Authenticated Network Architecture Michael Knabb

Post on 22-Dec-2015

TRANSCRIPT

Page 1: Authenticated Network Architecture Michael Knabb

Authenticated Network Architecture

Michael Knabb

Page 2

Avaya - Proprietary. Use pursuant to your signed agreement or Avaya policy. 2

[Image slide] Office Tools started here (image); then came this (image)

Page 3

TIME’s Person of the Year: YOU

[Chart, labels and values as extracted] Android apps, iPhone apps, Tablets in 2012, Smartphones, Social Media Users; values shown: 100 000, 350 000, 75 000 000, 800 000 000, 1 200 000 000

Tablet market $45B by 2014 – Yankee 2011

50% of enterprise users interested in or using consumer applications – Yankee 2011

Smartphone app revenue to triple by 2014 – Yankee 2011

The before is history…

Page 4

It is not About Saying No!!

NO you cannot bring your iPad
NO you cannot connect outdoor
NO you cannot bring your fancy laptop
NO you cannot do video conferencing

It is about saying YES! but… staying in control

YES bring your own iPad
YES you are welcome to do mobile collaboration
YES you are welcome to use virtual desktop
YES you are welcome to use Wifi VOIP

Page 5

70% of new enterprise users by 2013, will be wireless by default and wired by exception (Gartner)

• Average three to five devices per user each requiring capacity and contributing to the density

By 2015, 80% of newly installed wireless networks will be obsolete because of a lack of proper planning (Gartner)

• New context-rich applications requiring more bandwidth

• iPad deployments could need 300% more Wi-Fi

Where is the market going?

Page 6

Cost of Change - Operations Cost Reduction

Each wired or wireless access port is not assigned until a user/device attempts access. At that point it is given the appropriate level of access.

Direct annual TCO savings just by avoiding simple VLAN changes.

Indirect TCO saving just by avoiding network outages following manual configuration changes.

[Diagram] Devices connecting to the Enterprise Network: IP Phone, Visitor or Business Partner, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices

Page 7

Identity Engines Authenticated Network Architecture

[Diagram] Layers: Network Abstraction Layer, Directory Abstraction Layer

Components: Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Identity Engines, Captive Portal (v8.0), CASE (v8.0)

Roles: Policy Enforcement Point, Policy Decision Point, Policy Information Point

Page 8

Identity-based Access Control… with Identity Engines

Authorization Request → Check access device → Check access medium → Check identity stores

Access Script Example 1

If device = “managed”
If medium = “wired”
If identity = “HR employee”
then grant full network access

Page 9

Identity-based Access Control… with Identity Engines

Authorization Request → Check access device → Check access medium → Check identity stores

Access Script Example 2

If device = “iPad”
If medium = “wireless”
If identity = “HR employee”
then grant limited access
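The two Access Script examples above are one policy evaluated in a fixed order: device, then medium, then identity. The following is an added illustration written for this page in Python, not Identity Engines policy code or syntax. It encodes both examples as ordered rules, adds a catch-all rule for guest identities, and returns the record one would log per access attempt. The default deny for a request that matches no rule, and the mapping of outcomes to the VLAN numbers from the deck's "Logical: IP nets" slide, are assumptions of this example.

```python
"""Attribute-based access policy in the shape of the deck's two "Access
Script" examples. Added illustration for this page, not Identity Engines
policy code or syntax.

A request carries the three attributes the slides check in order: the
access device (from device profiling or posture), the access medium, and
the identity group resolved from the identity store. Rules are evaluated
top to bottom and the first match wins. A request matching no rule is
denied; that default deny and the VLAN mapping below are assumptions of
this example, not statements from the deck.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    device: str     # e.g. "managed", "iPad"
    medium: str     # "wired" or "wireless"
    identity: str   # e.g. "HR employee", "guest"


@dataclass(frozen=True)
class Rule:
    device: Optional[str]     # None matches any value
    medium: Optional[str]
    identity: Optional[str]
    outcome: str              # "full", "limited", "guest" or "deny"

    def matches(self, req: AccessRequest) -> bool:
        checks = ((self.device, req.device),
                  (self.medium, req.medium),
                  (self.identity, req.identity))
        return all(want is None or want == have for want, have in checks)


# VLAN numbers are the ones on the deck's "Logical: IP nets" slide; tying an
# outcome to a VLAN is this example's assumption. "limited" is left to the
# enforcement point (e.g. a filter on the access port) and gets no VLAN here.
OUTCOME_VLAN = {"full": 500, "guest": 100}

POLICY = [
    Rule("managed", "wired", "HR employee", "full"),     # Access Script Example 1
    Rule("iPad", "wireless", "HR employee", "limited"),  # Access Script Example 2
    Rule(None, None, "guest", "guest"),                  # any guest-identity request
]


def decide(req: AccessRequest, policy=POLICY) -> dict:
    """Evaluate the policy and return the decision together with the
    attributes worth logging for every access attempt."""
    for rule in policy:
        if rule.matches(req):
            outcome = rule.outcome
            break
    else:
        outcome = "deny"                  # explicit default deny
    return {
        "device": req.device,
        "medium": req.medium,
        "identity": req.identity,
        "outcome": outcome,
        "vlan": OUTCOME_VLAN.get(outcome),   # None when no VLAN is assigned
    }


if __name__ == "__main__":
    for req in (AccessRequest("managed", "wired", "HR employee"),
                AccessRequest("iPad", "wireless", "HR employee"),
                AccessRequest("iPad", "wired", "HR employee")):
        print(decide(req))
```

The third request in the usage block is the case worth noticing: an HR employee's iPad on a wired port matches neither example rule, so it is denied rather than inheriting the wired rule's full access. Rule order and an explicit default deny are what make the "say yes, but stay in control" stance hold.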

Page 10

Identity Engines Flexible Policy Engines

Extensive logging for each access attempt

Identity Engines, through its policies, essentially answers the question: Are you one of mine?

Page 11

Identity Engines Guest Manager

Identity Engines Guest Manager is a web application that lets front desk staff create and manage temporary network accounts for visitors.

Front Desk Console provides automated provisioning/de-provisioning in 30 sec.

Allow employees to create their own guest accounts.

Activation options
– Immediate activation
– Future activation
– Account duration time
– Activate on first login

Choose any access method to implement: Wireless, Wired, and VPN

Track users: Guests, Consultants, Contractors.
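The four activation options above define when a guest account's validity window opens and when it closes. The following is an added example for this page, not Guest Manager code: it models a temporary account with the three activation modes plus a duration, and decides a login attempt against it. The rule that a never-used activate-on-first-login account is accepted on its first attempt (and starts its clock then) is an assumption of this example, as is rejecting a future-activation account that has no start time.

```python
"""Guest account activation and validity, modelling the activation options
on the Guest Manager slide (immediate, future, account duration, activate on
first login). Added example for this page; not Guest Manager code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class GuestAccount:
    username: str
    activation: str                          # "immediate", "future" or "first_login"
    duration: timedelta                      # how long the account stays valid once active
    created: datetime
    start: Optional[datetime] = None         # required for "future"
    first_login: Optional[datetime] = None   # set by the first accepted login

    def activates_at(self) -> Optional[datetime]:
        """When the validity window opens, or None if that is not yet known."""
        if self.activation == "immediate":
            return self.created
        if self.activation == "future":
            return self.start
        if self.activation == "first_login":
            return self.first_login
        raise ValueError(f"unknown activation option {self.activation!r}")

    def expires_at(self) -> Optional[datetime]:
        """When the account stops working; drives automated de-provisioning."""
        opens = self.activates_at()
        return None if opens is None else opens + self.duration

    def is_valid(self, now: datetime) -> bool:
        opens = self.activates_at()
        if opens is None:
            # "future" without a start time is misconfigured: reject (assumption).
            # "first_login" that has never been used opens on use (assumption).
            return self.activation == "first_login"
        return opens <= now < opens + self.duration


def authenticate(acct: GuestAccount, now: datetime) -> bool:
    """One login attempt at time `now`; True = accept, False = reject."""
    if acct.activation == "first_login" and acct.first_login is None:
        acct.first_login = now               # the duration clock starts on first use
    return acct.is_valid(now)


if __name__ == "__main__":
    t0 = datetime(2012, 6, 1, 9, 0)      # constructed timestamps
    visitor = GuestAccount("visitor1", "immediate", timedelta(hours=8), t0)
    print(authenticate(visitor, t0 + timedelta(hours=1)))    # inside the window
    print(authenticate(visitor, t0 + timedelta(hours=9)))    # expired
```

De-provisioning then needs no manual step: a periodic sweep that disables every account whose `expires_at()` is in the past is the automated part the slide refers to, and an account with a known expiry can be removed from the access device's session table at that moment rather than left until the next manual VLAN change.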

Page 12

Unified wired and wireless

Vendor agnostic

Highly available virtual appliance

Robust guest management

Granular policy engine

Intelligent federated directories

Simple affordable licensing

Identity-based Access Control…with Identity Engines

Page 13

Identity Engines v8.0, What’s New

Access Portal/Captive Portal

Device Profiling

CASE Client, CASE Admin Console

RADIUS Proxy

Guest Manager Enhancement

Page 14

Avaya Identity Engines Access Portal Architecture

[Diagram] Access & Core Layer: Policy Decision, Identity Routing; Management and Session Provisioning; Abstracted and Identity Routing

Identity stores and integrations: LDAP, Kerberos, Active Directory, Novell/Oracle Directory, Consolidated LDAP & profile, Integration APIs, Multi-factor Authentication, Context Awareness, Application Authentication, Reporting and Analytics

Flows: End-points (Wired, Wireless) → RADIUS → Ignition Server (IDE); 802.1X Authentication for Employees; HTTP Capturing for Guest → Access Portal (Device Profiling); Firewall → Internet

Access Portal interface labels: IN, OUT, ADMIN

Page 15

Identity Engines Release 8.0

Access Portal
– Access Portal facilitates network access for guest devices, supporting full BYOD-based access
– Access Portal serves as a Captive Portal for wired and wireless users and allows inline sessions for non-802.1X users
– Hosting place for the CASE Client

Page 16

Device Profiling

What is it?
– A compact summary of software and hardware settings collected from a remote computing device.
– Passive Profiling
– Active Profiling

Why do we need it?
– To support the “Smart Phone” revolution
– Facilitates “Bring Your Own Device” (BYOD) policies in Enterprise Wireless LANs

Idea
– A user trying to gain network access using personal or unmanaged devices will be transitioned to an Access Portal where the portal will learn the necessary device attributes using various profiling technologies and update the Ignition Server with the device information.

Available ONLY on Identity Engines Access Portal

Page 17

Identity Engines Release 8.0

Device Profiling
– Administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
– Device fingerprinting by extracting information from browser-provided data during login
– Device Type, Device Sub-Type, Device OS, Device OS Version
– Device attributes are sent to the Ignition Server for device registration

Device Auto-registration
– Auto-register of Guest Visitor and Employee Guest devices
– Device profiling of registering devices
– Auto-association of devices with guest / employee records in Ignition Server
– Populating device records in Ignition Server with device profile attributes:
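Fingerprinting from "browser-provided data during login" means, in practice, parsing the User-Agent header the browser sends to the captive portal into the four attributes listed above. The block below is an added example for this page, not Identity Engines profiling code: a small ordered pattern table that turns a User-Agent string into Device Type, Device Sub-Type, Device OS and Device OS Version. The pattern table and the sample User-Agent strings are constructed for the example.

```python
"""Device fingerprinting from browser-provided data: the User-Agent header
seen at portal login is parsed into Device Type, Device Sub-Type, Device OS
and Device OS Version. Added example for this page, not Identity Engines
profiling code; the pattern table and sample strings are constructed.

The User-Agent is chosen by the client, so the resulting profile is a hint
for policy (e.g. "iPad over wireless gets limited access"), never proof of
what the device is.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceProfile:
    device_type: str       # "tablet", "mobile", "computer" or "unknown"
    device_subtype: str    # "iPad", "Android phone", "Windows PC", ...
    os: str
    os_version: Optional[str]


# Ordered: more specific patterns first (an iPad UA also contains "Mac OS X",
# an Android UA also contains "Linux"). Group 1, where present, is the version.
_PATTERNS = [
    (r"iPad;.*?CPU OS (\d+(?:_\d+)*)",          "tablet",   "iPad",           "iOS"),
    (r"iPhone;.*?CPU iPhone OS (\d+(?:_\d+)*)", "mobile",   "iPhone",         "iOS"),
    (r"Android (\d+(?:\.\d+)*).*Mobile",        "mobile",   "Android phone",  "Android"),
    (r"Android (\d+(?:\.\d+)*)",                "tablet",   "Android tablet", "Android"),
    (r"Windows NT (\d+(?:\.\d+)*)",             "computer", "Windows PC",     "Windows"),
    (r"Mac OS X (\d+(?:_\d+)*)",                "computer", "Mac",            "Mac OS X"),
    (r"\bLinux\b",                              "computer", "Linux PC",       "Linux"),
]


def profile_user_agent(user_agent: str) -> DeviceProfile:
    """Return the first matching profile, or an 'unknown' profile."""
    for pattern, dtype, subtype, os_name in _PATTERNS:
        match = re.search(pattern, user_agent)
        if match:
            version = match.group(1).replace("_", ".") if match.groups() else None
            return DeviceProfile(dtype, subtype, os_name, version)
    return DeviceProfile("unknown", "unknown", "unknown", None)


# Constructed sample User-Agent strings of the era covered by the deck.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3",
    "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Galaxy Nexus Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19",
    "curl/7.22.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(profile_user_agent(ua))
```

Two points a deployment should keep in mind. The order of the table matters: the iPad line must precede the Mac line and the Android lines must precede the Linux line, or the more generic pattern wins. And because the header is client-supplied, a profile obtained this way should only ever lower the access a user would otherwise get (the deck's "limited access" for an iPad), never raise it; the device record written to the Ignition Server is a registration detail, not an authentication result.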

Page 18

CASE Client

Client for Accessing the Secure Enterprise

Automates client config for 802.1X and MS NAP posture

Easy user adoption of 802.1X-based NAC

No footprint on the client device

All major browsers

All Windows flavours

ActiveX or Java delivery

Requires Access Portal

Page 19

Identity Engines Release 8.0

CASE Client for Accessing the Secure Enterprise
– Transient client to automate configuration of managed and unmanaged endpoint devices to participate in Network Access Control:
– CASE auto-configuration of 802.1X on Windows devices
– CASE auto-configuration of MS-NAP on Windows devices
– Administrator will be able to create CASE packages to accommodate various deployment needs: Wired, Wireless, Wired and Wireless
– Administrator will be able to set the CASE Client to set configuration as revertible or not

Page 20

What’s New in Guest Manager: Export/Import Configuration

The GM Import/Export Configuration feature enables the user to port Guest Manager configurations between multiple Guest Manager instances.

These configurations include: appliance configuration, RADIUS configuration, user certificates, Tomcat configuration (HTTP, SSL, etc.), and user preferences.

Page 21

Identity Engines Release 8.0

1-2-3 Easy Configuration
– Pre-provisioned configuration file includes a sample configuration and access policies

RADIUS Proxy
– Facilitates easy integration with an existing corporate RADIUS server using realm-based lookup
– Supports a proxy-failover model using intelligent Identity routing
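Realm-based lookup and proxy failover are two decisions a RADIUS proxy makes per request: which upstream server set the user's realm maps to, and what to do when a server in that set does not answer. The block below is an added example for this page, not Identity Engines code. The forwarding step is a callable so the routing logic runs offline with no packets sent; the realm table, server names, the choice of a home realm for bare user names, and the "unknown realm is refused" behaviour are assumptions of this example.

```python
"""Realm-based RADIUS proxy routing with failover. Added example for this
page, not Identity Engines code. Forwarding is simulated by a callable so
the routing logic runs offline; the realm table, server names and home
realm are constructed for the example.
"""
from typing import Callable, Dict, List, Optional, Tuple

# realm -> upstream RADIUS servers in failover order (constructed table)
REALM_TABLE: Dict[str, List[str]] = {
    "corp.example": ["radius1.corp.example", "radius2.corp.example"],
    "partner.example": ["aaa.partner.example"],
}
HOME_REALM = "corp.example"   # assumption: a bare user name belongs to the home realm


class NoRoute(Exception):
    """Raised for a realm that has no configured upstream server."""


def split_nai(user_name: str) -> Tuple[str, str]:
    """Split a user@realm name into (user, realm).

    The realm is normalised to lower case; a missing or empty realm maps to
    the home realm (assumption). The user part is returned untouched."""
    if "@" not in user_name:
        return user_name, HOME_REALM
    user, realm = user_name.rsplit("@", 1)
    return user, (realm.lower() or HOME_REALM)


# forward(server, user_name) -> True (Access-Accept), False (Access-Reject)
# or None (no response within the timeout)
Forwarder = Callable[[str, str], Optional[bool]]


def route_request(user_name: str, forward: Forwarder) -> Tuple[str, str, List[str]]:
    """Look up the realm, then try its servers in order.

    Failover happens only when a server does not answer. An Access-Reject is
    a definitive answer and must not trigger a retry on the next server,
    otherwise a user rejected by the primary would get a second chance on
    the secondary. Returns (realm, decision, servers_tried)."""
    _, realm = split_nai(user_name)
    servers = REALM_TABLE.get(realm)
    if not servers:
        raise NoRoute(realm)            # unknown realm: refuse rather than guess
    tried: List[str] = []
    for server in servers:
        tried.append(server)
        answer = forward(server, user_name)
        if answer is not None:
            return realm, ("accept" if answer else "reject"), tried
    return realm, "no-response", tried


if __name__ == "__main__":
    # Constructed behaviour: the primary corporate server is down, the
    # secondary accepts, the partner server rejects.
    def demo_forward(server: str, user_name: str) -> Optional[bool]:
        return {"radius1.corp.example": None,
                "radius2.corp.example": True,
                "aaa.partner.example": False}[server]

    print(route_request("alice@corp.example", demo_forward))
    print(route_request("bob@partner.example", demo_forward))
```

The two edge cases are the ones that matter for security: a reject is never retried elsewhere, and a realm that is not in the table raises rather than silently falling through to the home server, which would otherwise let an attacker pick the identity store by choosing the realm suffix.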

Page 22

Identity Engines 8.0

Live Demo

Page 23

Demo Guest; Server & Logical View

[Diagram] Ignition Server; Guest Manager & CASE; Active Directory (PDC); Access Portal; Firewall; Guest VRF; Intranet; Internet; Wireless & Wired users

Page 24

Demo Guest; Server & Segments View

[Diagram] Segments: Guest VRF, DMZ, Intranet, Out of Band Network, Internet. Components: Ignition Server (IDE), Guest Manager & CASE, Active Directory (PDC), Access Portal, Firewall, Wireless & Wired users

Page 25

Logical: IP nets (VSP9000-1, VSP9000-2)

VLAN    Role      Subnet
5       Voice     10.0.5.0/24
100     Guest     10.0.10.0/24
200     Printer   10.0.20.0/24
300     Branch    10.0.30.0/24
500     Data      10.0.50.0/24
600     Server    10.0.60.0/24
1000    Mgmt      10.0.100.0/24

Routing instances: VRF Voice, VRF Guest, GRT / VRF0

Page 26

Identity Engines Resources

Support from Product Management
– Michiel Noordermeer / Markus Nikulski
– Email [email protected] / [email protected]

30-Days Free Trial
– www.avaya.com/identitytrial
– Long term lab licenses available from product management

Collateral
– http://www.avaya.com/usa/product/identity-engines-portfolio
– Brochures
– Case Studies
– Technical Configuration Guides

Page 27

Identity Engines - 30-Days Free Trial

IDEngines FULLY featured at URL: www.avaya.com/identitytrial
– Short registration form
– IDEngines licenses sent by email

All modules are included
– Ignition Server SMALL
– MS-NAP
– TACACS+
– Guest Manager
– Analytics

Evaluation deployment can be upgraded to production deployment simply by applying purchased licenses

Page 28

Page 29

Plan for Success… with Avaya’s BYOD Solution

Scalable: Future-proof wireless
Identity-based: Network Access Control
Optimized: For collaborative, real time applications
Secure: Network & device security