The “Bring Your Own Device” Conversation

Prapankorn Wongmaytha ([email protected]), Systems Engineer, Cisco Systems

26 October, 2012

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


“I need to improve my customer service”

“My staff needs the latest information at their devices”

“My staff needs to collaborate…from wherever they are”

“I need to monitor/manage/enable task-specific devices”

“I want to stay ahead of Single Policy”

“My users are demanding BYOD and I need to get ahead of the curve”

“I need to allow Student, Faculty, Guest access to my network”

“I have a specific use case, not on this list”


Higher Education - Drivers

• Majority of new network devices will have no wired port

• Users are starting to bring 5 or more WLAN devices each

• Mobile devices have become an extension of an individual’s personality

• Users will change devices more frequently than in the past

• Guest access with accountability has become a must-do


Trends, 1997 to 2014

[Figure: timeline labelled Mobility / WLAN and BYOD / Unified Access]


802.11ac = game changer

[Chart: 802.11 data rates by generation, with the years 1999, 2003 and 2007 marked, covering 802.11, 802.11b, 802.11ag, 802.11n, 802.11ac Wave 1 (2013) and 802.11ac Wave 2 (2014). Rate labels for 802.11 through 802.11n: 2, 11, 24, 54, 65, 300, 450 and 600 Mbps. Rate labels for 802.11ac Wave 1 and Wave 2: 290, 870, 1300, 1730*, 3500* and 6900 Mbps. Other labels: 1 Spatial Stream, 3 Spatial Streams, 8 Spatial Streams, Gigabit Ethernet Uplink, 2 Gigabit Ethernet Uplinks.]

* Assumes 160MHz channel width is available and usable

802.11n compared with 802.11ac (802.11n value first, 802.11ac value second):

• Band: 2.4GHz & 5.0GHz; 5.0GHz only
• PHY Rate: 65 Mbps – 600 Mbps; 290 Mbps – 6.9 Gbps
• MAC Throughput: 45 Mbps – 420 Mbps; 194 Mbps – 4.8 Gbps
• Spatial Streams: 4; 8
• Modulation: 64 QAM; 256 QAM
• Channel Width: 20 or 40 MHz; 20, 40, 80, *80+80, 160 MHz

Key benefits:

• Increased speed
• Improved battery life


• A field-upgradable 802.11ac module add-on to the AP3600

• 802.11ac Wave 1 – 5 GHz AP3600 Module
  - 5 GHz radio module
  - Supporting 802.11a and n clients along with ac clients
  - 1.3 Gbps PHY / ~1 Gbps MAC (throughput)
  - 3 Spatial Streams, 80 MHz, 256 QAM
  - Explicit Beamforming support as per the 802.11ac standard

• AP3600 maintains dual-band support 2.4 and 5 GHz
  - Supporting b/g/n on 2.4 GHz and a/ac/n on 5 GHz

• Power requirement with the 802.11ac Module installed
  - Power draw with 802.11ac Module exceeds 15.4 Watts (802.3af), and will require either: Enhanced PoE, 802.3at PoE+, Local Supply or Power Injector 4

• Universal Mounting Brackets (Bracket-2) required, or Ceiling Mounting Brackets (Bracket-3)


Smartphones from 210 Mbps

Tablets from 460 Mbps

High End Laptops from 680 Mbps

802.11ac Performance Table


Authenticate User

Fingerprint the Device

Apply District Configuration

Education Apps

Automatic Policies


Contextual Policy: Onsite

Student (legend: No, Yes)

• Student Information System
• Learning Management System
• WebEx, Personal TP
• District Portal
• Digital Textbooks
• Email, IM
• Internet

Access Limited

Restricted


Contextual Policy: Onsite

Faculty (legend: No, Yes)

• Student Information System
• Learning Management System
• Webex, Personal TP
• District Portal
• Digital Textbooks
• Email, IM
• Internet

Access Full


Contextual Policy: Onsite

Guest (legend: No, Yes)

• Student Information System
• Learning Management System
• Webex, Personal TP
• Communications Systems
• District Portal
• Digital Textbooks
• Email, IM
• Internet

Access Limited


Ms. Blair

There will be a quiz tomorrow on this chapter.


Access: Limited

Student (legend: No, Yes)

• Student Information System
• Learning Management System
• Learning Content Management System
• District Portal
• Digital Textbooks
• Email, IM
• Internet

Restricted


Student (legend: No, Yes)

• Student Information System
• Learning Management System
• Learning Content Management System
• District Portal
• Digital Textbooks (web with user name and pw)
• Email, IM
• Internet

Restricted


The Next Generation Workspace Built on an Intelligent Network

• Limited Access: Pervasive wireless within the enterprise. Wireless Access for fixed devices.
• Basic: Integration of guests / Student / Faculty. Sample: Internet Access, Guest Network Service.
• Enhanced: User needs workspace access to application plus confidential information based on location.
• Advanced: User needs full workspace regardless of location. IT needs to control and manage data.


How Do I Control Who and What Access the Network?


• The Burden Falls on IT

Top of Mind Concerns

DEVICE PROLIFERATION

• How do I ensure consistent experience on all devices?

• How do I implement multiple security policies per user, device?

• How and what do I support?

• How do I manage the risk of students bringing their own devices?


• The Burden Falls on IT

Top of Mind Concerns

CHANGING WORKFORCE

• Am I hindering my workforce from being competitive?

• How do I retain top talent?

• How do I ensure compliance with SOX, HIPAA, etc.?

• Can I handle Staff, Faculty, Student appropriately?


• The Burden Falls on IT

Top of Mind Concerns

VIRTUALIZATION

• How do I know who is accessing my virtual desktop infrastructure?

• How do I secure access to my data across the cloud… (Pool Resource) in a scalable way?

• Can I ensure compliance across geographic boundaries?


Comprehensive Visibility: Identity and Context Awareness

Identity (802.1X)-Enabled Network

IDENTITY: 802.1X, MAB, WebAuth on CISCO SWITCHES, ROUTERS, WIRELESS ACCESS POINTS

CONTEXT: WHO, WHAT, WHERE, WHEN, HOW (Guest Access, Profiling, Posture)

Examples shown:

• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; Chicago Branch
• Francois Didier: Consultant; HQ—Strategy; Remote Access; 6 p.m.
• Personal iPad: Employee Owned; Wireless HQ


• I want users and devices to receive appropriate network services (dACL, QoS, etc.)
• I want to allow guests into the network
• I want to allow the “right” users and devices on my network
• I need to ensure my endpoints don’t become a threat vector
• I need to allow/deny iPads in my network (BYOD)
• I need a scalable way of authorizing users or devices in the network

Cisco ISE (Methodology):

• Authorization Services
• Guest Lifecycle Management
• Profiling Services
• Authentication Services
• Posture Services
• Security Group Access Management


A Framework for Native Applications

“My users use multiple devices including their own; they are mobile and need role-based access to the Internet and internal apps.”

[Diagram labels: Security; Unified VPN Client; Wired Access; Wireless Control; Identity; MDM (Mobile Device Mgmt); Cloud/Mobile Security; Cloud/Mobile Services; Unified Management]

• Configure and enforce consistent policies across the network
• Simplify on-boarding and management
• Unify wired/wireless/mobile with a single VPN client
• Protect against Malware with cloud-connected hybrid web security
• Optimize wireless capacity and reliability
• Collaborate seamlessly across devices


A Virtual Solution for BYOD

Virtual Experience Infrastructure

“My users need mobile access and my organization needs to meet strict audit and security standards, so finding a solution that balances both is important.”

• Fully virtualized desktop keeps all data centralized for audit and security
• Consistent user and IT experience on all clients (VXI, Thin) empowers user
• Integrated security (SSO, VPN) on all virtual clients
• Consistent policies across VXI and non-VXI
• Optimized VXI traffic through WAN optimization
• Enhanced voice/video on virtual clients
• End-to-end infrastructure for virtual desktops— strong partnerships

[Diagram labels: BRANCH; Virtualization-Aware Borderless Network; WAAS; ISR; CDN; MS Office; Desktop Virtualization Software; Virtualized Data Center; Microsoft OS; Hypervisor; Virtual Unified CM; Cisco Collaboration Applications; Thin Client Ecosystem; Virtualized Collaborative Workspace; WAAS; Nexus; ACE; Virtual Quad; CISCO CLIENTS; Cius Business Tablets; Cisco Desktop Virtualization Endpoints; Cisco; WAN]


Build on what you already have

VPN External Wi-Fi Internal Wi-Fi Wired

Devices Layer

Smartphones

Desktop/Notebooks

Tablets

Thin/Virtual Clients (VXC)

Connectivity Layer

Limited Access

Firewall Router Wireless Switching ISE NCS Prime

Basic

ISE NCS Prime AnyConnect ScanSafe ESA/WSA

Enhanced

ISE NCS Prime VXI Quad Jabber Webex

Advanced

MDM App Virtualization


What’s Next For You?

BYOD is not a product you buy, but a strategy you build

You already have many of the pieces

Different companies are in different places on the “BYOD” spectrum

Cisco has solutions for where you are now, and where you want to be

Only Cisco has the Intelligent Network to help build that strategy

Portfolio breadth, expertise, end-to-end vision and architecture

Let’s get started…


Higher Education - Use Cases

Column labels: Advanced BYOD, Basic Mobility, Basic BYOD, BYOD-Faculty, BYOD-Guest, BYOD-Student

• Campus-wide Wi-Fi
• Wireless BYOD
• Mobilemail
• Internet access
• Personal Mobile Device with Profiling
• Restricted Campus Intranet (Proxy HTTPS or VLAN/ACL filtering)

• Campus-wide Wi-Fi
• Wireless BYOD
• Mobilemail
• Personal Mobile Device with Profiling and Provisioning
• VPN Access
• Unrestricted Campus resource access

• Wired BYOD
• Voice / Video everywhere
• VDI / VXI
• MDM (Mobile Device Management)

• Guest Wi-Fi
• Wireless BYOD
• Mobilemail only
• Rate limited Internet access only


5 Dimensions of Policy and Provisioning

IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy

[Table: columns Time, Location, Access Method, Device, User and Policy. Values shown: Guest, Student, Faculty; Personal Device, Faculty Device; Wired, Wireless, VPN; Anywhere, Wireless Classrooms, Library; Anytime, M–F 8 am–6 pm; Captive Portal, DMZ Guest Tunnel, Guest VLAN, Student VLAN, Student ACL, Faculty VLAN, Faculty ACL]
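
The rule form on this slide (IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy) as a first-match evaluator with default deny, plus a check for rules that an earlier, broader rule makes unreachable. This is an added example, not Cisco ISE code or configuration and not part of the original deck; the rule rows, the `Deny` result and all function names are assumptions built from the values named on the slide.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

ANY = None        # wildcard: "Anywhere" / "Anytime" on the slide
DENY = ("Deny",)  # assumed default result when no rule matches


@dataclass(frozen=True)
class Context:
    identity: str   # $Identity: Guest, Student, Faculty
    device: str     # $Device: Personal Device, Faculty Device
    access: str     # $Access: Wired, Wireless, VPN
    location: str   # $Location
    when: datetime  # $Time


def business_hours(t: datetime) -> bool:
    """M-F 8 am-6 pm, the one time window named on the slide."""
    return t.weekday() < 5 and 8 <= t.hour < 18


@dataclass(frozen=True)
class Rule:
    identity: str
    device: Optional[str]
    access: Optional[frozenset]
    location: Optional[str]
    time_ok: Optional[Callable[[datetime], bool]]
    policy: tuple

    def matches(self, ctx: Context) -> bool:
        # The five conditions are ANDed; a wildcard dimension always passes.
        return (
            ctx.identity == self.identity
            and (self.device is ANY or ctx.device == self.device)
            and (self.access is ANY or ctx.access in self.access)
            and (self.location is ANY or ctx.location == self.location)
            and (self.time_ok is ANY or self.time_ok(ctx.when))
        )


W = frozenset
# Constructed rule rows (assumption), ordered most specific first.
RULES = [
    Rule("Faculty", "Faculty Device", W({"Wired", "Wireless", "VPN"}), ANY, ANY,
         ("Faculty VLAN",)),
    Rule("Faculty", "Personal Device", W({"Wired", "Wireless"}), ANY, ANY,
         ("Faculty VLAN", "Faculty ACL")),
    Rule("Student", "Personal Device", W({"Wireless"}), "Library", ANY,
         ("Student VLAN",)),
    Rule("Student", "Personal Device", W({"Wired", "Wireless"}), ANY, ANY,
         ("Student VLAN", "Student ACL")),
    Rule("Guest", "Personal Device", W({"Wireless"}), ANY, business_hours,
         ("Guest VLAN", "Captive Portal", "DMZ Guest Tunnel")),
]


def evaluate(ctx, rules=RULES):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.policy
    return DENY


def covers(a, b):
    """True if every context matched by rule b is also matched by rule a."""
    return (
        a.identity == b.identity
        and (a.device is ANY or a.device == b.device)
        and (a.access is ANY or (b.access is not ANY and b.access <= a.access))
        and (a.location is ANY or a.location == b.location)
        and (a.time_ok is ANY or a.time_ok is b.time_ok)
    )


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:j])]


# Constructed sample times: Tuesday 10:00, Friday 18:00, Saturday 10:00.
TUE_10 = datetime(2012, 10, 23, 10, 0)
FRI_18 = datetime(2012, 10, 26, 18, 0)
SAT_10 = datetime(2012, 10, 27, 10, 0)

if __name__ == "__main__":
    guest = Context("Guest", "Personal Device", "Wireless", "Library", TUE_10)
    print(evaluate(guest), shadowed(RULES))
```

Because the first match wins, placing the broad Student rule ahead of the Library rule would silently widen access; `shadowed` flags that ordering before the rule set is deployed.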


Unified Access Management Higher Education


Best in Class and Best of Breed

Who? What? When? Where? How?

Mobility / RF Innovation (Predictability); Policy & Network Management

• CleanAir: Chip level proactive and automatic interference mitigation
• ClientLink: Chip level proactive and automatic electronic beamforming
• VideoStream: Chip level wired multicast over a Wireless network
• Radio Resource Management: Simplified advanced RF management
• BandSelect: Proactive and automatic band steering for 5GHz capable clients
• AnyConnect: Persistent context-aware VPN connectivity
• ISE (Control)
• Prime NCS (Visibility)


Cisco ISE–Provides Unparalleled Control

Industry’s First Context-Based Wired+Wireless+VPN Policy/Guest Management

Improved Control

Wired | VPN | Wireless

Simple | Unified | Automated

Who? What? When? Where? How?

AAA + PP = Secure BYOD

BEFORE: Separate policy and guest management

AFTER: Unified context-based policy management for employees and guests across the network


All ISE nodes registered to Administration Node

Information Store

Profiled Endpoint Distribution

Posture Compliance

Metric Meters

Authentication Summary

Authentication Failures

Summarized Alarms


Example Faculty or Student User Walkthrough—Wireless

Policy Engine

Personal Device Profiling and Provisioning

1. AAA—Authentication, Authorization and Accounting (RADIUS)

2. Profile Device using multiple probes (OUI + DHCP + HTTP)

3. User is redirected to “My Device Page” and walked through provisioning

4. Device is provisioned for Campus Wi-Fi Network access

5. Device associates securely to Campus SSID and is granted access

[Diagram labels: Personal Wireless Capable Device; Wireless LAN Controller; SSID; Policy Engine; Profiling (USER, CONFIG, DEVICE; OUI, DHCP, HTTP); Provisioning (USER, My Device Page, CONFIG, DEVICE); Directory; PKI CA; DNS; NETFLOW; SNMP; Corporate Resources; Internet]


Example Faculty User Walkthrough—Wired

Personal Device Profiling and Provisioning

1. AAA - Authentication, Authorization and Accounting (RADIUS)

2. Profile Device using multiple probes (OUI + DHCP)

3. User is redirected to “My Device Page” and walked through provisioning

4. Device is provisioned for Campus Wired Network access

5. Device connects securely with appropriate access policy

[Diagram labels: Personal Wired Capable Device; Switch; Policy Engine; Profiling (USER, CONFIG, DEVICE; OUI, DHCP, HTTP; OUI, DHCP); Provisioning (USER, My Device Page, CONFIG, DEVICE); Directory; PKI CA; DNS; NETFLOW; SNMP; Corporate Resources; Internet]


Example Higher Education Walkthrough—Guest

• Account Sponsorship: Approved Sponsor Creates Account.
• Account Notification: Credentials Automatically Provided to Guest Via Email, SMS, or Printed Receipt
• Captive Portal: Web Browser Redirects to Login Screen
• User Can Manage Access for Their Own Device
• Access Granted

Successful Authentication

• Isolated Guest Network on DMZ

• Role Based Policy Applied

• User granted access to Internet

[Diagram labels: ISE; Policy / Guest Engine; Internal WLC; Anchor WLC; Guest User on DMZ; DMZ; Internet]


Cisco Prime NCS–Provides Unparalleled Visibility

Single Pane of Glass View and Management of Wired+Wireless+Identity

Improved Visibility

BEFORE: Separated management (Wireless, Wired, Identity)

• Siloed: Inefficient Operational Model
• Repetitive: Manual correlation of data
• Error Prone: Consumes time and resources

AFTER: Comprehensive user and access visibility with advanced troubleshooting (Wireless, Wired, Identity)

• Simple: Improves IT efficiency
• Unified: Single view of all user access data
• Advanced Troubleshooting: Less time and resources consumed


Cisco Prime Network Control System (NCS)

USE CASE: User calls in to help center because they cannot get access to financial data on the network. IT determines if they are authorized to access this area.

1. Search on user name

2. Identify wired and wireless devices associated with the user

3. Display associated and disassociated devices

4. Use automated client troubleshooting workflow to resolve the issue

5. Issue resolved

Troubleshoot user and access issues based on identity

Speed resolution with intuitive guided workflows

Step by Step Recommendations


USE CASE: End User calls about issues with his Mobile Jabber Video App

1. User calls and complains about video problem on his Cius

2. Isolate the end user problem

3. View the application status

4. Quickly identify the source of the problem

5. Fix the problem (WAN optimization)

Reduces expertise by normalizing and correlating performance data

Quickly identify the source of the problem

[Diagram labels: End-Users Complain; Where is the problem; WAN; Cisco WAAS; Cisco Nexus 1000V; VM, VM, VM, VM; Application Servers; Virtual DC and Cloud]


Unified Access Control (Application Visibility & Control) Higher Education


Cisco SGA—User & Resource based Segmentation

Multiple options for policy and segmentation:

• VLANs – interface-based Layer 2 segmentation

• Downloadable ACL (wired) or Named ACL (wireless) – interface-based Layer 2, 3 & 4 segmentation

• Secure Group Access – user and resource based Layer 2, 3 & 4 segmentation – independent of topology

Secure Group Access: SXP, SGT, and SGACL

BEFORE: Interface-based segmentation

AFTER: User-based segmentation

[Diagram labels: dACL or Named ACL; Secure Group Access; VLANS; ACL; L2 Segmentation; Contractor; Guest; VLAN 4; Employee; VLAN 3; Remediation; Employees; IP Subnet; IP/Port; Any; Finance; Doctor; Finance; Policy]


Cisco WLAN AVC and Prime Assurance Provides Unparalleled Visibility & Control

Identify, Analyze, and Optimize Application Traffic

View, Control and Troubleshoot - End User Application Experience

Improved Visibility & Control

BEFORE: Application View & Control based on L4 Firewall sessions

• First Generation Firewall: FW L4 Session Visibility and Control
• HTTP = 75%, SMTP = 15%, FTP = 2%, Telnet = 1%, SNMP = 3%
• Visibility to the port level interaction but not the applications running within the port

AFTER: Network Based Application Recognition - NBAR2

• Deep Packet Inspection and App ID
• NBAR2 LIBRARY: Deep Packet inspection
• Traffic: Real Time, Interactive, Non-Real Time, Background
• POLICY: Packet Mark and Drop
• Wireless LAN Controller


AVC can be enabled on a per-WLAN basis

You can see a global summary


1000+ applications can be detected by default


Custom AVC Profiles can be created to do traffic shaping

Apply the custom profile per WLAN


Mobility / BYOD / Unified Access Higher Education

Cisco’s Leadership


[Chart: 802.11 amendments and the matching Wi-Fi certifications, grouped under CONNECTIVITY, SECURITY, SEAMLESS, SPECTRUM, APPLICATIONS and MANAGEMENT. Legend: Blue = complete; Red = in development; Cisco Active; Cisco Driven; CCX Driven.]

802.11 amendment: Wi-Fi certification

• 802.11ad (60GHz): WiGig
• 802.11af (TVWS)
• 802.11ac (>1Gb/s): Wi-Fi VHT5G
• 802.11y (3.6GHz)
• 802.11ae (QoS for management)
• 802.11n (>100Mb/s): Wi-Fi 11n
• 802.11w (MFP): MFP
• 802.11u: Hotspot 2.0
• 802.11aa (Video)
• 802.11v (Manage): WNM
• 802.11j (Japan)
• 802.11a/g (54Mb/s): Wi-Fi 11a/g
• 802.11i (Security): WPA2
• 802.11r (Roaming): Voice-Enterprise
• 802.11h (DFS): Standard Wi-Fi
• 802.11e (QoS): WMM, WMM-AC
• 802.11k (Measure): Voice-Enterprise


• Over 90% of the Mobility/WLAN industry silicon is CCX compatible

• Over seventy-five (75) Partners license CCX in the CDN Program

• Over 350 Devices and Tags are CCX Certified (“Cisco Compatible”)

• Over 730 Companies in the CDN Program across Cisco CDO


• Cisco Provided the wireless network for IPv6 World Congress 2012 http://blogs.cisco.com/sp/touch-and-feel-ipv6-wi-fi/

• Network deployment–WLC 5508’s Aironet 1140’s, NCS 1.1 and ISE 1.1 providing unique device profiling

World Congress Wireless Network—“V6 World Congress 2012”

NCS Prime Report Graphics:

• 1068 Unique Clients

• Around 560 simultaneous Clients

• 46.09% Dual-Stack Clients

• 46.41% IPv4-Only Clients

• 7.5% IPv6-Only Clients


Q & A


Thank You