guest management - Washington Learning Source


The challenge and solution for BYOD
Bruce Lurie, Territory Sales Manager
Meru Confidential
The Direction of Education
PROPRIETARY AND CONFIDENTIAL
WI-FI NETWORK ACCESS IS CHANGING…
Diversity of Devices
> Users want to connect more than just PCs
> Both Institution and Personally Owned Devices
[Diagram: Mission Critical; WLAN for Casual Use]
Diversity of Users
> Collaboration requires access for
• Employees
• Students
• Guests
• Consultants
…AND WITH IT BRINGS NEW IT CHALLENGES
1. How Do You Provision Secure Network Access For Bring Your Own Device (BYOD)
• Under IT policies/control
• Efficient / Cost-effective
• Reduce reliance on IT
2. How Do You Provision Secure Network Access For New Types of User
• Efficiently - requiring no IT interaction
• Flexibly – Get users on the network quickly
• Traceable – Be able to fully audit network use
INTRODUCING IDENTITY MANAGER – SOLVING THE KEY PROBLEMS
> Guest Management
• Delivers secure, scalable wireless network access for guests, employees and their mobile devices.
• Less reliance on IT while enforcing the policies set forth by IT
> Smart Connect
• Solves the greatest barrier to secure connectivity adoption
• Provision client devices for secure 802.1x based on predetermined IT policy
> Guest Management + Smart Connect
• Addresses BYOD (Bring Your Own Device) for IT
GUEST MANAGEMENT
THE GUEST NETWORK – ENTERPRISE & PUBLIC HOTSPOTS
A Guest Network is used to provide network access for external users
> Enable improved productivity from suppliers and contractors
> Strengthen collaboration between faculty and students
> Becoming critical in education conferences
> Presents a professional image to visitors and customers
THE CHALLENGES OF DEPLOYING A GUEST NETWORK
> How do you:
> Easily create user accounts?
> Provide the details to your guests?
> Give different levels of access?
> Audit and Record everything that happens?
> Meet your security requirements?
INTRODUCING GUEST MANAGEMENT WITH IDENTITY MANAGER
PROVISIONING
> Who should create user accounts?
• Receptionist/Lobby Ambassador
• IT Security
• Managers
• Help Desk
• Anyone
> Identity Manager lets you choose based upon your security policy
> Allowing anyone to create accounts provides increased usage and will be just as secure
✓ Reduced Cost
✓ Full Audit Trail
✓ Speed of access
✓ Ease of use
PROVISIONING USING THE SPONSOR PORTAL
> Policy Based Sponsor Portal for internal users
> Full Web or Smartphone Sponsor Interface available
> Authenticate with corporate credentials
• Local Database
• Active Directory
• LDAP
• RADIUS
• Kerberos
• Client Certificates
CREATING GUEST ACCOUNTS
1. Enter user details
2. Specify the account length
3. Add user
NOTIFYING GUESTS
Send account information via print-out, email, or SMS text message
CUSTOMIZABLE GUEST PORTALS
[Portal components shown: Login; Welcome to our guest hotspot!; Credit Card; Guest Self Registration; Password Change]
Fully customize this page and add the components you want!
POLICY BASED GUEST PORTALS
> Dynamically generate guest portal based upon your policy using:
• Location
• Language
• Device
• IP Address
• Time of Day
• OS
• Cookies
• Web Browser
• Mobile Device
• HTTP Header
• GET Parameter
• POST Parameter
MANAGEMENT AND REPORTING
Visibility and Management of Guest Users
• Sponsor Information
• Guest Information
• Account Management
GUEST ACTIVITY REPORTING
[Diagram: Internet]
Username: guestname
IP Address: 192.168.1.1
Login Time: 11:30
Logout Time: 12:15
11:37 192.168.1.1 accessed http://www.google.com
11:38 192.168.1.1 used the bittorrent protocol
12:09 192.168.1.1 connected to vpn.mycompany.com
Consolidated Audit Report of Guest Activity
COMPLETE AUDIT OF GUEST ACTIVITY
> When they logged in
> Where they logged in
> The guest's address
> What they did
> What was allowed
> What was disallowed
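The consolidation described on these two slides, sketched as an added example (not Identity Manager's code or report format): each activity line is attributed to the guest whose login window covers it on that IP address. The second session and the 12:40 and 13:05 events are constructed to show address reuse and activity outside any session.

```python
from datetime import time
from typing import NamedTuple

# Constructed sample data in the shape of the slide's records (same-day HH:MM).
SESSIONS = """\
guestname 192.168.1.1 11:30 12:15
contractor7 192.168.1.1 13:00 13:45
"""
ACTIVITY = """\
11:37 192.168.1.1 accessed http://www.google.com
11:38 192.168.1.1 used the bittorrent protocol
12:09 192.168.1.1 connected to vpn.mycompany.com
12:40 192.168.1.1 accessed http://example.org
13:05 192.168.1.1 accessed http://example.net
"""

class Session(NamedTuple):
    user: str
    ip: str
    login: time
    logout: time

def hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def parse_sessions(text: str) -> list:
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [Session(u, ip, hhmm(a), hhmm(b)) for u, ip, a, b in rows]

def attribute(sessions: list, activity: str) -> list:
    """Return (time, user or None, ip, event) for every activity line."""
    report = []
    for line in activity.splitlines():
        stamp, ip, event = line.split(maxsplit=2)
        when = hhmm(stamp)
        # The IP alone is not an identity: addresses are reused between
        # guests, so the login/logout window has to match as well.
        owners = [s.user for s in sessions
                  if s.ip == ip and s.login <= when <= s.logout]
        user = owners[0] if len(owners) == 1 else None
        report.append((stamp, user, ip, event))
    return report

def consolidated(report: list) -> dict:
    """Group events per user; events outside every session go under None."""
    by_user: dict = {}
    for stamp, user, _ip, event in report:
        by_user.setdefault(user, []).append(f"{stamp} {event}")
    return by_user
```

Events grouped under `None` are the ones to review: traffic from a guest address with no authenticated session behind it.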
MANAGEMENT REPORTS
FULL CUSTOMIZED MANAGEMENT REPORTING OF THE GUEST NETWORK
SMART CONNECT
THE CHALLENGES OF CONSUMERIZATION
> Setup Connectivity without assistance?
• Self Service Provisioning
• Remove IT overhead
• Quick easy access made secure
> Differentiate between corporate and personal devices?
• Grant different levels of network access
• Enforce policies (password set, device locked etc)
TRADITIONAL UNENCRYPTED GUEST NETWORKS
> Traditionally Guest Networks are built with
• web authentication
• no encryption
[Diagram: Unencrypted, Internet, Access Point, Web Authentication, Wireless Controller]
> Lack of encryption means once you connect everyone can see your traffic
> In addition Web Authentication is easy, but not seamless
• You need to open a web browser and enter a username/password
• On the other hand 802.1x happens automatically in the background
802.1X IS THE ANSWER, BUT…
802.1x (WPA/WPA2) is hard to configure on clients
1. Connect to a network
2. Select your protocol
3. Select the EAP type
4. Trust the server certificate (let's hope it's installed already)
5. Choose how you send your username
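As an added illustration (not from the deck and not Smart Connect's own output), the five manual steps map onto a wpa_supplicant client profile, the supplicant used on Android and Linux, and can be checked mechanically. The SSID, certificate path and server name are constructed, and step 5 is read here as the outer-identity setting, which is an interpretation.

```python
import re

# Constructed wpa_supplicant network blocks; SSID, path and names are placeholders.
MANUAL = '''
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
}
'''
PROVISIONED = '''
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    anonymous_identity="anonymous"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

def parse_network(block):
    """Return the key=value settings of one network={...} block as a dict."""
    body = re.search(r"network=\{(.*?)\}", block, re.S).group(1)
    pairs = (line.strip().split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def audit(block):
    """List which of the slide's five steps the profile leaves unset or unsafe."""
    cfg, findings = parse_network(block), []
    if not cfg.get("ssid"):
        findings.append("step 1: no SSID")
    if cfg.get("key_mgmt") != "WPA-EAP":
        findings.append("step 2: not WPA/WPA2 Enterprise")
    if not cfg.get("eap"):
        findings.append("step 3: EAP type unset")
    if not cfg.get("ca_cert"):
        findings.append("step 4: server certificate not validated")
    elif not (cfg.get("domain_suffix_match") or cfg.get("subject_match")):
        findings.append("step 4: CA trusted but server name not pinned")
    if cfg.get("eap") in ("PEAP", "TTLS") and not cfg.get("anonymous_identity"):
        findings.append("step 5: username sent in the clear as outer identity")
    return findings
```

A profile typed in by hand commonly looks like `MANUAL`: it connects, but without `ca_cert` the client will hand its credentials to any access point that presents the same SSID.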
AUTOMATED CLIENT CONFIGURATION WITH SMARTCONNECT
[Diagram: Access Point]
1. Authenticate using web authentication
2. Download an applet to configure 802.1x
3. Automatically connect with 802.1x
Identity Manager automates the configuration through a downloadable agent from the guest portal
Supported Today:
• Windows
• iPad/iPhone
• Apple Mac
• Android
More to Come…
WALKTHROUGH
STEP 1 – INITIAL CONNECTION
[Diagram: Identity Manager, Access Point, Wireless Controller]
1. User connects to “provisioning” or “guest” SSID
2. Opens their web browser and gets redirected to the Identity Manager by the captive portal on the Wireless controller.
3. The Identity Manager works out that an iPad (or any device) has connected and displays a web portal designed for that device.
WALKTHROUGH
STEP 2 - PROVISIONING
1. User enters AD authentication
2. Identity Manager verifies it on corporate AD
3. Identity Manager delivers an iPad Profile
4. User accepts and installs it
5. User reconnects to the network using enterprise settings
WALKTHROUGH
STEP 3 – CONNECT SECURELY
• Now the device connects automatically at every access
• Communication secured by WPA Enterprise 802.1x
• Authentication against Identity Manager or Enterprise RADIUS
[Diagram: Identity Manager, 802.1x, Access Point, RADIUS, Wireless Controller]
POLICY CONTROL
Now you have devices connected you can apply policy to them
> What can they do?
• Full Role Based Access Control
• Per User Firewall rules, VLAN assignments etc
> Policies by user or device
• Different for corporate device vs personal device
> When and Where
• Where can they access from
• Time of Day Restrictions
TYPICAL DEPLOYMENT
[Diagram: Meru Controller, Internet, wireless or wired, Out of Band, Meru Identity Manager]
Username: guestname
IP Address: 192.168.1.1
Login Time: 11:30
Logout Time: 12:15
DEPLOYMENT OPTIONS
VMware Virtual Appliance
• Installs into a VMware virtual machine running on VMware Server, ESX or ESXi
Meru Services Appliance
• Supported on SA200 and SA2000
Licensed by Concurrent users for each feature: Guest Management & SmartConnect
Scalable from Fifty Users to Thousands
Active/Active High availability supported between any two nodes
LICENSING OVERVIEW
> Identity Manager
• Customer purchased hardware (SA200/2000) or VMware base SKU
• License-able Features added to the Identity Manager platform to turn on features on a concurrent user basis
[Diagram: Identity Manager platform with Guest Management, Smart Connect, Other license-able features]
> Guest Management
• Licensed by concurrent guest users at any one time
> Smart Connect
• Licensed by active users who have been setup by Smart Connect
NEW MAJOR FEATURES
> Smart Connect for MAC OSX
• Full downloadable application supports 10.5, 10.6, 10.7
> Smart Connect for Ubuntu Linux
• Supports 11.04 and later
> Smart Connect for Kindle Fire
• Supports Amazon Fire for 802.1X configuration
> Advanced Authorization Policy
• Wizard based setup
• Allows complex rules to be built (such as is user an employee and the device corporate owned)
Thank you