Authenticated Network Architecture
Michael Knabb
Office tools started here, then came this:
Avaya - Proprietary. Use pursuant to your signed agreement or Avaya policy.
The before is history…
Chart: Android apps, iPhone apps, tablets in 2012, smartphones and social media users, with counts ranging from 100 000 up to 1 200 000 000.
 Tablet market $45B by 2014 – Yankee 2011
 50% of enterprise users interested in or using consumer applications – Yankee 2011
 Smartphone app revenue to triple by 2014 – Yankee 2011
TIME’s Person of the Year: YOU
It is not about saying NO!
It is about saying YES! but staying in control.
NO, you cannot bring your iPad.
NO, you cannot connect outdoors.
NO, you cannot bring your fancy laptop.
NO, you cannot do video conferencing.
YES, bring your own iPad.
YES, you are welcome to do mobile collaboration.
YES, you are welcome to use a virtual desktop.
YES, you are welcome to use Wi-Fi VoIP.
Where is the market going?
 70% of new enterprise users by 2013 will be wireless by default and wired by exception (Gartner)
• Average three to five devices per user, each requiring capacity and contributing to the density
 By 2015, 80% of newly installed wireless networks will be obsolete because of a lack of proper planning (Gartner)
• New context-rich applications requiring more bandwidth
• iPad deployments could need 300% more Wi-Fi
Cost of Change - Operations Cost Reduction
Diagram: endpoint types attached to the enterprise network: IP phone, visitor or personal or business-partner machine, corporate desktop, network printer, network device, wireless access point, surveillance camera, fax machine, medical device, local server/app, guests and guest devices.
 Each wired or wireless access port is not assigned until a user/device attempts access. At that point it is given the appropriate level of access.
 Direct annual TCO savings just by avoiding simple VLAN changes.
 Indirect TCO savings just by avoiding network outages following manual configuration changes.
Identity Engines
Authenticated Network Architecture
Diagram: Identity Engines modules: Guest Access Mgmt, Posture Assessment, Reporting & Analytics, Captive Portal (v8.0), CASE (v8.0). Policy stack from top to bottom: Policy Information Point, Directory Abstraction Layer, Policy Decision Point, Network Abstraction Layer, Policy Enforcement Point.
Identity-based Access Control… with Identity Engines
Authorization request - access script, example 1:
  Check access device: if device = “managed”
  Check access medium: if medium = “wired”
  Check identity stores: if identity = “HR employee”
  then grant full network access
Authorization request - access script, example 2:
  Check access device: if device = “iPad”
  Check access medium: if medium = “wireless”
  Check identity stores: if identity = “HR employee”
  then grant limited access
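The two access scripts above are attribute checks evaluated in order by a policy decision point. The following is an added illustration of that evaluation in Python; it is not Identity Engines code, and the rule format, the attribute names (identity, device, medium), the access levels and the extra guest rule are assumptions made for the example.

```python
"""Attribute-based access decision, modelled on the two access-script examples above.
Added illustration, not Identity Engines code: the rule format, the attribute names
(identity, device, medium) and the access levels are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """What the policy decision point knows about one authorization request."""
    identity: str   # group resolved from the identity store(s), e.g. "HR employee"
    device: str     # classification of the access device, e.g. "managed", "iPad"
    medium: str     # "wired" or "wireless"


@dataclass
class Rule:
    """A rule matches when every attribute listed in `match` equals the request's
    value; an attribute left out of `match` is a wildcard."""
    name: str
    match: dict
    access: str     # outcome handed to the enforcement point, e.g. "full", "limited"

    def matches(self, req: AccessRequest) -> bool:
        return all(getattr(req, attr) == value for attr, value in self.match.items())


DEFAULT_ACCESS = "deny"   # whatever no rule claims is denied

# First-match policy: more specific rules must precede broader ones.
POLICY = [
    # Example 1 from the slides: managed device, wired, HR employee -> full access
    Rule("hr-managed-wired",
         {"device": "managed", "medium": "wired", "identity": "HR employee"}, "full"),
    # Example 2 from the slides: iPad, wireless, HR employee -> limited access
    Rule("hr-ipad-wireless",
         {"device": "iPad", "medium": "wireless", "identity": "HR employee"}, "limited"),
    # Assumed extra rule: a guest identity gets guest access on any device and medium
    Rule("guest-any", {"identity": "guest"}, "guest"),
]


def decide(req: AccessRequest, policy=POLICY) -> tuple:
    """Evaluate the request against the ordered policy.
    Returns (rule name, access) so the decision can be logged per access attempt;
    falls through to the default-deny outcome when nothing matches."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, rule.access
    return "default", DEFAULT_ACCESS


if __name__ == "__main__":
    # Constructed sample requests: the two slide examples, then a combination
    # neither rule covers (HR employee on an iPad over wired) to show default deny.
    for req in (AccessRequest("HR employee", "managed", "wired"),
                AccessRequest("HR employee", "iPad", "wireless"),
                AccessRequest("HR employee", "iPad", "wired"),
                AccessRequest("guest", "iPad", "wireless")):
        print(req, "->", decide(req))
```

Two points worth noting when writing such policies: with first-match evaluation the order of the rules is part of the policy, and the device and medium attributes are only as trustworthy as the way the enforcement point learned them. A device counted as “managed” should be established by something the network verifies (802.1X machine authentication, a certificate), not by a label the client supplies.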
Identity Engines
 Flexible policy engines
 Extensive logging for each access attempt
Identity Engines, through its policies, basically answers the question: are you one of mine?
Identity Engines Guest Manager
 Identity Engines Guest Manager is a web application that lets front desk staff create and manage temporary network accounts for visitors.
 Front Desk Console provides automated provisioning/de-provisioning in 30 sec.
 Allows employees to create their own guest accounts.
 Activation options
– Immediate activation
– Future activation
– Account duration time
– Activate on first login
 Choose any access method to implement: wireless, wired, and VPN
 Track users: guests, consultants, contractors.
Identity-based Access Control…
with Identity Engines
 Unified wired and wireless
 Vendor agnostic
 Highly available virtual appliance
 Robust guest management
 Granular policy engine
 Intelligent federated directories
 Simple affordable licensing
Identity Engines v8.0, What’s New
 Access Portal/Captive Portal
 Device Profiling
 CASE Client
 CASE Admin Console
 RADIUS Proxy
 Guest Manager Enhancement
Avaya Identity Engines - Access Portal Architecture
Diagram: wired and wireless end-points attach at the access & core layer. Employees authenticate with 802.1X on both wired and wireless; guest HTTP traffic is captured and sent to the Access Portal, which performs device profiling and speaks RADIUS to the Ignition Server (IDE). The IDE provides policy decision and identity routing, consolidated LDAP and profile data from Active Directory and Novell/Oracle directories (LDAP, Kerberos), multi-factor authentication, integration APIs, context awareness, application authentication, reporting and analytics, abstracted identity routing, and management and session provisioning (admin). Internet access goes through the firewall.
Identity Engines Release 8.0
 Access Portal
– Access Portal facilitates network access for guest devices, supporting full BYOD-based access
– Access Portal serves as a captive portal for wired and wireless users and allows inline sessions for non-802.1X users
– Hosting place for the CASE Client
Device Profiling
 What is it?
– A compact summary of software and hardware settings collected from a remote computing device.
– Passive profiling
– Active profiling
 Why do we need it?
– To support the “smart phone” revolution
– Facilitates “Bring Your Own Device” (BYOD) policies in enterprise wireless LANs
 Idea
– A user trying to gain network access using personal or unmanaged devices is transitioned to an Access Portal, where the portal learns the necessary device attributes using various profiling technologies and updates the Ignition Server with the device information.
 Available ONLY on the Identity Engines Access Portal
Identity Engines Release 8.0
 Device Profiling
– Administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
– Device fingerprinting by extracting information from browser-provided data during login
– Device Type, Device Sub-Type, Device OS, Device OS Version
– Device attributes are sent to the Ignition Server for device registration
 Device Auto-registration
– Auto-registration of Guest Visitor and Employee Guest devices
– Device profiling of registering devices
– Auto-association of devices with guest / employee records in Ignition Server
– Populating device records in Ignition Server with device profile attributes:
CASE Client
 Client for Accessing the Secure Enterprise
 Automates client configuration for 802.1X and MS NAP posture
 Easy user adoption of 802.1X-based NAC
 No footprint on the client device
 All major browsers
 All Windows flavours
 ActiveX or Java delivery
 Requires Access Portal
Identity Engines Release 8.0
 CASE, Client for Accessing the Secure Enterprise
– Transient client to automate configuration of managed and unmanaged endpoint devices to participate in Network Access Control:
– CASE auto-configuration of 802.1X on Windows devices
– CASE auto-configuration of MS-NAP on Windows devices
– Administrator will be able to create CASE packages to accommodate various deployment needs: wired, wireless, wired and wireless
– Administrator will be able to set the CASE Client to make its configuration changes revertible or not
What’s New in Guest Manager - Export/Import Configuration
 The GM import/export configuration feature enables users to port Guest Manager configurations between multiple Guest Manager instances.
 These configurations include:
– Appliance configurations
– RADIUS configurations
– User certificates
– Tomcat configurations (HTTP, SSL, etc.)
– User preferences
Because the export carries the RADIUS configuration and certificates, the exported file should be handled as sensitive material while it is moved between instances.
Identity Engines Release 8.0
 1-2-3 Easy Configuration
– Pre-provisioned configuration file includes sample configurations and access policies
 RADIUS Proxy
– Facilitates easy integration with an existing corporate RADIUS server using realm-based lookup
– Supports a proxy-failover model using intelligent identity routing
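Realm-based lookup means the proxy reads the realm part of the User-Name in each Access-Request and picks a home server from a table, with the failover model trying the next server in that realm’s list when the first does not answer. The following Python is an added example of that decision, not Identity Engines code: the routing table, server names, the local-realm set and the way unreachable servers are simulated are assumptions.

```python
"""Realm-based RADIUS proxy routing with failover, illustrating what the RADIUS
proxy decides for each incoming Access-Request. Added example, not Identity
Engines code: the routing table, server names and the way unreachable servers
are simulated are assumptions."""

from dataclasses import dataclass


@dataclass
class RealmRoute:
    realm: str
    servers: list              # ordered: primary first, then failover targets
    strip_realm: bool = False  # forward the bare user name to the home server?


# Assumed routing table, keyed by lower-case realm.
ROUTES = {
    "corp.example": RealmRoute("corp.example",
                               ["radius1.corp.example", "radius2.corp.example"]),
    "partner.example": RealmRoute("partner.example",
                                  ["radius.partner.example"], strip_realm=True),
}
# Realms answered by the local policy engine rather than proxied
# ("" is a user name with no realm at all, e.g. a locally created guest account).
LOCAL_REALMS = {"", "guest.example"}


def split_realm(user_name: str) -> tuple:
    """Accept user@realm (NAI form) and REALM\\user (Windows down-level form).
    Only the last '@' delimits the realm, so 'a@b@corp.example' is user 'a@b'."""
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm.lower()
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, ""


def route(user_name: str, unreachable=frozenset()) -> tuple:
    """Decide where an Access-Request goes.
    `unreachable` simulates home servers that have stopped answering (a real proxy
    learns this from missed responses). Returns (action, target, forwarded User-Name)."""
    user, realm = split_realm(user_name)
    if realm in LOCAL_REALMS:
        return "local", None, user_name
    r = ROUTES.get(realm)
    if r is None:
        # Unknown realm: reject instead of guessing a home server, so a mistyped
        # realm cannot carry credentials to the wrong organisation.
        return "reject", None, user_name
    forwarded = user if r.strip_realm else user_name
    for server in r.servers:                # primary, then failover targets in order
        if server not in unreachable:
            return "proxy", server, forwarded
    return "reject", None, user_name        # every home server down: fail closed


if __name__ == "__main__":
    # Constructed sample user names.
    for name in ("alice@corp.example", "PARTNER.EXAMPLE\\bob", "visitor42", "eve@nowhere.example"):
        print(name, "->", route(name))
    print("alice@corp.example with primary down ->",
          route("alice@corp.example", unreachable={"radius1.corp.example"}))
```

The two deliberate choices are to reject requests for realms that are not in the table, rather than forwarding them to some default server where the user’s credentials would end up at the wrong organisation, and to fail closed when every home server for a realm is unreachable.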
Identity Engines 8.0 - Live Demo
Demo Guest; Server & Logical View
Diagram: wireless & wired users, Guest Manager & CASE, Ignition Server, Active Directory (PDC), Guest VRF, Access Portal, intranet, firewall, Internet.
Demo Guest; Server & Segments View
Diagram: the same components drawn by segment: Guest VRF, Internet, DMZ, intranet and an out-of-band network, with the Ignition Server (IDE), Guest Manager & CASE, Active Directory (PDC), firewall and Access Portal placed across them.
Logical: IP nets
Switches: VSP9000-1 and VSP9000-2 (GRT / VRF0), with VRF Voice and VRF Guest.
VLAN   Name     Subnet
5      Voice    10.0.5.0/24
100    Guest    10.0.10.0/24
200    Printer  10.0.20.0/24
300    Branch   10.0.30.0/24
500    Data     10.0.50.0/24
600    Server   10.0.60.0/24
1000   Mgmt     10.0.100.0/24
Identity Engines Resources
 Support from Product Management
– Michiel Noordermeer / Markus Nikulski
– Email: mnoorder@avaya.com / nikulskimark@avaya.com
 30-Days Free Trial
– www.avaya.com/identitytrial
– Long-term lab licenses available from product management
 Collateral
– http://www.avaya.com/usa/product/identity-engines-portfolio
– Brochures
– Case Studies
– Technical Configuration Guides
Identity Engines - 30-Days Free Trial
 IDEngines FULLY featured at URL: www.avaya.com/identitytrial
– Short registration form
– IDEngines licenses sent by email
 All modules are included
– Ignition Server SMALL
– MS-NAP
– TACACS+
– Guest Manager
– Analytics
 Evaluation deployment can be upgraded to production deployment simply by applying purchased licenses
Plan for Success…with Avaya’s BYOD Solution
Diagram: Identity-based Network Access Control; Secure (network & device security); Scalable; Optimized; Future-proof wireless for collaborative, real-time applications.