3. What Enterprises REALLY Want
1 Simple onboarding
2 Automated enforcement of user policies
3 Visibility of who and what is on the WLAN
4 Extension of wired security to WLAN
5 More capacity to deal with flood of devices
6 Leverage existing infrastructure
3 | Meeting Name
4. Don’t Reinvent the Wheel
FIREWALLS, CONTENT FILTERS, AAA SERVERS, ACLs / VLANS
6. Defining the SSID Structure
▪ DOMAIN SSID
▪ School owned / managed devices with access to all resources:
printers, applications, file shares
▪ Guest Visitor SSID
▪ Users who are not in the OUI with access only to the internet
▪ Staff and Student BYOD SSID
▪ Non-school owned / managed devices needing Internet access and
specified school resources, VLAN and content filtering applied
▪ Provisioning SSID
▪ Hotspot with a walled garden attribute, redirecting all users to
an activation page
7. Automating Role-Based Access
DOMAIN: Administrator automatically placed on VLAN W, no rate limits
GUEST: Allowed on via a Guest Pass, accepting terms and conditions; automatically placed on VLAN Z, rate limited at 1 Mbps
STAFF: Staff automatically placed on VLAN X, rate limited at 5 Mbps
STUDENT: Student automatically placed on VLAN Y, rate limited at 1 Mbps
STRANGER: User does NOT have account and is denied
8. How to BYOD with Ruckus
1 Unknown device associates with provisioning SSID
2 User challenged to authenticate
3 ZD queries LDAP (AAA domain)
4 User placed into requisite role based on security group membership, VLAN dynamically assigned
5 Unique dynamic PSK automatically generated, bound with device and pushed to client
6 Policies applied per role and VLAN membership
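The six steps above, together with the role table from the "Automating Role-Based Access" slide, modelled as an added example (not Ruckus code and not part of the original deck). The group names, the `Onboarding` class and its in-memory key store are assumptions; `admit` stands in for the WPA handshake a real controller would use to check the key.

```python
import hmac
import secrets

# Role table from the "Automating Role-Based Access" slide.
# VLAN letters are the slide's placeholders; rate limits in Mbps (None = no limit).
ROLE_POLICY = {
    "DOMAIN":  {"vlan": "W", "rate_mbps": None},
    "STAFF":   {"vlan": "X", "rate_mbps": 5},
    "STUDENT": {"vlan": "Y", "rate_mbps": 1},
    "GUEST":   {"vlan": "Z", "rate_mbps": 1},  # reached via Guest Pass, not modelled here
}

# Assumed mapping of directory security groups to roles (group names are hypothetical).
# Ordered from most to least privileged; the first match wins.
GROUP_TO_ROLE = [
    ("Domain Admins", "DOMAIN"),
    ("Staff", "STAFF"),
    ("Students", "STUDENT"),
]


def resolve_role(groups):
    """Return the role for a set of security groups, or None for a STRANGER."""
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return None


class Onboarding:
    def __init__(self):
        self._keys = {}  # normalized MAC -> (psk, role)

    def provision(self, mac, groups):
        """Steps 4-6: pick the role, issue a PSK unique to this device, return its policy."""
        role = resolve_role(groups)
        if role is None:
            return None  # STRANGER: no account, denied
        psk = secrets.token_urlsafe(32)  # random per device, never shared between devices
        self._keys[mac.lower()] = (psk, role)
        return {"role": role, "psk": psk, **ROLE_POLICY[role]}

    def admit(self, mac, psk):
        """Accept a key only from the device it was bound to; return its policy or None."""
        entry = self._keys.get(mac.lower())
        if entry is None or not hmac.compare_digest(entry[0], psk):
            return None
        return {"role": entry[1], **ROLE_POLICY[entry[1]]}

    def revoke(self, mac):
        """Remove one device's key without touching any other device."""
        self._keys.pop(mac.lower(), None)
```

Because each key is bound to one MAC, a key copied to a second device is rejected, and revoking a lost device does not force a key change for anyone else.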
9. What it Looks Like
WHAT HAPPENS WHEN?
1. Users connect to a provisioning SSID and are re-directed to an onboarding portal.
2. Users enter domain credentials which are verified against a user database.
3. The user’s role assignment and permissions are automatically determined based on authentication.
4. Using Zero-IT, the device is auto-provisioned with a dynamic pre-shared key and dynamically assigned to the requisite WLAN.
5. Devices re-connect on a secure WLAN, receiving network permissions according to their role.
[Diagram labels: User Database; Student Resources, Staff Resources, Guest Resources; Internet; Onboarding SSID (hotspot), Student SSID, Staff SSID, Guest SSID; New BYOD Devices, Provisioned BYOD, Guest]
11. Zero IT Automates Onboarding
▪ Requirement: automatic, secure authentication and roaming
▪ Enabled by SSID and authorization protocol configuration
▪ Easy-to-use approach to push configuration
▪ Uses mobile OS auto-detect and -authenticate features, not a separate connection manager app
[Diagram labels: Ruckus Invitation; Branded Landing Page; "One-Click" Configuration; Automatic Authentication Enabled]
12. D-PSK Automates Security/Config
ZD applies role, generates D-PSK, pushes dissolvable PROV file to device
LDAP sends user security group information to ZD
WLAN profile configured
device, and on the WLAN
based on allowed by role.
13. Client Fingerprinting
Hostname: dstiff's iPhone
MAC: 50:ea:d6:7c:30:e4
Device-Specific Policy Enforcement
▪ Visibility “Whose device is this?”
▪ Self-registration
▪ Automatically registers and maintains
client info on WLAN and Wired interfaces
▪ Operating System
▪ Operating System Hostname
▪ Control by device type
▪ Permit/allow
▪ Assign to VLAN
▪ Rate limit (Down/Up)
▪ Management
▪ WLAN controller or standalone
▪ WLAN dashboard
▪ Client monitor
▪ Client details
Editor's Notes
School SSID – easy – the school owns all devices – 100% control – only those devices have access to the resources, anti-virus control, device imaging control, etc., behind the firewall.
Guest SSID – also easy – guests have access to only the internet.
BYOD SSID – this is where it gets interesting… because you have teachers and students bringing in their own devices – teachers needing access to specific resources, students needing access to specific resources.