Bring Your Own Design: Implementing BYOD Without Going Broke or Crazy

Eric Stresen-Reuter, Technical Director, Ruckus Wireless

RUCKUS WIRELESS PROPRIETARY AND CONFIDENTIAL

Bring Your Own Design: Simplifying BYOD with Ruckus

What Enterprises REALLY Want

Three themes: getting users and devices on the network; enforcing user policies and security; managing and controlling devices.

o Simple on-boarding
o Automated enforcement of user/device policies
o Visibility of who and what is on the WLAN
o Extension of wired security to the WLAN
o More capacity to deal with the flood of devices
o Leverage existing infrastructure

What Enterprises REALLY Need: the BYOD Technology Circle

IDENTIFY
o Device profiling
o Device inventory
o Inventory dashboard

ONBOARD
o Device registration
o Zero-touch onboarding
o Provisioning: Wi-Fi/VPN profile, certificate management

SECURE
o Access control based on device type/profile
o Access control based on user roles
o Secure connectivity

MANAGE
o Mobile Device Management (MDM)
o Mobile Application Management (MAM)

What’s Driving Wireless? #1: Students’ Daily Lives are Media Rich!

o Cell phone use (18 to 34 year olds):
  o 91% take photos vs. 76% of all adults
  o 61% play music vs. 33% of all adults
  o 57% record a video vs. 34% of all adults
  --- Pew Internet and American Life Project, “Generations and their Gadgets”, February 3, 2011.
o 92% of undergrads use Wi-Fi vs. 57% of all adults
o 59% of undergrads own a desktop PC
o 88% of undergrads own a laptop
o 93% of graduate students own a laptop
  --- Pew Internet and American Life Project, “College Students and Technology”, July 19, 2011.

What’s Driving Wireless? #2: Collaboration and Social Media!

o Friends on Facebook
o Follow us on Twitter
o Watch our YouTube video
o Blog about college life
o Digital media libraries
o Video chat

Network use is massively increasing via Wi-Fi.

What’s Driving Wireless? #3: Instructional Enhancement!

o Accommodates learning styles
o Reinforces classroom work
o Meets students’ demand
o Wish instructor used more often:
  o Web-based videos 19%
  o Video sharing sites 18%
  o Podcasts and webcasts 17%
  o Simulations or educational games 15%

--- Grajek, S. “The Current State of College Students and Technology”, EDUCAUSE, 2011.

What is Smart Wi-Fi?

o Developed leading industrial-grade Wi-Fi products and technology called Smart Wi-Fi
o Adaptive RF control (BeamFlex)
o Predictive channel selection (ChannelFly)
o Resilient and self-optimized meshing (SmartMesh)
o Automatic user device configuration (Zero-IT config)
o Dynamic Wi-Fi security (Dynamic Pre-Shared Keys)

BeamFlex: Smart Wi-Fi Antenna Arrays

What makes the difference?
o Them: fixed 1:1 relationship between Wi-Fi radios and antennas
o Us: dynamic 1:many relationship between Wi-Fi radios and antennas

Adaptive Antenna
▪ Completely automatic
▪ Continually picks the best signal path to clients
▪ Mitigates interference
▪ Up to 10 dB signal gain
▪ Dual polarized

Dealing With Density: Band Steering for High Capacity Environments

Dual-band 802.11n
•  Steers clients to 5 GHz by withholding probe and auth responses on 2.4 GHz
•  Doesn’t steer clients below the RSSI threshold set per WLAN
•  Client table in each AP tracks:
   •  Client probe requests per band
   •  Avg. RSSI per band over the last minute
   •  Dual-band support
•  Table checked before responding to a client

Before band steering: 5 GHz 3 (18%), 2.4 GHz 14 (82%)
After band steering:  5 GHz 14 (82%), 2.4 GHz 3 (18%)
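The band-steering decision described above, as an added example that is not Ruckus code: each AP keeps a client table of probe requests and RSSI per band over the last minute and consults it before answering on 2.4 GHz. The threshold of -75 dBm and the choice to compare it against the client's average 5 GHz RSSI are assumptions, as is the band-naming convention.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # the slide's "avg. RSSI per band over last minute"

class BandSteeringAP:
    """Per-AP client table that is consulted before answering a probe or auth request."""

    def __init__(self, rssi_threshold_dbm=-75):
        # Per-WLAN threshold below which a client is never steered; -75 dBm is an assumed value.
        self.rssi_threshold = rssi_threshold_dbm
        # MAC -> band -> list of (timestamp, rssi_dbm) for probe requests heard on that band
        self.table = defaultdict(lambda: {"2.4": [], "5": []})

    def observe_probe(self, mac, band, rssi_dbm, now):
        """Record one probe request heard from `mac` on `band` at time `now` (seconds)."""
        self.table[mac][band].append((now, rssi_dbm))

    def _recent(self, mac, band, now):
        return [r for t, r in self.table[mac][band] if now - t <= WINDOW_SECONDS]

    def avg_rssi(self, mac, band, now):
        """Average RSSI over the last minute, or None if nothing was heard on that band."""
        samples = self._recent(mac, band, now)
        return sum(samples) / len(samples) if samples else None

    def is_dual_band(self, mac, now):
        return bool(self._recent(mac, "2.4", now)) and bool(self._recent(mac, "5", now))

    def should_respond(self, mac, band, now):
        """Return True if the AP should answer a probe/auth request heard on `band`."""
        if band == "5":
            return True  # 5 GHz requests are always answered
        if mac not in self.table or not self.is_dual_band(mac, now):
            return True  # unknown or 2.4 GHz-only client: withholding would strand it
        if self.avg_rssi(mac, "5", now) < self.rssi_threshold:
            return True  # too weak on 5 GHz to steer, so answer on 2.4 GHz
        return False  # withhold the 2.4 GHz response so the client associates on 5 GHz

def steer_population(ap, probes, now):
    """Feed probes (mac, band, rssi) into `ap`; return how many clients land on (5 GHz, 2.4 GHz)."""
    for mac, band, rssi in probes:
        ap.observe_probe(mac, band, rssi, now)
    on_5 = on_24 = 0
    for mac in {m for m, _, _ in probes}:
        if ap.should_respond(mac, "2.4", now):
            on_24 += 1  # answered on 2.4 GHz, so it can associate there
        else:
            on_5 += 1  # only 5 GHz answers, so a dual-band client joins there
    return on_5, on_24
```

Stale samples fall out of the one-minute window, so a client last heard on 5 GHz long ago is treated as 2.4 GHz-only and is answered rather than stranded.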

Reliable Performance

AP models tested: Ruckus 7363, Cisco 3500, Aruba 125, HP 460, Meraki 24, Apple Extreme.

[Chart: Downlink Mbps (0 to 80), 1 client at 100’, 2.4 GHz, no interference; bars for Ruckus, Meraki, HP, Cisco, Aruba, Apple. Panel labels: Non Line of Sight, Beating Interference]
[Chart: Uplink Mbps (0 to 80), 1 client at 70’, 5 GHz, line of sight; bars for Ruckus, Meraki, HP, Cisco, Aruba, Apple]
[Chart: Aggregate bi-directional Mbps (0 to 100), 60 clients, 5 GHz, 75% downlink / 25% uplink; bars for Ruckus, HP, Aruba, Cisco, Meraki, Apple; two entries marked “Failed to Finish”]
[Chart: Aggregate uplink Mbps (0 to 100), 60 clients, 5 GHz; bars for Ruckus, HP, Aruba, Cisco, Meraki, Apple]


Now What? Simplifying BYOD with Ruckus

Don’t Reinvent the Wheel

Existing infrastructure to build on: firewalls, content filters, AAA/AD/LDAP servers, ACLs/VLANs.

Defining the SSID Structure

o Domain SSID: school owned/managed devices with access to all resources (printers, applications, file shares)
o Guest Visitor SSID: users who are not in the OUI, with access only to the internet
o Staff and Student BYOD SSID: non-school owned/managed devices needing Internet access and specified school resources; VLAN and content filtering applied
o Provisioning SSID: hotspot with a walled-garden attribute, redirecting all users to an activation page

Automating Role-Based Access

o DOMAIN / Administrator: automatically placed on VLAN W, no rate limits
o STAFF: automatically placed on VLAN X, rate limited at 5 Mbps
o STUDENT: automatically placed on VLAN Y, rate limited at 1 Mbps
o STRANGER: user does NOT have an account and is denied
o GUEST: allowed on via a Guest Pass after accepting terms and conditions, automatically placed on VLAN Z, rate limited at 1 Mbps

What it Looks Like: WHAT HAPPENS WHEN?

[Diagram: Onboarding SSID (hotspot), Staff SSID, Student SSID and Guest SSID; new BYOD devices, provisioned BYOD devices and guests; a User Database; Staff, Student and Guest Resources; the Internet]

1. Users connect to a provisioning SSID and are redirected to an onboarding portal.
2. Users enter domain credentials, which are verified against a user database.
3. The user’s role assignment and permissions are automatically determined based on authentication.
4. Using Zero-IT, the device is auto-provisioned with a dynamic pre-shared key and dynamically assigned to the requisite WLAN.
5. Devices reconnect on a secure WLAN, receiving network permissions according to their role.
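Steps 2 to 4 above as an added example, not code from Ruckus or from the deck: credentials are checked against a constructed user database, the role with its VLAN and rate limit follows from the first matching directory group, and every device receives its own dynamic PSK, capped per user (the deck's "limit DPSK generation per user"). The group names, the cap of three keys per user and the PBKDF2 password storage are assumptions.

```python
import hashlib, hmac, secrets
# Role precedence, VLAN and rate limit (Mbps; None = no limit) as on the slide; group names are constructed.
ROLE_RULES = (
    ("wifi-admins", "administrator", "VLAN W", None),
    ("wifi-staff", "staff", "VLAN X", 5),
    ("wifi-students", "student", "VLAN Y", 1),
)
MAX_DPSK_PER_USER = 3  # the deck limits D-PSK generation per user; the number is assumed

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_directory(entries):
    """Constructed stand-in for the LDAP/AD user database: name -> (salt, hash, groups)."""
    directory = {}
    for name, password, groups in entries:
        salt = secrets.token_bytes(16)
        directory[name] = (salt, _hash(password, salt), frozenset(groups))
    return directory

class OnboardingPortal:  # Zero-IT style flow: verify credentials, derive the role, issue one D-PSK per device
    def __init__(self, directory):
        self.directory = directory
        self.issued = {}  # device MAC -> (user, role); every device gets its own PSK

    def authenticate(self, user, password):
        entry = self.directory.get(user)
        if entry is None:
            return False  # no account: the "stranger" case
        salt, stored, _ = entry
        return hmac.compare_digest(stored, _hash(password, salt))

    def role_for(self, user):
        groups = self.directory[user][2]
        for group, role, vlan, rate in ROLE_RULES:  # first match wins: admin > staff > student
            if group in groups:
                return role, vlan, rate
        return None

    def onboard(self, user, password, mac):
        if not self.authenticate(user, password):
            raise PermissionError("no account or wrong password: denied")
        rule = self.role_for(user)
        if rule is None:
            raise PermissionError("authenticated but in no authorised group: denied")
        if sum(1 for u, _ in self.issued.values() if u == user) >= MAX_DPSK_PER_USER:
            raise PermissionError("D-PSK limit reached for this user")
        role, vlan, rate = rule
        self.issued[mac] = (user, role)
        # Dissolvable provisioning profile: role, VLAN, rate limit and a PSK unique to this device
        return {"role": role, "vlan": vlan, "rate_limit_mbps": rate, "psk": secrets.token_urlsafe(24)}
```

Because each device holds a distinct key, revoking one lost device means deleting one entry rather than rotating a shared passphrase for the whole WLAN.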

Ruckus BYOD Solution

IDENTIFY
•  Application Recognition
•  Client Fingerprinting

ONBOARD
•  On-boarding portal
•  Guest Access
•  Device Registration
•  Mobile-friendly portal
•  Customizable portal pages

SECURE
•  Secure LDAP
•  Application Policy Control
•  Enhanced Roles

MANAGE
•  D-PSK limits per user
•  Extended Language Support
•  Bonjour Gateway
•  MDM


Key Technologies: Simplifying BYOD with Ruckus

Zero IT Automates Onboarding

▪ Requirement: automatic, secure authentication and roaming
▪ Enabled by SSID and authorization protocol configuration
▪ Easy-to-use Ruckus approach to push configuration
▪ Uses mobile OS auto-detect and auto-authenticate features, not a separate connection manager app

Traditional Guest Access vs. Easy BYOD Registration

[Flow diagram comparing Traditional Guest Access with Easy BYOD Registration. Labels: Invitation; Branded Landing Page; ‘One-Click’ Configuration; Automatic Authentication Enabled; BYOD SSID (open); Proceed to unencrypted internet on BYOD SSID; Install Client Profile DPSK/802.1x; Role based SSID; Move Client to Secure SSID]

o Single SSID for Guest Access & BYOD Registration
o Limit DPSK generation per user

On-Boarding Portal: a modern day, mobile friendly, easy-to-use Wi-Fi connection option!

D-PSK Automates Security/Config

[Diagram callout, partly lost in extraction: “WLAN profile configured device, and on the WLAN based on allowed by role.”]

1. LDAP sends the user’s security group information to the ZD.
2. The ZD applies the role, generates the D-PSK and pushes a dissolvable PROV file to the device.

Client Fingerprinting

o Visibility: “Whose device is this?” (example: Hostname: Dave’s iPhone, MAC: 50:ea:d6:7c:30:e4)
o Self-registration
  o Automatically registers and maintains client info on WLAN and wired interfaces
  o Operating system
  o Hostname
o Control by device type
  o Permit/allow
  o Assign to VLAN
  o Rate limit (down/up)
o Management
  o WLAN controller or standalone
  o WLAN dashboard
  o Client monitor
  o Client details

Device-Specific Policy Enforcement

o Segregates trusted and untrusted devices on a single SSID
o Simplified access rules per device: Windows, Windows Mobile, Mac OS, iOS, Linux, Android, VoIP, Gaming, Printers
o Control network access per device
  o Permit/Deny
  o Assign to VLAN
  o Rate Limit (Down/Up)

Device Type                      Access   VLAN   Rate Limit (DL | UL)
Gaming                           Deny     -      -
Windows, Mac OS, Linux           Permit   20     -
iOS, Windows Mobile, Android     Permit   10     4 Mb | 1 Mb

[Diagram: Device Policy Access Control. Clients placed on VLAN 10 and VLAN 20 reach VLAN 10 Resources, VLAN 20 Resources, VLAN 40 Resources and the INTERNET according to policy]

WHAT HAPPENS WHEN?

1. Configure device access policies (staff policy shown)
2. Configure WLANs with device-specific policies (staff WLAN shown)
3. Staff laptops (sanctioned Windows devices) connect and receive full network permissions
4. Staff iOS / Android devices connect and gain access to staff resources with some limits
5. All guest users receive the same Internet-only policies
6. Student laptops and tablets (sanctioned) connect and receive equal access to resources with rate limits
7. Students attempt to connect with non-sanctioned device types and are denied access

Resulting assignments (Staff SSID, Student SSID, Guest SSID):

STAFF DEVICES      Laptop         VLAN 10   No rate limit
                   iPad           VLAN 20   5 Mbps
                   Android        VLAN 20   5 Mbps
STUDENT DEVICES    Laptops/iOS    VLAN 40   3 Mbps
                   Others         Blocked
GUESTS             All            VLAN 99   1 Mbps
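Steps 3 to 7 above as an added example that is not Ruckus code: a minimal client fingerprint from the DHCP vendor class (option 60) and the hostname feeds a per-role device-type policy with default deny, using the VLAN and rate values from the slide. The fingerprint heuristics and the choice of Windows and Mac OS as the sanctioned student laptops are assumptions; because the fingerprint inputs are supplied by the client itself, the device-type rule refines the authenticated role rather than standing in for authentication.

```python
# Device-type policy per role from the "What Happens When" slide: (VLAN, rate limit in Mbps,
# None = no limit). "*" matches any device type (guests). Student laptops are assumed to be
# Windows and Mac OS; anything without an explicit rule is blocked.
POLICY = {
    "staff": {"Windows": ("VLAN 10", None), "iOS": ("VLAN 20", 5), "Android": ("VLAN 20", 5)},
    "student": {"Windows": ("VLAN 40", 3), "Mac OS": ("VLAN 40", 3), "iOS": ("VLAN 40", 3)},
    "guest": {"*": ("VLAN 99", 1)},
}

def fingerprint(hostname, dhcp_vendor_class):
    """Classify a client from DHCP option 60 first, then its hostname (simplified heuristics)."""
    vc = (dhcp_vendor_class or "").lower()
    if vc.startswith("msft"):
        return "Windows"
    if vc.startswith("android-dhcp"):
        return "Android"
    if vc.startswith("dhcpcd") or "linux" in vc:
        return "Linux"
    host = (hostname or "").lower()
    if "iphone" in host or "ipad" in host:
        return "iOS"
    if "macbook" in host or "imac" in host:
        return "Mac OS"
    if "xbox" in host or "playstation" in host:
        return "Gaming"
    return "Unknown"

def enforce(role, device_type):
    """Resolve access, VLAN and rate limit; no matching rule (or unknown role) means deny."""
    rules = POLICY.get(role, {})
    rule = rules.get(device_type) or rules.get("*")
    if rule is None:
        return {"access": "deny", "vlan": None, "rate_limit_mbps": None}
    vlan, rate = rule
    return {"access": "permit", "vlan": vlan, "rate_limit_mbps": rate}

def admit(role, hostname, dhcp_vendor_class):
    """Fingerprint the client, apply the role's device policy and return the decision."""
    device_type = fingerprint(hostname, dhcp_vendor_class)
    decision = enforce(role, device_type)
    decision["device_type"] = device_type
    return decision
```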

BYOD How-To Guide & Videos

http://www.theruckusroom.net/

Step by Step guide to configuring Ruckus BYOD


Questions. [email protected]