School SSID – easy – the school owns all devices – 100% control – only those devices have access to the resources, anti-virus control, device imaging control, etc., behind the firewall
Guest SSID – Also easy – guests have access to only the internet
BYOD SSID – This is where it gets interesting… because you have teachers and students bringing in their own devices – Teachers needing access to specific resources, students needing access to specific resources.
BYOD - Ruckus way. Right way.
Bring Your Own Design
SIMPLIFYING BYOD WITH RUCKUS
RUCKUS WIRELESS PROPRIETARY AND CONFIDENTIAL
What Enterprises REALLY Want
1 Simple onboarding
2 Automated enforcement of user policies
3 Visibility of who and what is on the WLAN
4 Extension of wired security to WLAN
5 More capacity to deal with flood of devices
6 Leverage existing infrastructure
Don’t Reinvent the Wheel
▪ FIREWALLS
▪ CONTENT FILTERS
▪ AAA SERVERS
▪ ACLs / VLANS
Now What?
Defining the SSID Structure
▪ DOMAIN SSID
  ▪ School owned / managed devices with access to all resources: printers, applications, file shares
▪ Guest Visitor SSID
  ▪ Users who are not in the OUI with access only to the internet
▪ Staff and Student BYOD SSID
  ▪ Non-school owned / managed devices needing Internet access and specified school resources, VLAN and content filtering applied
▪ Provisioning SSID
  ▪ Hotspot with a walled garden attribute, redirecting all users to an activation page
Automating Role-Based Access
▪ DOMAIN: Administrator automatically placed on VLAN W, no rate limits
▪ GUEST: Allowed on via a Guest Pass, accepting terms and conditions; automatically placed on VLAN Z, rate limited at 1 Mbps
▪ STAFF: Staff automatically placed on VLAN X, rate limited at 5 Mbps
▪ STUDENT: Student automatically placed on VLAN Y, rate limited at 1 Mbps
▪ STRANGER: User does NOT have account and is denied
How to BYOD with Ruckus
1 Unknown device associates with provisioning SSID
2 User challenged to authenticate
3 ZD queries LDAP (AAA domain)
4 User placed into requisite role based on security group membership, VLAN dynamically assigned
5 Unique dynamic PSK automatically generated, bound with device and pushed to client
6 Policies applied per role and VLAN membership
What it Looks Like: WHAT HAPPENS WHEN?
1. Users connect to a provisioning SSID and are re-directed to an Internet onboarding portal.
2. Users enter domain credentials which are verified against a user database.
3. The user’s role assignment and permissions are automatically determined based on authentication.
4. Using Zero-IT, the device is auto-provisioned with a dynamic pre-shared key and dynamically assigned to the requisite WLAN.
5. Devices re-connect on a secure WLAN, receiving network permissions according to their role.
[Diagram labels: User Database; Student Resources, Staff Resources, Guest Resources; Onboarding SSID (hotspot), Student SSID, Staff SSID, Guest SSID; New BYOD Devices, Provisioned BYOD, Guest]
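The onboarding flow above, reduced to its policy logic as an added example (not Ruckus code or ZoneDirector configuration). The directory group names, the in-memory stand-in for LDAP, the 32-character key length and the function names `onboard` and `admit` are assumptions made for illustration.

```python
import hmac
import secrets
import string

# Role table from the "Automating Role-Based Access" slide (VLAN letters are the
# slide's placeholders; rate limit in Mbps, None = no limit). GUEST is omitted:
# guests arrive via a Guest Pass, not a directory lookup.
ROLE_POLICY = {
    "DOMAIN": {"vlan": "W", "rate_mbps": None},
    "STAFF": {"vlan": "X", "rate_mbps": 5},
    "STUDENT": {"vlan": "Y", "rate_mbps": 1},
}
# Assumed security-group names, checked in priority order.
GROUP_TO_ROLE = (("Domain Admins", "DOMAIN"), ("Staff", "STAFF"), ("Students", "STUDENT"))
# Constructed stand-in for the LDAP directory (a real deployment binds to LDAP).
DIRECTORY = {
    "asmith": {"password": "correct-horse", "groups": ["Staff"]},
    "bjones": {"password": "battery-staple", "groups": ["Students"]},
}
PSK_ALPHABET = string.ascii_letters + string.digits
bindings = {}  # device MAC -> {"psk", "user", "role"}


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def onboard(username, password, mac):
    """Steps 2-5: authenticate, map group to role, issue a key bound to this MAC."""
    entry = DIRECTORY.get(username)
    if entry is None or not _same(entry["password"], password):
        return None  # STRANGER: no account, denied
    role = next((r for g, r in GROUP_TO_ROLE if g in entry["groups"]), None)
    if role is None:
        return None  # assumption: authenticated but in no mapped group is denied
    psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(32))  # assumed length
    bindings[mac.lower()] = {"psk": psk, "user": username, "role": role}
    return psk


def admit(mac, psk):
    """Step 6: the key is accepted only from the device it was issued to."""
    rec = bindings.get(mac.lower())
    if rec is None or not _same(rec["psk"], psk):
        return None
    return {"user": rec["user"], "role": rec["role"], **ROLE_POLICY[rec["role"]]}
```

Because each key is recorded against one device, a key handed to a second device is rejected, and removing one entry from `bindings` revokes that device without touching any other user's key.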
Key Technologies
Zero IT Automates Onboarding
▪ Requirement: automatic, secure authentication and roaming
▪ Enabled by SSID and authorization protocol configuration
▪ Easy-to-use "One-Click" approach to push configuration
▪ Uses mobile OS auto-detect and -authenticate features, not a separate connection manager app
[Diagram labels: Ruckus Invitation; Branded Landing Page; Configuration; Automatic Authentication Enabled]
D-PSK Automates Security/Config
▪ LDAP sends user security group information to ZD
▪ ZD applies role, generates D-PSK, pushes dissolvable PROV file to device
▪ WLAN profile configured on the device, and allowed on the WLAN based on role.
Client Fingerprinting
Device-Specific Policy Enforcement
[Screenshot labels: Hostname: dstiff's iPhone; MAC: 50:ea:d6:7c:30:e4]
▪ Visibility: "Whose device is this?"
▪ Self-registration
  ▪ Automatically registers and maintains client info on WLAN and Wired interfaces
  ▪ Operating System
  ▪ Hostname
▪ Control by device type
  ▪ Permit/allow
  ▪ Assign to VLAN
  ▪ Rate limit (Down/Up)
▪ Management
  ▪ WLAN controller or standalone
  ▪ WLAN dashboard
  ▪ Client monitor
  ▪ Client details