settings, including WPA2-Enterprise EAP parameters and server/user certificates. For example, once users are allowed access to an open enterprise “guest” WLAN, they can access a URL to download a configuration profile. That can get complicated, so some organizations now use platforms such as Cloudpath Networks’ Xpress Connect, which automates portal-based WLAN connections for Windows, Mac OS X, Ubuntu, Android, and iOS users—including ActiveX for unmanaged Windows BYODs. This approach automates and simplifies WLAN onboarding by minimizing dependencies to accommodate diverse devices and ownership. It can even be integrated with enterprise directories and certificate authorities to install different WLAN credentials for each authenticated user/device. However, this approach doesn’t enable configuration updates or ongoing enforcement, nor can it be extended to meet other BYOD needs.


IMAGE © PHLOXII / FOTOLIA   CONNECTION/BUSINESS IT 2013.Q4 23

Provisioning Platforms that Go Deeper on WLAN Access Policy

Automated WLAN onboarding can get more specific on access policy when integrated with traffic inspection functions that are built into the network. In this scenario, a “vanilla” captive portal can offer every user the same self-install links and opportunities for guest networking, but then WLAN access points (APs) can be configured with client classification policies that offer more fine-tuned network access. Aerohive Networks’ HiveAPs, for example, can be configured with client classification policies that automatically redirect personal devices based on Wi-Fi MAC address prefix, fingerprinted operating system, and device domain. These classifications could be used to apply different firewall rules to, say, unknown Android tablets as opposed to recognized iPads. Through this method, recognized iPads might be redirected to a platform that installs an iOS configuration profile based on an observed username, while unrecognized devices could be redirected to a portal where users can receive individual PSKs and thus join a WPA2-Personal secured WLAN.

This approach focuses on using the network itself as well as its traffic content to automate WLAN onboarding. Combining WLAN traffic inspection and firewall capabilities with device and OS fingerprinting streamlines the steps users may have to take in order to connect their devices to the network. Broader BYOD management may, however, require additional steps or IT resources.
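To make the client classification flow described above concrete, here is an added example (my own illustration, not Aerohive's HiveAP configuration or any vendor's code) of an ordered policy that classifies a client by MAC address prefix, fingerprinted OS and device domain, then maps it to a redirect target and a firewall rule set. The OUI table, vendor names, portal paths and rule-set names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed OUI table for this example: the prefixes are invented, not real IEEE
# assignments. A production policy would use the AP's own vendor database instead.
OUI_VENDOR = {"02:AA:01": "TabletCo", "02:BB:02": "PhoneCo"}
# OS that fingerprinting is expected to report for each constructed vendor prefix.
VENDOR_OS = {"TabletCo": "iOS", "PhoneCo": "Android"}

@dataclass
class Client:
    mac: str                 # Wi-Fi MAC address as seen by the AP
    os_fingerprint: str      # OS inferred from DHCP/HTTP traffic inspection
    domain: Optional[str]    # device domain if joined, None for personal devices
    username: Optional[str]  # username observed at the captive portal, if any

@dataclass
class Decision:
    device_class: str
    action: str              # "allow", "redirect" or "quarantine"
    destination: str         # redirect target, or "-" when not redirected
    firewall: str            # firewall rule set applied to the client

def oui_of(mac: str) -> str:
    """Normalise any common MAC notation and return its 3-byte OUI prefix."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def classify(c: Client) -> Decision:
    """Ordered rule evaluation: the first matching rule decides, as on an AP policy."""
    vendor = OUI_VENDOR.get(oui_of(c.mac))
    if c.domain is not None:
        return Decision("domain-joined", "allow", "-", "corporate")
    # A MAC prefix alone is weak evidence, so a recognised prefix is only trusted
    # when the fingerprinted OS agrees with it; otherwise the client is fenced off.
    if vendor and VENDOR_OS[vendor] != c.os_fingerprint:
        return Decision("oui-fingerprint-mismatch", "quarantine", "-", "restricted")
    if vendor == "TabletCo" and c.os_fingerprint == "iOS" and c.username:
        # Recognised tablet with a known user: hand it to the profile installer.
        return Decision("recognized-tablet", "redirect",
                        f"profile-installer?user={c.username}", "onboarding")
    if c.os_fingerprint == "Android":
        return Decision("unknown-android", "redirect", "psk-portal", "guest")
    return Decision("unrecognized", "redirect", "psk-portal", "guest")
```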


Mobile Device Managers for Auto-Enrollment

Mobile device managers (MDMs) can help IT shops implement more complex policy that allows access by user or group, device ownership, make and model, OS level, configuration, and integrity. They can also update settings to reflect ongoing changes in WLAN design and enforce real-time policies that address BYOD misuse or compromise.

Using this approach, users that connect to an open enterprise “guest” WLAN are redirected to an MDM enrollment page. (Alternatively, users could be sent email or SMS notifications containing personalized enrollment URLs.) Upon visiting the enrollment page, users are required to log in or supply an activation code, at which point the MDM can compare user or group, ownership, and device details to policies that determine provisioning. If a personal device is accepted, the system issues a device certificate and configures the device with many settings and applications, including enterprise WLAN credentials and connections, enterprise VPN tunnels, and enterprise mail settings.

Dozens of MDM products support full device enrollment and can be used to automate WLAN onboarding. Some have been specifically integrated with WLAN infrastructure. For example, Meraki offers a free basic MDM to its Enterprise Cloud Controller customers. Aerohive collaborates with JAMF Software LLC to provide automated MDM enrollment of Apple devices. Aruba Networks Inc. offers a ClearPass Access Management System appliance that integrates with third-party MDMs through published APIs.

These are just a few examples of ways to integrate WLAN infrastructure with MDMs and other tools for automated BYOD access provisioning. There are a host of other strategies, and even more will emerge. If you’re shopping for a way to manage BYOD and WLAN access, start by asking both WLAN and MDM vendors about their approach to WLAN onboarding and be sure they take automation, flexibility, and device diversity into account.


ABOUT THE AUTHOR

Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.

