BYOD - Ruckus way. Right way
DESCRIPTION
How to enable BYOD in your Wi-Fi network the right way.
TRANSCRIPT
RUCKUS WIRELESS PROPRIETARY AND CONFIDENTIAL
Bring Your Own Design
SIMPLIFYING BYOD WITH RUCKUS
The Realities of BYOD
What Enterprises REALLY Want
1. Simple onboarding
2. Automated enforcement of user policies
3. Visibility of who and what is on the WLAN
4. Extension of wired security to WLAN
5. More capacity to deal with flood of devices
6. Leverage existing infrastructure
Don’t Reinvent the Wheel
FIREWALLS
CONTENT FILTERS
AAA SERVERS
ACLs / VLANS
USE WHAT YOU HAVE
Now What?
SIMPLIFYING BYOD WITH RUCKUS
Defining the SSID Structure
▪ DOMAIN SSID
  ▪ School owned / managed devices with access to all resources: printers, applications, file shares
▪ Guest Visitor SSID
  ▪ Users who are not in the OUI with access only to the internet
▪ Staff and Student BYOD SSID
  ▪ Non-school owned / managed devices needing Internet access and specified school resources, VLAN and content filtering applied
▪ Provisioning SSID
  ▪ Hotspot with a walled garden attribute, redirecting all users to an activation page
Automating Role-Based Access
DOMAIN
Administrator automatically placed on VLAN W, no rate limits
STAFF: Staff automatically placed on VLAN X, rate limited at 5 Mbps
STUDENT: Student automatically placed on VLAN Y, rate limited at 1 Mbps
GUEST: Allowed on via a Guest Pass, accepting terms and conditions; automatically placed on VLAN Z, rate limited at 1 Mbps
STRANGER: User does NOT have account and is denied
How to BYOD with Ruckus
1. Unknown device associates with provisioning SSID
2. User challenged to authenticate
3. ZD queries LDAP (AAA domain)
4. User placed into requisite role based on security group membership, VLAN dynamically assigned
5. Unique dynamic PSK automatically generated, bound with device and pushed to client
6. Policies applied per role and VLAN membership
What it Looks Like
WHAT HAPPENS WHEN?
[Diagram labels: Internet; Guest; New BYOD Devices; Provisioned BYOD; User Database; Student Resources; Staff Resources; Guest Resources; Student SSID; Student; Staff SSID; Guest SSID (hotspot); Onboarding SSID]
1. Users connect to a provisioning SSID and are re-directed to an onboarding portal.
2. Users enter domain credentials which are verified against a user database.
3. The user’s role assignment and permissions are automatically determined based on authentication.
4. Using Zero-IT, the device is auto-provisioned with a dynamic pre-shared key and dynamically assigned to the requisite WLAN.
5. Devices re-connect on a secure WLAN, receiving network permissions according to their role.
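The onboarding steps above (directory group lookup, role and VLAN assignment, a unique dynamic PSK bound to the device) modelled as an added illustration; this is not Ruckus or ZoneDirector code. The group names, the in-memory directory and the Onboarder class are hypothetical; the VLAN letters and rate limits are the ones on the role-based access slide.

```python
import hmac
import secrets

# Role table from the "Automating Role-Based Access" slide (VLAN letters are the slide's).
# Group names are hypothetical; list order is precedence (first match wins).
ROLE_BY_GROUP = [
    ("wifi-admins", {"role": "administrator", "vlan": "W", "rate_mbps": None}),
    ("wifi-staff", {"role": "staff", "vlan": "X", "rate_mbps": 5}),
    ("wifi-students", {"role": "student", "vlan": "Y", "rate_mbps": 1}),
]
# Constructed stand-in for the LDAP lookup: username -> security groups.
DIRECTORY = {"alice": {"wifi-staff"}, "bob": {"wifi-students", "wifi-staff"}}

def normalize_mac(mac):
    """Canonical form, so one device cannot hold bindings under two spellings."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def resolve_policy(username):
    """Policy for the user's highest-precedence group; None means deny (stranger)."""
    groups = DIRECTORY.get(username, set())
    for group, policy in ROLE_BY_GROUP:
        if group in groups:
            return policy
    return None

class Onboarder:
    def __init__(self):
        self.bindings = {}  # normalized MAC -> (psk, policy)

    def provision(self, username, mac):
        """Issue a unique random PSK bound to this device; refuse users with no role."""
        policy = resolve_policy(username)
        if policy is None:
            raise PermissionError("no account or no mapped group: denied")
        psk = secrets.token_urlsafe(32)  # CSPRNG output, not derived from MAC or username
        self.bindings[normalize_mac(mac)] = (psk, policy)
        return psk

    def authorize(self, mac, presented_psk):
        """Return the bound policy only if this key was issued to this MAC."""
        entry = self.bindings.get(normalize_mac(mac))
        if entry and hmac.compare_digest(entry[0].encode(), presented_psk.encode()):
            return entry[1]
        return None

    def revoke(self, mac):
        self.bindings.pop(normalize_mac(mac), None)
```

Because each device holds its own key, revoking one binding cuts off that device without rekeying any other client.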
Key Technologies
SIMPLIFYING BYOD WITH RUCKUS
Zero IT Automates Onboarding
▪ Requirement: automatic, secure authentication and roaming
  ▪ Enabled by SSID and authorization protocol configuration
  ▪ Easy-to-use Ruckus approach to push configuration
  ▪ Uses mobile OS auto-detect and -authenticate features, not a separate connection manager app
[Diagram labels: Invitation; Branded Landing Page; ‘One-Click’ Configuration; Automatic Authentication Enabled]
D-PSK Automates Security/Config
LDAP sends user security group information to ZD
ZD applies role, generates D-PSK, pushes dissolvable PROV file to device
WLAN profile configured device, and on the WLAN based on allowed by role.
Client Fingerprinting
Device-Specific Policy Enforcement
▪ Visibility: “Whose device is this?”
▪ Self-registration
  ▪ Automatically registers and maintains client info on WLAN and Wired interfaces
  ▪ Operating System
  ▪ Operating System Hostname
▪ Control by device type
  ▪ Permit/allow
  ▪ Assign to VLAN
  ▪ Rate limit (Down/Up)
▪ Management
  ▪ WLAN controller or standalone
  ▪ WLAN dashboard
  ▪ Client monitor
  ▪ Client details
Hostname: dstiff’s iPhone
MAC: 50:ea:d6:7c:30:e4