Bring Your Own Design: Implementing BYOD Without Going Broke or Crazy
Eric Stresen-Reuter, Technical Director, Ruckus Wireless
What Enterprises REALLY Want
Getting users and devices on the network
Enforcing user policies and security
Managing and controlling devices
Simple on-boarding
Automated enforcement of user/device policies
Visibility of who and what is on the WLAN
Extension of wired security to WLAN
More capacity to deal with flood of devices
Leverage existing infrastructure
What Enterprises REALLY Need
BYOD Technology Circle
IDENTIFY • Device Profiling • Device Inventory • Inventory dashboard
ONBOARD • Device registration • Zero-touch onboarding • Provisioning: Wi-Fi/VPN profile, cert management
SECURE • Access control based on device type/profile • Access control based on user roles • Secure connectivity
MANAGE • Mobile Device Mgmt (MDM) • Mobile Application Mgmt (MAM)
What’s Driving Wireless? #1: Students’ Daily Lives are Media Rich!
o Cell phone use (18 – 34 year olds):
  o 91% take photos vs. 76% of all adults
  o 61% play music vs. 33% of all adults
  o 57% record a video vs. 34% of all adults
--- Pew Internet and American Life Project, “Generations and their Gadgets”, February 3, 2011.
o 92% of undergrads use Wi-Fi vs. 57% of all adults
o 59% of undergrads own a desktop PC
o 88% of undergrads own a laptop
o 93% of graduate students own a laptop
--- Pew Internet and American Life Project, “College Students and Technology”, July 19, 2011.
What’s Driving Wireless? #2: Collaboration and Social Media!
o Friends on Facebook
o Follow us on Twitter
o Watch our YouTube video
o Blog about college life
o Digital media libraries
o Video chat
Network use is massively increasing via Wi-Fi
What’s Driving Wireless? #3: Instructional Enhancement!
o Accommodates learning styles
o Reinforces classroom work
o Meets students’ demand
o Wish instructor used more often:
  o Web-based videos 19%
  o Video sharing sites 18%
  o Podcasts and webcasts 17%
  o Simulations or educational games 15%
--- Grajek, S. “The Current State of College Students and Technology”, EDUCAUSE, 2011.
What is Smart Wi-Fi?
o Developed leading industrial-grade Wi-Fi products and technology called Smart Wi-Fi
o Adaptive RF control (BeamFlex)
o Predictive channel selection (ChannelFly)
o Resilient and self-optimized meshing (SmartMesh)
o Automatic user device configuration (Zero-IT config)
o Dynamic Wi-Fi security (Dynamic pre-shared keys)
RUCKUS PROPRIETARY AND CONFIDENTIAL
BeamFlex: Smart Wi-Fi Antenna Arrays
What makes the difference? THEM vs. US
THEM: fixed 1:1 relationship between Wi-Fi radios and antennas
US: dynamic 1:many relationship between Wi-Fi radios and antennas
Adaptive Antenna
▪ Completely automatic
▪ Continually picks the best signal path to clients
▪ Mitigates interference
▪ Up to 10 dB signal gain
▪ Dual polarized
Dealing With Density: Band Steering for High-Capacity Environments
Dual-band 802.11n
• Steers clients to 5 GHz by withholding probe and auth responses on 2.4 GHz
• Doesn’t steer clients below an RSSI threshold set per WLAN
• Client table in each AP tracks: client probe requests per band; avg. RSSI per band over the last minute; dual-band support
• Table is checked before responding to a client
Before band steering: 5 GHz – 3 clients (18%), 2.4 GHz – 14 clients (82%)
After band steering: 5 GHz – 14 clients (82%), 2.4 GHz – 3 clients (18%)
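The band-steering decision the slide describes, as an added example written for this page (it is not Ruckus AP firmware). It models the per-AP client table (probe requests per band, one-minute average RSSI per band, dual-band capability) and the rule that a 2.4 GHz probe/auth response is withheld only for a client that has shown 5 GHz support and whose 5 GHz signal is above the per-WLAN threshold. The threshold value, MAC addresses and probe traffic are constructed for the example.

```python
"""Band-steering decision logic (added example, not Ruckus code)."""
from collections import defaultdict, deque

BAND_24 = "2.4GHz"
BAND_5 = "5GHz"
WINDOW_SECONDS = 60.0            # "avg. RSSI per band over last minute"


class ClientEntry:
    """One row of the AP client table."""

    def __init__(self):
        self.probes = {BAND_24: 0, BAND_5: 0}                # probe requests per band
        self.samples = {BAND_24: deque(), BAND_5: deque()}   # (time, RSSI dBm) per band

    def record_probe(self, band, rssi_dbm, now):
        self.probes[band] += 1
        q = self.samples[band]
        q.append((now, rssi_dbm))
        while q and now - q[0][0] > WINDOW_SECONDS:       # drop samples outside the window
            q.popleft()

    def avg_rssi(self, band, now):
        recent = [r for t, r in self.samples[band] if now - t <= WINDOW_SECONDS]
        return sum(recent) / len(recent) if recent else None

    def dual_band(self):
        # A client that has probed on both bands has demonstrated 5 GHz support.
        return self.probes[BAND_5] > 0 and self.probes[BAND_24] > 0


class BandSteeringAP:
    def __init__(self, rssi_threshold_dbm=-75):
        self.threshold = rssi_threshold_dbm     # per-WLAN "don't steer below" threshold (constructed)
        self.table = defaultdict(ClientEntry)

    def observe_probe(self, mac, band, rssi_dbm, now):
        """Update the client table for a probe request heard on `band`."""
        self.table[mac.lower()].record_probe(band, rssi_dbm, now)

    def should_respond(self, mac, band, now):
        """Consult the table before answering a probe/auth request on `band`.

        True: answer the request. False: withhold it so the client moves to 5 GHz.
        """
        if band == BAND_5:
            return True                       # 5 GHz requests are always answered
        entry = self.table.get(mac.lower())   # .get() does not create a row
        if entry is None or not entry.dual_band():
            return True                       # unknown or 2.4-only client: withholding would strand it
        avg5 = entry.avg_rssi(BAND_5, now)
        if avg5 is None or avg5 < self.threshold:
            return True                       # 5 GHz too weak or stale: do not steer
        return False                          # withhold; client will associate on 5 GHz


def demo():
    """Constructed traffic; returns the 2.4 GHz decision per client at t=100."""
    ap = BandSteeringAP(rssi_threshold_dbm=-75)
    # dual-band, strong 5 GHz -> steered (2.4 GHz probe ignored)
    ap.observe_probe("aa:bb:cc:00:00:01", BAND_24, -55, now=90)
    ap.observe_probe("aa:bb:cc:00:00:01", BAND_5, -62, now=91)
    # only ever seen on 2.4 GHz -> answered
    ap.observe_probe("aa:bb:cc:00:00:02", BAND_24, -50, now=92)
    # dual-band but weak on 5 GHz -> answered
    ap.observe_probe("aa:bb:cc:00:00:03", BAND_24, -60, now=93)
    ap.observe_probe("aa:bb:cc:00:00:03", BAND_5, -80, now=94)
    # strong 5 GHz sample but older than the one-minute window -> answered
    ap.observe_probe("aa:bb:cc:00:00:04", BAND_5, -60, now=10)
    ap.observe_probe("aa:bb:cc:00:00:04", BAND_24, -58, now=95)
    macs = ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
            "aa:bb:cc:00:00:04", "aa:bb:cc:00:00:99")
    return {mac: ap.should_respond(mac, BAND_24, 100) for mac in macs}


if __name__ == "__main__":
    for mac, respond in demo().items():
        print(mac, "respond on 2.4 GHz" if respond else "withhold (steer to 5 GHz)")
```

The two "always answer" branches are the safety checks a practitioner should insist on: a client that has never probed on 5 GHz may not have a 5 GHz radio, and one whose 5 GHz RSSI is below the per-WLAN threshold would get a worse link than it has on 2.4 GHz. Withholding responses from either would look to the user like a dead network rather than steering.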
Reliable Performance (throughput charts; bar values are not recoverable from the transcript)
AP models tested: Ruckus 7363, Cisco 3500, Aruba 125, HP 460, Meraki 24, Apple Extreme.
• Non Line of Sight: downlink Mbps, 1 client, 100', 2.4 GHz, no interference
• Beating Interference: uplink Mbps, 1 client, 70', 5 GHz, line of sight
• 60 Clients, Bi-Directional: aggregate bi-directional Mbps, 5 GHz, 75% downlink / 25% uplink (two APs marked "Failed to Finish")
• 60 Clients, Uplink: aggregate uplink Mbps, 5 GHz
Defining the SSID Structure
o Domain SSID: school-owned / managed devices with access to all resources: printers, applications, file shares
o Guest Visitor SSID: users who are not in the directory OU, with access only to the Internet
o Staff and Student BYOD SSID: non-school-owned / managed devices needing Internet access and specified school resources; VLAN and content filtering applied
o Provisioning SSID: hotspot with a walled-garden attribute, redirecting all users to an activation page
Automating Role-Based Access (DOMAIN SSID)
STAFF: automatically placed on VLAN X, rate limited at 5 Mbps
STUDENT: automatically placed on VLAN Y, rate limited at 1 Mbps
ADMINISTRATOR: automatically placed on VLAN W, no rate limits
GUEST: allowed on via a Guest Pass after accepting terms and conditions; automatically placed on VLAN Z, rate limited at 1 Mbps
STRANGER: user does NOT have an account and is denied
What it Looks Like / WHAT HAPPENS WHEN?
(Diagram: Onboarding SSID, Staff SSID, Student SSID and Guest SSID (hotspot) in front of a User Database, Staff Resources, Student Resources, Guest Resources and the Internet; new BYOD devices are provisioned into the BYOD and Guest WLANs.)
1. Users connect to a provisioning SSID and are redirected to an onboarding portal.
2. Users enter domain credentials, which are verified against a user database.
3. The user’s role assignment and permissions are automatically determined based on authentication.
4. Using Zero-IT, the device is auto-provisioned with a dynamic pre-shared key and dynamically assigned to the requisite WLAN.
5. Devices re-connect on a secure WLAN, receiving network permissions according to their role.
Ruckus BYOD Solution
IDENTIFY • Application Recognition • Client Fingerprinting
ONBOARD • On-boarding portal • Guest Access • Device Registration • Mobile-friendly portal • Customizable portal pages
SECURE • Secure LDAP • Application Policy Control • Enhanced Roles
MANAGE • D-PSK limits per user • Extended Language Support • Bonjour Gateway • MDM
Zero-IT Automates Onboarding
▪ Requirement: automatic, secure authentication and roaming
▪ Enabled by SSID and authorization protocol configuration
▪ Easy-to-use Ruckus approach to push configuration
▪ Uses mobile OS auto-detect and auto-authenticate features, not a separate connection manager app
Flow (diagram): Invitation -> Branded Landing Page -> ‘One-Click’ Configuration -> Automatic Authentication Enabled
On the open BYOD SSID the client either proceeds to unencrypted Internet, or installs a client profile (DPSK/802.1X) and is moved to the role-based secure SSID.
Traditional Guest Access / Easy BYOD Registration: a single SSID for Guest Access & BYOD Registration; DPSK generation is limited per user.
On-Boarding Portal: a modern, mobile-friendly, easy-to-use Wi-Fi connection option. The device is configured with the WLAN profile and placed on the WLAN allowed by its role.
D-PSK Automates Security/Config
LDAP sends the user’s security group information to the ZD (ZoneDirector controller)
ZD applies the role, generates a D-PSK, and pushes a dissolvable PROV file to the device
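The onboarding flow from the "Automating Role-Based Access" slide, the five "What Happens When?" steps and this D-PSK slide, as one added example written for this page (it is not ZoneDirector code and not how Ruckus stores keys). A user authenticates on the portal, the directory group maps to a role with a VLAN and rate limit, the controller issues a per-device dynamic PSK bound to that device's MAC, enforces a per-user DPSK quota, and later accepts or rejects the key when the device associates on the secure WLAN. The user records, group names, VLAN numbers (VLAN X/Y/W on the slide), quota and key format are constructed for the example.

```python
"""Role-based DPSK onboarding (added example, not Ruckus ZoneDirector code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _kdf(password, salt):
    # Constructed credential store for the example; a real deployment binds to LDAP instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _user(password, group):
    salt = secrets.token_bytes(16)
    return (salt, _kdf(password, salt), group)


# Constructed "domain" directory: username -> (salt, password hash, security group)
USER_DB = {
    "alice": _user("correct horse", "Staff"),
    "bob": _user("battery staple", "Students"),
    "carol": _user("admin pass", "Administrators"),
}

# Role policy from the slide; VLAN X/Y/W replaced by constructed numbers.
ROLE_POLICY = {
    "Administrators": {"role": "admin", "vlan": 30, "rate_mbps": None},   # no rate limit
    "Staff": {"role": "staff", "vlan": 10, "rate_mbps": 5},
    "Students": {"role": "student", "vlan": 20, "rate_mbps": 1},
}
MAX_DPSK_PER_USER = 3   # "limit DPSK generation per user" (constructed quota)


class DpskQuotaExceeded(Exception):
    pass


@dataclass
class Dpsk:
    user: str
    mac: str
    role: str
    vlan: int
    rate_mbps: Optional[int]
    key: str
    revoked: bool = False


class Controller:
    def __init__(self, max_per_user=MAX_DPSK_PER_USER):
        self.max_per_user = max_per_user
        self.dpsks = {}   # key -> Dpsk

    def authenticate(self, user, password):
        """Return the user's security group, or None for a STRANGER or a bad password."""
        rec = USER_DB.get(user)
        if rec is None:
            return None
        salt, digest, group = rec
        if not hmac.compare_digest(_kdf(password, salt), digest):
            return None
        return group

    def onboard(self, user, password, mac):
        """Portal step: verify credentials, derive the role, issue a device-bound DPSK."""
        group = self.authenticate(user, password)
        if group is None:
            return None                                    # denied; no profile is pushed
        active = [d for d in self.dpsks.values() if d.user == user and not d.revoked]
        if len(active) >= self.max_per_user:
            raise DpskQuotaExceeded(user)
        policy = ROLE_POLICY[group]
        key = secrets.token_urlsafe(24)                    # 32 printable chars: valid WPA2 passphrase length
        d = Dpsk(user, mac.lower(), policy["role"], policy["vlan"], policy["rate_mbps"], key)
        self.dpsks[key] = d
        return d                                           # what the PROV profile carries

    def associate(self, mac, key):
        """Secure-WLAN step: the key must exist, be unrevoked, and belong to this MAC."""
        d = self.dpsks.get(key)
        if d is None or d.revoked or d.mac != mac.lower():
            return None
        return d                                           # AP applies d.vlan and d.rate_mbps

    def revoke_device(self, mac):
        """Lost or departed device: revoke only its key; the user's other devices keep working."""
        n = 0
        for d in self.dpsks.values():
            if d.mac == mac.lower() and not d.revoked:
                d.revoked = True
                n += 1
        return n
```

Two points worth checking in any DPSK deployment follow from the model: a key is only useful to the MAC it was issued to and can be revoked individually, which is the whole advantage over a shared PSK that must be rotated on every device when one is lost; and the portal where the credentials are typed sits on an open provisioning SSID, so that page must be served over HTTPS because nothing at the link layer protects it.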
Client Fingerprinting
Example: Hostname: Dave’s iPhone, MAC: 50:ea:d6:7c:30:e4
o Visibility: “Whose device is this?”
o Self-registration: automatically registers and maintains client info on WLAN and wired interfaces: operating system, hostname
o Control by device type: permit/deny, assign to VLAN, rate limit (down/up)
o Management: WLAN controller or standalone; WLAN dashboard; client monitor; client details
Device-Specific Policy Enforcement
o Segregates trusted and untrusted devices on a single SSID
o Simplified access rules per device type: Windows, Windows Mobile, Mac OS, iOS, Linux, Android, VoIP, Gaming, Printers
o Control network access per device: permit/deny, assign to VLAN, rate limit (down/up)
Device Policy Access Control (example table)
Device Type                   | Access | VLAN | Rate Limit DL | UL
Gaming                        | Deny   | -    | -             | -
Windows, Mac OS, Linux        | Permit | 20   | -             | -
iOS, Windows Mobile, Android  | Permit | 10   | 4 Mb          | 1 Mb
(Diagram: VLAN 10 resources, VLAN 20 resources, VLAN 40 resources and the Internet; the gaming device is blocked.)
WHAT HAPPENS WHEN?
1. Configure device access policies (staff policy shown)
2. Configure WLANs with device-specific policies (staff WLAN shown)
3. Staff laptops (sanctioned Windows devices) connect and receive full network permissions
4. Staff iOS / Android devices connect, gain access to staff resources with some limits
5. All guest users receive the same Internet-only policies
6. Student laptops and tablets (sanctioned) connect and receive equal access to resources with rate limits
7. Students attempt to connect with non-sanctioned device types and are denied access
Resulting per-SSID device policies:
STAFF DEVICES (Staff SSID): Laptop -> VLAN 10, no rate limit; iPad -> VLAN 20, 5 Mbps; Android -> VLAN 20, 5 Mbps
STUDENT DEVICES (Student SSID): Laptops/iOS -> VLAN 40, 3 Mbps; Others -> Blocked
GUESTS (Guest SSID): All -> VLAN 99, 1 Mbps
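The device-type policy tables above, evaluated in code, as an added example written for this page (it is not Ruckus fingerprinting code). The classifier uses the DHCP parameter request list (option 55) and the DHCP hostname (option 12); that method, the signature table and the sample clients are constructed for the example and are not a real fingerprint database. Where the slide gives a single rate figure it is applied to both directions, and device types a WLAN's table does not mention fall through to Deny ("Others: Blocked"); both are assumptions.

```python
"""Device-type policy enforcement (added example, not Ruckus code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed option-55 signatures -> device class (illustrative, not real fingerprints)
DHCP55_SIGNATURES = {
    (1, 121, 3, 6, 15, 119, 252): "iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "Mac OS",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux",
}
# Fallback hostname hints (constructed)
HOSTNAME_HINTS = (("iphone", "iOS"), ("ipad", "iOS"), ("android", "Android"),
                  ("xbox", "Gaming"), ("playstation", "Gaming"), ("nintendo", "Gaming"))

ANY = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    device_types: FrozenSet[str]
    action: str                       # "Permit" or "Deny"
    vlan: Optional[int] = None
    rate_dl_mbps: Optional[int] = None
    rate_ul_mbps: Optional[int] = None


# Per-WLAN tables from the "What Happens When?" slide
WLAN_POLICIES = {
    "Staff": [
        Rule(frozenset({"Windows", "Mac OS", "Linux"}), "Permit", 10),       # laptops, no rate limit
        Rule(frozenset({"iOS", "Android"}), "Permit", 20, 5, 5),
        Rule(frozenset({"Gaming"}), "Deny"),
    ],
    "Student": [
        Rule(frozenset({"Windows", "Mac OS", "Linux", "iOS"}), "Permit", 40, 3, 3),
    ],
    "Guest": [Rule(ANY, "Permit", 99, 1, 1)],
}
DEFAULT_RULE = Rule(ANY, "Deny")      # "Others: Blocked"


def classify(option55, hostname):
    """Best-effort device class from client-supplied DHCP data (all of it spoofable)."""
    cls = DHCP55_SIGNATURES.get(tuple(option55))
    if cls:
        return cls
    h = (hostname or "").lower()
    for needle, c in HOSTNAME_HINTS:
        if needle in h:
            return c
    return "Unknown"


def evaluate(wlan, device_type):
    """First matching rule wins; unmatched device types fall through to Deny."""
    for rule in WLAN_POLICIES[wlan]:
        if rule.device_types == ANY or device_type in rule.device_types:
            return rule
    return DEFAULT_RULE


def admit(wlan, mac, option55, hostname):
    """Decision record the AP acts on: block, or place on VLAN with rate limits."""
    device_type = classify(option55, hostname)
    rule = evaluate(wlan, device_type)
    return {"mac": mac.lower(), "device_type": device_type, "action": rule.action,
            "vlan": rule.vlan, "rate_dl_mbps": rule.rate_dl_mbps,
            "rate_ul_mbps": rule.rate_ul_mbps}


if __name__ == "__main__":
    # Constructed clients, one per row of the slide's outcome table
    print(admit("Staff", "50:ea:d6:7c:30:e4", [1, 121, 3, 6, 15, 119, 252], "Dave's iPhone"))
    print(admit("Staff", "00:11:22:33:44:55", [], "XBOX-ONE"))
    print(admit("Student", "00:11:22:33:44:66", [1, 3, 6, 15, 26, 28, 51, 58, 59, 43], "android-9f3"))
    print(admit("Guest", "00:11:22:33:44:77", [], ""))
```

Every input to classify() is chosen by the client: hostname, option 55 and even the MAC OUI can be set to whatever a laptop would send, so a console renamed to look like a laptop lands on VLAN 40 with the laptops. Device-type rules are therefore a capacity and segmentation control, not an access control; anything that actually protects staff or student resources should hang off authenticated identity (the per-device DPSK or 802.1X credential) and, where assurance matters, MDM enrolment.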
BYOD How-To Guide & Videos
http://www.theruckusroom.net/
Step by Step guide to configuring Ruckus BYOD