Device OS Version
− New Avaya RADIUS VSAs are used for sending the device fingerprint
− If trusted, Ignition Server automatically creates a device fingerprint record
Identity Engines
Ignition Access Portal
[Diagram: user devices on Wired and Wireless reach the Access Portal IN interface; HTTP capturing and DEVICE PROFILING take place on the Access Portal, which talks RADIUS to the Ignition Server; authenticated sessions leave through the OUT interface; a separate ADMIN interface is shown. The Device Fingerprinting bullets and attribute table of the previous slide are repeated on this slide.]
Identity Engines
Ignition Access Portal
• Multiple Access Portals may be deployed:
− Against a single instance of the Ignition Server
− w/single Access Portal license
• Device Profiling
− Administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
− Device fingerprinting: Device Type, Device Sub-Type, Device OS, Device OS Version
− Device attributes are sent to the Ignition Server for registration and association with the user
• BYOD On-boarding
− Auto-register of Guest Visitor and Employee Guest devices
− Device profiling of registering devices
− Auto-association of devices with guest / employee records in Ignition Server
− Populating device records in Ignition Server with device profile attributes
Identity Engines
Ignition Access Portal
Authorization Policy on the Ignition Server
[Screenshots: Employee with personal iPad will gain access with … / Employee with personal Blackberry will NOT gain access with …]
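A first-match authorization policy covering the Case 1 / Case 2 rules from the identity-based access control slide and the iPad-versus-Blackberry decision on this slide, as an added Python example; this is not Avaya's code, and the request fields, the rule order, the VLAN names and the fail-closed default are assumptions:

```python
from dataclasses import dataclass
from typing import Callable

# Constructed access request (field names are assumptions): identity comes from the
# directory, device/sub_type from the local device store or the Access Portal
# fingerprint, medium from the RADIUS client (switch, WLAN controller, VPN).
@dataclass(frozen=True)
class AccessRequest:
    identity: str          # "HR employee", "guest"
    device: str            # "corp laptop", "personal"
    medium: str            # "wired", "wireless", "vpn"
    device_type: str = ""  # fingerprint: "Mobile", "Laptop"
    sub_type: str = ""     # fingerprint: "iPad", "Blackberry"

Condition = Callable[[AccessRequest], bool]

def attr_is(name: str, *values: str) -> Condition:
    """Condition: the request attribute `name` equals one of `values`."""
    return lambda req: getattr(req, name) in values

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple  # all must hold (the slide's IF ... AND IF ... chain)
    decision: str      # "FULL ACCESS", "LIMITED ACCESS" or "DENY"

# First matching rule wins; anything unmatched falls through to the default deny.
POLICY = (
    Rule("Case 1: HR employee, corporate laptop, wired",
         (attr_is("identity", "HR employee"), attr_is("device", "corp laptop"),
          attr_is("medium", "wired")), "FULL ACCESS"),
    Rule("Case 2: HR employee, personal iPad, wireless",
         (attr_is("identity", "HR employee"), attr_is("device", "personal"),
          attr_is("sub_type", "iPad"), attr_is("medium", "wireless")), "LIMITED ACCESS"),
    Rule("Other personal devices (e.g. Blackberry) are rejected",
         (attr_is("device", "personal"),), "DENY"),
)

def decide(policy: tuple, req: AccessRequest) -> tuple[str, str]:
    """Return (decision, rule name); fails closed when no rule matches."""
    for rule in policy:
        if all(cond(req) for cond in rule.conditions):
            return rule.decision, rule.name
    return "DENY", "default deny"

# Assumed VLAN names. FULL/LIMITED become an Access-Accept carrying the RFC 2868
# tunnel attributes that switches and WLAN controllers use for VLAN assignment.
VLAN_FOR = {"FULL ACCESS": "corp", "LIMITED ACCESS": "internet-only"}

def radius_response(decision: str) -> dict:
    vlan = VLAN_FOR.get(decision)
    if vlan is None:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": vlan}
```

Because the default is deny, a corporate laptop arriving over wireless is rejected until an explicit rule covers it, which is the behaviour to check for in the audit logs when a new medium or device class is introduced.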
Identity Engines
Ignition Access Portal
 Pages Customization
• Login page
• Success page
• Failure page
Identity Engines
Ignition CASE Wizard
• CASE Wizard
− CASE = Client Access to the Secure Enterprise
− A transient application to automate configuration of managed and un-managed Windows devices:
  − Auto-config of 802.1x
  − Auto-config of MS-NAP
− Dissolvable application
− Revertible or permanent configuration
− Wired and / or Wireless
• Network Profiles & Packages
− Set of network and security settings that define how a user connects to a particular defined network
− This profile is saved as an XML file and bundled into a CASE package, which in turn applies the settings to the user’s computer system
Identity Engines
Ignition CASE Wizard
Identity Engines
Ignition CASE Wizard
• CASE Wizard package hosted on a customer internal web site or on the Access Portal
• Different packages may be created for different network connectivity needs
• Exit Behavior
− CASE Wizard may be customized to either exit or reside in the System tray.
• Revert Settings
− CASE Wizard may be customized to let the user revert the settings
− Reverting is achieved by clicking “Revert Settings” in the System Tray.
Identity Engines
iOS Devices
Apple configuration utility for iOS devices
Config profile contains settings:
• Passcode policies
• Restrictions on device features
• Wi-Fi settings
• VPN settings
• Exchange ActiveSync
• Credentials and keys
• More…
Ways to deploy config profiles
• Physically connecting to the device
• In an email message
• On a webpage hosted by the Ignition Access Portal
• Over-the-air
Identity Engines
BYOD Examples
Access Portal for IT registration of managed devices
• IT login w/Admin credentials
• Device attributes captured
• Associate device with Device Group in the Dashboard
• Handover device to employee
• Policy in Ignition Server handles access
Access Portal for Employee registration of un-managed devices
• Employee login w/AD
• Device attributes captured
• Config option with CASE for Windows or iOS
• Employee access via 802.1x or Access Portal
[Diagram: Ignition Access Portal and Ignition Guest Manager in front of the Ignition Server; Wired, Wireless and VPN access passing through the Firewall to Corporate Resources]
Real Life Avaya Use-case: Self-Service Guest Wi-Fi Access
Avaya Wi-Fi Guest Access Management: Identity Engines R8.0 on the Avaya WLAN Infrastructure, live in the Santa Clara & Basking Ridge campuses
• Option 1: Guest Self-service
• Option 2: Employee sponsor (www.avaya.com/sponsor)
Identity Engines
Resources
Product Management
• Shmulik Nehama
• Email: snehama@avaya.com
• Office: 408-496-3110
• Mobile: 408-569-3635
YouTube Video
• http://www.youtube.com/watch?v=0ZrMOqzGMpE
30-Days Free Trial
• www.avaya.com/identitytrial
• Long term lab licenses available from product management
Live Demo
#AvayaATF
@shmulik247
Identity Engines
Santa Clara Lab Topology (Rack F-14)
[Diagram: lab topology with a DELL SERVER running VMware ESX1 4.1 and hosting the Ignition Server; an AD SERVER (Windows 2008); a Red Hat Enterprise Linux host; a Windows 7 host running Guest Manager and CASE Administration (AVAYA-NET.219); a Free BSD Access Portal with IN, OUT and ADMIN interfaces; a SECURE ZONE (Windows 2003); a NAC SWITCH (ERS 2550PWR) with per-port VLAN assignments; 4 x NAC Clients (Windows XP) on DHCP; a SECURE ROUTER with LAN/WAN sides and DHCP servers serving the client address ranges; and an Internet uplink]
Identity Engines
[Diagram: the same Santa Clara Lab Topology annotated for the live demo: Remote Desktop to AVAYA-NET.219, VMware vSphere Client for the DELL SERVER, the Dashboard for the Ignition Server, and a Web Browser for Guest Manager and Access Portal; the NAC Switch and NAC Clients are also called out]
Thank you!
#AvayaATF
@shmulik247
Backup Slides
Identity Engines
Microsoft NAP
Identity Engines
Ignition Posture
• A Clientless solution
• Identity Engines Ignition Server can require that the health and security of a managed end-user’s computer be checked before it is allowed to connect to the network. This is called ‘posture’.
• Posture policies can also auto-remediate common problems.
• Uses Microsoft’s embedded System Health Agent and Enforcement Client so nothing new to add.
Identity Engines
Ignition Posture
• Utilize existing applications on the desktop to conduct posture (compliance) checks.
• Windows XP SP3 and higher all support MS-NAP within the base operating system.
• Single license on Ignition Server to enable MS-NAP integration
• No additional licensing needed for the end point.
Identity Engines
Ignition Posture
Posture Policy Rule
• Clear notification to end-user on access status.
• Auto-remediation capabilities.
• ‘More Information’ to provide end-user with explicit details on what to do next (step-by-step instructions, host s/w etc…)
• Full details in Audit Logs.
[Screenshot: User Notification]
Identity Engines
Ignition Analytics
Identify device usage
• Who are your top users?
Create audit trails
• Look for trends of usage, users, and devices.
Increase visibility into activity level over time
• Identifying peak usage, lowest usage.
Deliver flexible reporting formats for Reports
• PDF, HTML, RTF and XLS file formats.
25 canned reports out-of-the-box
Last Slide.