Posted: 22-Dec-2015
Authenticated Network Architecture
Michael Knabb
Avaya - Proprietary. Use pursuant to your signed agreement or Avaya policy. 2
Office tools started here … then came this! (image-only slide)
TIME’s Person of the Year: YOU

Figures shown on the slide:
  Android apps          100 000
  iPhone apps           350 000
  Tablets in 2012       75 000 000
  Smartphones           800 000 000
  Social media users    1 200 000 000

– Tablet market $45B by 2014 (Yankee 2011)
– 50% of enterprise users interested in or using consumer applications (Yankee 2011)
– Smartphone app revenue to triple by 2014 (Yankee 2011)

The before is history…
It is not about saying NO!
– NO, you cannot bring your iPad
– NO, you cannot connect outdoors
– NO, you cannot bring your fancy laptop
– NO, you cannot do video conferencing

It is about saying YES! … but staying in control
– YES, bring your own iPad
– YES, you are welcome to do mobile collaboration
– YES, you are welcome to use a virtual desktop
– YES, you are welcome to use Wi-Fi VoIP
Where is the market going?
– 70% of new enterprise users by 2013 will be wireless by default and wired by exception (Gartner)
  • Average three to five devices per user, each requiring capacity and contributing to the density
– By 2015, 80% of newly installed wireless networks will be obsolete because of a lack of proper planning (Gartner)
  • New context-rich applications requiring more bandwidth
  • iPad deployments could need 300% more Wi-Fi
Cost of Change - Operations Cost Reduction
Each wired or wireless access port is not assigned until a user/device attempts access. At that point it is given the appropriate level of access.
– Direct annual TCO savings just by avoiding simple VLAN changes.
– Indirect TCO savings just by avoiding network outages following manual configuration changes.

Endpoint types sharing the enterprise network (diagram): IP Phone, Visitor or Business Partner, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices.
Identity Engines Authenticated Network Architecture (architecture diagram)
– Network Abstraction Layer and Directory Abstraction Layer
– Policy Enforcement Point, Policy Decision Point, Policy Information Point (in the usual policy-architecture terms: the switch or access point that enforces the decision, the engine that makes it, and the identity stores that feed it)
– Identity Engines components: Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Captive Portal (v8.0), CASE (v8.0)
Identity-based Access Control…with Identity Engines

Authorization request → check access device → check access medium → check identity stores → decision

Access Script Example 1
If device = “managed”
  and medium = “wired”
  and identity = “HR employee”
then grant full network access

Access Script Example 2
If device = “iPad”
  and medium = “wireless”
  and identity = “HR employee”
then grant limited access
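The two access scripts above, as an added Python example (not Avaya Identity Engines code): a first-match, default-deny rule list evaluated over the same three checks, with one log line per attempt, plus the RADIUS tunnel attributes a decision point returns so the switch or access point places the port in a VLAN. That reply is how the "port is not assigned until a device attempts access" model from the Cost of Change slide is realised. The rule format, the extra guest rule, the attribute names and the access-level-to-VLAN mapping (500 Data and 100 Guest are taken from the demo slide, the rest is this example's choice) are assumptions.

```python
"""Ordered, default-deny access policy over (device, medium, identity).
Added example; not Avaya Identity Engines code. Rule format, the guest rule,
attribute names and the access-level -> VLAN mapping are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    device: str    # result of the access-device check, e.g. "managed", "iPad"
    medium: str    # result of the access-medium check: "wired" or "wireless"
    identity: str  # group resolved from the identity stores, e.g. "HR employee"


@dataclass(frozen=True)
class Rule:
    name: str
    device: Optional[str]    # None means "any"
    medium: Optional[str]
    identity: Optional[str]
    outcome: str             # access level granted when every condition holds

    def matches(self, req: AccessRequest) -> bool:
        # All stated conditions are ANDed, exactly like the slide's nested Ifs.
        checks = ((self.device, req.device),
                  (self.medium, req.medium),
                  (self.identity, req.identity))
        return all(want is None or want == have for want, have in checks)


# First matching rule wins; anything unmatched falls through to DENY.
POLICY: List[Rule] = [
    Rule("example-1", "managed", "wired", "HR employee", "full"),
    Rule("example-2", "iPad", "wireless", "HR employee", "limited"),
    Rule("guest", None, None, "guest", "guest"),   # assumed extra rule
]
DENY = "deny"


def evaluate(req: AccessRequest, policy: List[Rule] = POLICY,
             log: Optional[list] = None) -> Tuple[str, str]:
    """Return (rule name, access level); append one log line per attempt."""
    for rule in policy:
        if rule.matches(req):
            decision = (rule.name, rule.outcome)
            break
    else:
        decision = ("default", DENY)
    if log is not None:
        log.append(f"{req.identity!r} device={req.device} medium={req.medium} "
                   f"-> {decision[1]} (rule {decision[0]})")
    return decision


# Assumed mapping from access level to VLAN (500 Data and 100 Guest come from
# the demo slide; putting "limited" on the guest VLAN is this example's choice).
VLAN_FOR = {"full": "500", "limited": "100", "guest": "100"}


def radius_reply(outcome: str) -> Optional[dict]:
    """Attributes for an Access-Accept (RFC 3580 VLAN assignment), or None for
    an Access-Reject. The enforcement point applies these to the port."""
    vlan = VLAN_FOR.get(outcome)
    if vlan is None:
        return None
    return {"Tunnel-Type": "VLAN",             # value 13
            "Tunnel-Medium-Type": "IEEE-802",  # value 6
            "Tunnel-Private-Group-ID": vlan}


if __name__ == "__main__":
    audit: list = []
    for req in (AccessRequest("managed", "wired", "HR employee"),
                AccessRequest("iPad", "wireless", "HR employee"),
                AccessRequest("iPad", "wired", "HR employee"),   # no rule: deny
                AccessRequest("unknown", "wireless", "guest")):
        _, level = evaluate(req, log=audit)
        print(level, radius_reply(level))
    print("\n".join(audit))
```

Note the third request: an HR employee's iPad on a wired port matches neither script and is rejected, because order and the default decide everything the explicit rules do not. Keep the most specific rules first, keep the default at deny, and keep the per-attempt log, which is what makes a rejected request explainable afterwards.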
Identity Engines Flexible Policy Engine
– Extensive logging for each access attempt
– Identity Engines, through its policies, basically answers the question: “Are you one of mine?”
Identity Engines Guest Manager
Identity Engines Guest Manager is a web application that lets front desk staff create and manage temporary network accounts for visitors.
– Front Desk Console provides automated provisioning/de-provisioning in 30 seconds.
– Allows employees to create their own guest accounts.
– Activation options: immediate activation, future activation, account duration time, activate on first login
– Choose any access method to implement: wireless, wired, and VPN
– Track users: guests, consultants, contractors.
Identity-based Access Control…with Identity Engines
– Unified wired and wireless
– Vendor agnostic
– Highly available virtual appliance
– Robust guest management
– Granular policy engine
– Intelligent federated directories
– Simple, affordable licensing
Identity Engines v8.0, What’s New
– Access Portal / Captive Portal
– Device Profiling
– CASE Client, CASE Admin Console
– RADIUS Proxy
– Guest Manager enhancements
Avaya Identity Engines Access Portal Architecture (architecture diagram)
– Columns: Access & Core Layer | Policy Decision | Identity Routing
– Management and Session Provisioning; Abstracted and Identity Routing
– End-points (wireless and wired): 802.1X authentication for employees over RADIUS; HTTP capturing for guests through the Access Portal; device profiling
– Ignition Server (IDE): Consolidated LDAP & profile, Multi-factor Authentication, Context Awareness, Application Authentication, Reporting and Analytics
– Identity stores and Integration APIs: LDAP, Kerberos, Active Directory, Novell/Oracle Directory
– Firewall (IN / OUT), Internet, Admin
Identity Engines Release 8.0
Access Portal
– Access Portal facilitates network access for guest devices, supporting full BYOD-based access
– Access Portal serves as a Captive Portal for wired and wireless users and allows inline sessions for non-802.1X users
– Hosting place for the CASE Client
Device Profiling
What is it?
– A compact summary of software and hardware settings collected from a remote computing device.
– Passive profiling
– Active profiling
Why do we need it?
– To support the “smart phone” revolution
– Facilitates “Bring Your Own Device” (BYOD) policies in enterprise wireless LANs
Idea
– A user trying to gain network access using a personal or unmanaged device is transitioned to an Access Portal, where the portal learns the necessary device attributes using various profiling technologies and updates the Ignition Server with the device information.
Available ONLY on Identity Engines Access Portal
Identity Engines Release 8.0
Device Profiling
– Administrator can set the Access Portal to perform device profiling of wired and wireless devices
– Device fingerprinting by extracting information from browser-provided data during login
– Device Type, Device Sub-Type, Device OS, Device OS Version
– Device attributes are sent to the Ignition Server for device registration
Device Auto-registration
– Auto-registration of Guest Visitor and Employee Guest devices
– Device profiling of registering devices
– Auto-association of devices with guest / employee records in Ignition Server
– Populating device records in Ignition Server with device profile attributes:
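Browser-based fingerprinting of the kind the slide describes, as an added Python example (not Avaya Access Portal code): the portal reads the User-Agent header the browser sends at login and derives the four attributes named above (Device Type, Sub-Type, OS, OS Version) for the device record it registers. The User-Agent samples are constructed, the attribute and record field names are this example's, and the Windows NT version table is the public one.

```python
"""Device fingerprinting from the browser's User-Agent string at portal login.
Added example, not Avaya Access Portal code. Attribute names follow the slide
(type, sub-type, OS, OS version); the sample strings below are constructed."""
import re

# Constructed User-Agent samples (not captured from any real network)
SAMPLES = {
    "ipad": "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 "
            "(KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) "
              "AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A334",
    "android": "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Galaxy Nexus "
               "Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Mobile Safari/534.30",
    "win7": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 "
           "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
    "tool": "curl/7.24.0",
}

# Windows NT kernel version -> marketed name
WINDOWS_NT = {"5.1": "XP", "6.0": "Vista", "6.1": "7", "6.2": "8",
              "6.3": "8.1", "10.0": "10"}

UNKNOWN = {"type": "unknown", "subtype": "unknown",
           "os": "unknown", "os_version": "unknown"}


def profile(user_agent: str) -> dict:
    """Return Device Type, Sub-Type, OS and OS Version; 'unknown' when the
    string does not match a known family. Never raises on odd input."""
    ua = user_agent or ""
    m = re.search(r"\((iPad|iPhone|iPod);[^)]*?OS (\d+(?:_\d+)*)", ua)
    if m:
        return {"type": "mobile", "subtype": m.group(1), "os": "iOS",
                "os_version": m.group(2).replace("_", ".")}
    m = re.search(r"Android (\d+(?:\.\d+)*)", ua)
    if m:
        # Model name sits between the last ';' and ' Build/' in older UAs
        model = re.search(r";\s*([^;()]+?)\s+Build/", ua)
        return {"type": "mobile",
                "subtype": model.group(1) if model else "unknown",
                "os": "Android", "os_version": m.group(1)}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        return {"type": "desktop", "subtype": "PC", "os": "Windows",
                "os_version": WINDOWS_NT.get(m.group(1), m.group(1))}
    m = re.search(r"Mac OS X (\d+[_.]\d+(?:[_.]\d+)?)", ua)
    if m:
        return {"type": "desktop", "subtype": "Mac", "os": "Mac OS X",
                "os_version": m.group(1).replace("_", ".")}
    return dict(UNKNOWN)


def device_record(mac: str, user_agent: str) -> dict:
    """Record shape the portal would hand to the policy server: the profile
    plus the MAC the session was seen from (field names are assumed)."""
    rec = {"mac": mac.lower()}
    rec.update(profile(user_agent))
    return rec


if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:8} {profile(ua)}")
```

The User-Agent is self-reported and trivially changed, so a profile derived from it identifies a device class, not a device. A policy that keys on device = "iPad" (Access Script Example 2) should treat the browser-derived value as a hint and corroborate it with the passive profiling sources the slide lists (for instance DHCP option fingerprints or the MAC OUI) before the match widens access rather than narrows it.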
CASE Client
Client for Accessing the Secure Enterprise
– Automates client configuration for 802.1X and MS NAP posture
– Easy user adoption of 802.1X-based NAC
– No footprint on the client device
– All major browsers
– All Windows flavours
– ActiveX or Java delivery
– Requires Access Portal (the portal page that delivers the client is what the endpoint trusts to write its 802.1X settings, so serve it over HTTPS from a host the client can verify)
Identity Engines Release 8.0
CASE Client for Accessing the Secure Enterprise
– Transient client to automate configuration of managed and unmanaged endpoint devices to participate in Network Access Control:
  – CASE auto-configuration of 802.1X on Windows devices
  – CASE auto-configuration of MS-NAP on Windows devices
– Administrator can create CASE packages to accommodate various deployment needs: wired, wireless, wired and wireless
– Administrator can set the configuration the CASE Client applies as revertible or not
What’s New in Guest Manager: Export/Import Configuration
The Guest Manager Import/Export Configuration feature lets a user port Guest Manager configurations between multiple Guest Manager instances.
These configurations include: appliance configuration, RADIUS configuration, user certificates, Tomcat configuration (HTTP, SSL, etc.), and user preferences.
Because the export carries certificates and RADIUS settings, handle the exported file as sensitive material and restrict where it is stored and who can import it.
Identity Engines Release 8.0
1-2-3 Easy Configuration
– Pre-provisioned configuration file including sample configuration and access policies (review and prune the samples before a production rollout)
RADIUS Proxy
– Facilitates easy integration with an existing corporate RADIUS server using realm-based lookup
– Supports a proxy-failover model using intelligent identity routing
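Realm-based lookup with failover, as an added Python example (not Avaya RADIUS Proxy code): the proxy splits the realm out of the User-Name, looks it up in a routing table, and forwards to the first upstream server that is not marked down; requests with no realm stay local, and a realm whose upstreams are all down is rejected rather than routed elsewhere. The realm table, the server addresses and the accepted REALM\user form are this example's assumptions.

```python
"""Realm-based RADIUS proxy routing with failover, as described for the
Identity Engines RADIUS Proxy. Added example, not Avaya code; the realm table,
server addresses and the down-server set are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

LOCAL = "local"   # authenticate against the Ignition Server's own policy

# Constructed routing table: realm -> upstream RADIUS servers in preference order
REALMS: Dict[str, List[str]] = {
    "corp.example.com": ["10.0.60.10:1812", "10.0.60.11:1812"],
    "partner.example": ["10.0.30.5:1812"],
}


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an NAI-style User-Name (RFC 4282 user@realm) into (user, realm).
    The Windows REALM\\user form is also accepted (an assumption of this
    example). Realm is None when the name carries no realm at all."""
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm.lower()
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm.lower()
    return user_name, None


def route(user_name: str, table: Dict[str, List[str]] = REALMS,
          down: frozenset = frozenset()) -> Optional[str]:
    """Pick the upstream for this request.
    - no realm, or a realm not in the table: LOCAL (local policy engine)
    - known realm: first upstream not marked down (failover in list order)
    - known realm, every upstream down: None, i.e. fail closed with an
      Access-Reject rather than authenticating the user somewhere else."""
    _, realm = split_realm(user_name)
    if realm is None or realm not in table:
        return LOCAL
    for server in table[realm]:
        if server not in down:
            return server
    return None


def forward_name(user_name: str, strip_realm: bool = False) -> str:
    """User-Name to send upstream. Some home servers expect the bare user,
    others need the realm kept; in practice make this a per-realm setting."""
    user, _ = split_realm(user_name)
    return user if strip_realm else user_name


if __name__ == "__main__":
    dead = frozenset({"10.0.60.10:1812"})   # pretend the primary timed out
    for name in ("alice@corp.example.com", "CORP\\bob",
                 "guest0042", "eve@partner.example"):
        print(f"{name:26} -> {route(name, down=dead)}")
```

Proxying hands the upstream server both the user's credential exchange and the right to answer with reply attributes (VLAN assignment, for instance), so give each upstream its own shared secret and filter which attributes a proxied Access-Accept may carry back before the enforcement point sees them.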
Identity Engines 8.0
Live Demo
Demo Guest; Server & Logical View (diagram)
– Servers: Ignition Server (IDE), Guest Manager & CASE, Active Directory (PDC), Access Portal, Firewall
– Zones: Guest VRF, Intranet, Internet; wireless & wired users

Demo Guest; Server & Segments View (diagram)
– Segments: Guest VRF, DMZ, Intranet, Out of Band Network, Internet
– Servers: Ignition Server (IDE), Guest Manager & CASE, Active Directory (PDC), Access Portal, Firewall; wireless & wired users
Logical: IP nets (VSP9000-1 / VSP9000-2)

  VLAN   Name      Subnet
  5      Voice     10.0.5.0/24
  100    Guest     10.0.10.0/24
  200    Printer   10.0.20.0/24
  300    Branch    10.0.30.0/24
  500    Data      10.0.50.0/24
  600    Server    10.0.60.0/24
  1000   Mgmt      10.0.100.0/24

VRFs on the VSP9000 pair: VRF Voice, VRF Guest, GRT / VRF0
Identity Engines Resources
Support from Product Management
– Michiel Noordermeer / Markus Nikulski
– Email [email protected] / [email protected]
30-Day Free Trial
– www.avaya.com/identitytrial
– Long-term lab licenses available from product management
Collateral
– http://www.avaya.com/usa/product/identity-engines-portfolio
– Brochures
– Case Studies
– Technical Configuration Guides
Identity Engines - 30-Day Free Trial
IDEngines, fully featured, at www.avaya.com/identitytrial
– Short registration form
– IDEngines licenses sent by email
All modules are included
– Ignition Server SMALL
– MS-NAP
– TACACS+
– Guest Manager
– Analytics
An evaluation deployment can be upgraded to a production deployment simply by applying purchased licenses.
Plan for Success…with Avaya’s BYOD Solution
– Scalable: future-proof wireless
– Identity-based: network access control
– Optimized: for collaborative, real-time applications
– Secure: network & device security