Slava Dementyev, Senior Product Manager

Juniper Mist Access Assurance (NAC)


In this Mobility Field Day 11 session, Slava Dementyev, Senior Product Manager at Juniper, shares the latest enhancements to the Juniper Mist Network Access Control (NAC) solution, integration with Eduroam for higher education, Mist’s new PKI service, and other updates.



You’ll learn

  • How the NAC solution simplifies end-to-end posture validation for managed clients

  • How the Eduroam integration enhances user experiences by facilitating cellular-to-Wi-Fi transitions

  • About new services recently introduced to Mist

Who is this for?

  • Network Professionals

  • Security Professionals

  • Business Leaders

Host

Slava Dementyev
Senior Product Manager

Transcript

0:10 Hello everyone, I'm Slava, I'm doing NAC things in Mist. Obviously nothing is

0:16 as exciting as the dynamic spectrum capture, but we will talk about NAC for

0:21 the next 30 minutes. I'm actually going to go through this quickly. This first section:

0:27 we actually announced our Access Assurance exactly one year ago at MFD 9, so we're

0:33 exactly 12 months past the product launch. We started from zero, and for those of you who haven't seen it, don't

0:40 know what it is, this is our cloud-based NAC offering that's a native part of the dashboard. It's

0:47 natively integrated into the Juniper Mist full-stack infrastructure, and it also works with third-party network

0:55 devices, whatever vendor you're working with. Now,

1:01 where did we get to after these 12 months? We are seeing excellent

1:07 growth over the last year. We really have hundreds of customers on board now, and this is production, not pilots, not labs,

1:15 real production customers. This adoption we are seeing worldwide, across all geos,

1:20 across a number of verticals. But one important metric I want to actually focus on is, since product launch, we've

1:29 had 4 software updates to our NAC infrastructure, or what we call production pushes, with zero operational

1:37 impact for customers. So now think about this metric and think about how

1:44 many times you've needed to upgrade your on-prem NAC infrastructure in the

1:49 past 12 months, and how successful was it, right? We've done it 14 times, so 40

1:55 times without any impact. We're introducing new features, security updates, things like that. In

2:02 addition to that, we keep expanding our NAC pod

2:07 infrastructure across the globe. I'll talk about our high availability story a

2:12 little bit later on. When it comes to

2:17 customer adoption, we are seeing success in enterprises, starting from a large

2:25 IT service management company that deployed this worldwide. We have one of the top three security companies

2:32 running our NAC for their corporate network, or one of the top

2:39 identity management companies. We have lots of K-12, large school districts in Europe, in

2:47 the United States, in Asia Pacific. Again, there's tremendous growth that we are

2:53 seeing across multiple verticals when it comes to our Access Assurance.

3:00 But now I'm going to actually go into the technical bit of

3:06 our presentation. We'll talk about things that we've added in the past 12 months, or things that are

3:12 coming up soon. So number one: we've actually introduced to

3:21 production the easy way you can do end-to-end posture validation for your

3:28 managed clients. So traditionally, if you have experience with any traditional

3:34 NAC vendor, this means installing an add-on agent, making sure it's up

3:39 to date, making sure it's actually deployed to your endpoints, doing all sorts of things. It's been incredibly complex

3:47 to deploy, and that's why you're not actually seeing a lot of it out in the wild. The way we've actually done it is

3:53 we said okay, most of these devices are actually managed, right? So they're managed by your MDM or UEM platform,

4:02 whether it's Intune, Jamf, AirWatch, Workspace ONE, and all

4:10 these platforms already know everything there is to know about

4:15 the client. They already have an agent installed, they already have the data, they already have the compliance policy

4:21 rules that are actually in place. So the way we integrate is we do cloud-

4:27 to-cloud integration from our Assurance to these three providers. We get the

4:34 compliance status of the device as it connects to the network. Based on that we can say okay, if you're compliant from an

4:41 MDM point of view, you can get on and get unrestricted access, right? If you're

4:46 non-compliant, something changed in your setup, maybe you disabled your firewall, forgot to update your

4:53 software, go to a quarantine VLAN, quarantine role, and fix your

5:00 problem and then come back, right? And the way we've done the integration, I'll do a demo on

5:09 how we can set this up, is we can actually link the account right in the

5:14 Mist dashboard. We'll take a look at Microsoft Intune as an

5:19 example. It will just say link Microsoft Intune account. What this will do is it

5:24 will actually redirect you to Microsoft for sign-in. You'll need to log

5:30 in with an admin account that has permissions. We'll say we'll need to

5:37 get these permissions to read all the Intune managed device data, click accept, voila,

5:42 you're integrated, right? The next step is okay, you have the connector working. The next

5:49 step is to actually implement this in your policies, where you can say, we'll

5:55 actually look at this example where you have wireless devices that are compliant, that are doing machine

6:00 authentication, and we also have a rule for wireless non-compliant

6:06 devices. So basically on the left-hand side you're matching on the compliance status and any additional attributes; on

6:12 the right-hand side you're applying either your unrestricted VLAN

6:18 or restricted quarantine VLAN depending on the compliance status. Very easy, very straightforward to set

6:25 up. What's important is actually, going to

6:31 the next part of the demo, again the integrated visibility. So one of the things that we really are proud of is

6:39 we've brought all the client-level visibility into one place, both

6:44 from the network point of view as well as from the NAC point of view. So you can actually look at the client history

6:50 as it goes through all of the authentication, authorization, all of your

6:55 pre-connect stuff as well as all of your post-connection things. So in this case you're actually seeing a client

7:01 connecting for the very first time, doing TLS. It's actually hitting the

7:07 non-compliant certificate auth rule because we don't know anything about this client yet; this is the very first

7:13 time it connects. We then do a lookup, we then do an MDM

7:20 lookup, which is actually going to Jamf since this is actually an Apple device,

7:26 so we're going to Jamf. Jamf tells us this is a compliant device. We'll do a dynamic CoA right then and there, and

7:32 the client re-authenticates. At this point the client goes through the reauthentication process, we now know the

7:40 compliance status, and we hit the right wireless compliant user policy rule. We

7:45 click on that, it will actually tell us okay, this client now is compliant, hitting this policy rule, right? So we've

7:54 simplified end-to-end posture. It's again natively integrated into Access

8:02 Assurance, right there in the Mist cloud dashboard. I'm gonna pause before I move to

8:09 the next. Question: does this only work on 802.1X wireless? Correct, it works for 802.1X

8:18 clients, because typically clients that are MDM

8:23 managed, they do support 802.1X, they have profiles, and

8:29 you're not going to do that for your printers, for example. Slava, I have

8:35 a question here. Sure. So with the NAC capability, do you have options to

8:42 install the certificates by the admin directly without onboarding, or is

8:48 this you should onboard your own clients, or do you have both? I will talk about

8:54 onboarding in the next section, in about a minute. All right.

9:00 But today the way we integrate is we assume the

9:08 customer has their own PKI infrastructure, it's already connected with your MDM, it can issue certificates,

9:15 we're just trusting that PKI infrastructure, and this is how we do

9:20 all the EAP-TLS authentication. I will talk about the onboarding in

9:26 the next slide. Okay.

9:33 All right, let's switch gears and talk about eduroam, or higher education in general.

9:38 So one of the asks from higher ed was, could you guys

9:44 actually start integrating with eduroam? It's tremendously popular; pretty

9:50 much every institution out there has an eduroam SSID. But with eduroam you

9:57 have your home users that are part of your campus, that are part

10:02 of your institution, that connect on your campus, but you also have visitors from external institutions that

10:07 authenticate on your campus, but you need to connect everything together, and this

10:13 is what eduroam is for. Now

10:19 when we move to the cloud world, we've actually had conversations with

10:26 multiple eduroam NROs, or national roaming operators, in the United States, in

10:33 Europe. Everyone has a different perspective of how things should be done, but everybody agrees that

10:40 a good old legacy RADIUS proxy is the way to go. So the way Access Assurance

10:47 integrates into the eduroam federation, we are actually leveraging Mist Edge as a gateway

10:54 into eduroam, right? So the majority of your authentications, all of your home users, like 90-plus percent of your

11:01 authentications, go to the cloud; Access Assurance handles that. Anything that

11:07 concerns external visitors or home roaming users goes to Access

11:12 Assurance and then from Mist Edge goes to eduroam, right? So we've added that, and

11:19 this part is really the authentication piece, the authentication

11:24 integration into eduroam, and this is in production today

11:31 since early this year. Now the next topic, and I will actually do another

11:39 demo of the policy setup where you can actually... Before you move on from eduroam,

11:45 I'd like to ask a question. It's hard to talk about eduroam without talking about OpenRoaming, cellular carrier offloading.

11:51 What does that look like in the NAC solution here? Oh, so when you talk about

11:56 the cellular offloading, so one of the things that you see in the eduroam community, and this is still in its

12:03 infancy, is actually adoption of OpenRoaming, right, where eduroam has its own

12:11 OpenRoaming identifier. So that means that whenever you're on a mobile device and

12:17 you're on a cellular network, and if you're in the vicinity of eduroam,

12:23 it will actually try to roam from that cellular connection to Wi-Fi using Open-

12:29 Roaming. However, we don't see this really deployed in the wild yet. We see some

12:36 institutions trying this, but again, in terms of user

12:43 experience it's pretty much the same as you have your saved, your own profile. You're on cellular, a call, or

12:51 you're on LTE, 5G, whatever. You walk by the university building, you go

12:58 on automatically and you get on with your Wi-Fi

13:03 calling. So okay, was that your question about

13:08 more, you know, OpenRoaming? And, well, it was about OpenRoaming support, but then I inferred that yes, it appears to

13:15 be fully supported based on the context of his answer. Correct, it is fully supported, yeah, it is fully

13:21 supported. Just to follow up to Sam's question, or a little bit different though, anything around SIM

13:31 authentication? Like, so for example, there's deployments where there's a CBRS deployment or private

13:37 cellular deployment, and then there's Wi-Fi. So if we're using Mist NAC, can I

13:43 use basically the SIM that's authenticating into my CBRS network and also somehow integrate into the Mist NAC, and

13:49 it can also authenticate me onto Wi-Fi also without having to use certificates or, I don't know, any

13:56 other traditional... It's a good question, Ali. We've had multiple conversations with private

14:03 5G providers on how to achieve this. Nothing is available right now, right, but

14:08 we are looking at it. There are challenges in terms of how do you, who will maintain the

14:16 user base, right? So all of the SIM registrations, it basically

14:22 becomes another identity provider for us, right? So there are conversations and

14:28 we have aspirations, but nothing to share at this

14:33 point. Okay. All right, so let me just quickly

14:40 demo the eduroam policy setup, right? So the primary use case, what

14:46 we see in institutions, is you want to differentiate your home users that are

14:52 on campus versus your visitors. And typically you would drop your visitors

14:57 into a guest network and you'll drop your home users into a student

15:04 or staff network depending on who they are. And again this is very easy to achieve with our auth policy page. You'll

15:11 just say okay, if you're connecting to eduroam, if you're part of our

15:17 institution identified by the realm, so for example, I don't know, dartmouth.edu, things like that, then you go to the

15:24 right, and we're just dropping you to the student network. If you're just connecting to the eduroam SSID and you're not

15:31 part of our home organization, then you can connect and go to guest. Again,

15:38 super simple to set up, very easy to track who gets what access within

15:45 the Mist dashboard. Okay, so the next question would be, what about user onboarding,

15:52 specifically with eduroam, because in eduroam most of your client population is actually BYOD, not managed.

15:59 Those are your student devices, and problem number one, or actually not a problem, just a

16:06 statement: traditionally in eduroam you would see customers using PEAP. The majority

16:12 of institutions would use PEAP and just expect the end users to

16:17 configure their devices with username and password, and things were kind of working most of the time. The issue

16:24 started when first Android introduced some restrictions on manual

16:31 configuration of PEAP when it comes to server certificate verification,

16:36 then Microsoft went in and said actually there's going to be this Credential Guard feature that's going to disable PEAP

16:43 by default. You can enable it back in the registry, good luck to end users. So things are getting

16:51 complicated for PEAP, rightfully so; there's lots of security issues with

16:56 MSCHAPv2 in general. Now your alternative is what, EAP-TLS. It's

17:02 great from a security point of view, it's certificates on both sides, but obviously the question is how do you provision

17:07 your clients, especially in a higher ed situation. You have multiple options

17:14 today. You have eduroam-provided tools: the legacy CAT tool that only supports

17:20 TTLS; you have the geteduroam tool, which is a relatively new one. It does

17:25 support EAP-TLS with certificate provisioning, and the issue is it's

17:31 not yet available everywhere for all of the eduroam NROs, but it gives you that

17:40 capability. There's also commercial onboarding solutions like SecureW2, and we partner

17:46 with them, they do great products and a great onboarding solution. Now the question we always get is, are

17:55 you guys planning to do something, are you guys doing something? So

18:02 let's go and talk about our aspirations. So this is what we

18:07 are doing for the second half of this year. Similarly to what we already

18:13 have with the PSK onboarding, the PSK portals that we launched some time

18:20 ago, actually a couple of years ago at this point, we are introducing a

18:25 concept of a NAC onboarding portal which can be attached to your single sign-on, your university or your organization

18:32 single sign-on through SAML. Based on that SSO, the end user will get a prompt

18:39 to download an app, to install an app. An app will provision the client with a

18:44 certificate, with a Wi-Fi network profile or wired network profile, depending on

18:50 what your preference is. Now we'll take a look at one demo.

18:56 So this is an Android device. It's already sitting on the NAC onboarding portal, we already have an

19:03 app installed. We'll just have this prompt where it says okay,

19:09 do you want to download an app or do you want to continue to join the network? We'll just click continue. It opens up the

19:16 Marvis client app, it does the provisioning, so installs the certificate,

19:21 it installs the Wi-Fi profile, it says okay, you're good to go, click finish.

19:28 It then connects to that Wi-Fi network with your credential. But

19:35 what's important is this, let me actually stop here, this is the important bit. So

19:41 we didn't want to just do the onboarding, because as I said, there are tools that are doing that

19:48 today, quite a lot of them. We also wanted to extend this to our Marvis client

19:55 support. So by doing the onboarding you're actually enabling the Marvis client

20:01 within the same app, and that Marvis client sends telemetry back to our cloud, where

20:08 we can marry things together. So let's look at what you can get. You can go to Marvis clients, you'll see all of the

20:16 devices that are currently online, all of the Marvis clients. You'll see all of the

20:22 data that we are able to gather from them from a fingerprinting point of view, so device model, exact driver version,

20:31 what OS version is installed, everything that the Marvis client gives us. But most

20:37 importantly, we then can go to a specific client. I'll just look at that

20:45 Android device, and when we go inside a client, the first thing we see obviously is all of

20:52 the visibility that we have from the network and from the NAC point of view. But what you'll also see,

20:59 one second, sorry, what you'll also see is the client-

21:07 reported events on the top right, and this

21:13 is what the Marvis client brings you. So what you'll see is all of the

21:19 events that we are able to pick up from the client itself. So when it

21:24 reports unsuccessful roams, because it's actually a sticky client, right,

21:30 because we know the client hears a better AP where it's at, but it

21:35 decides to stick with the current one. We know when the device is locked or

21:43 unlocked, we can analyze that from a client perspective, right? In addition to that,

21:51 when you look at the roaming of clients, right, the famous roaming graph

21:58 that we always showed many years before, we can actually

22:03 now see all of the client-reported APs, which APs the client can

22:11 hear during a certain period of time. Now this comes from the Marvis

22:17 client itself, and when you look at the larger time frame, you can see as the client was

22:25 moving, or as the client was roaming between the APs, you also see all of the client-reported data in addition

22:33 to that, right? So you can now correlate the two together. So we're basically doing

22:40 onboarding and we're doing Marvis client in one package. Is there an opt-out for

22:46 that other than the stop button? That just seems super sketchy, like, security-

22:53 wise you can track students, you can identify where people are and when they are and where they are, you can track

22:58 employees. It just seems like there's a lot of information that people are

23:05 downloading a client to connect to the network and, oh by the way, we're also gonna... Correct. So this is a choice, this

23:12 is a choice, and this is a choice from a portal per se. So you can say

23:17 enable Marvis telemetry or disable, right? That's up to you. So you can just do the onboarding, that's perfectly fine, or

23:25 you can do onboarding and telemetry. Is that at org level or is it individual? It's per portal. So you can

23:33 create multiple portals and you could say portal one is attached to the SSO for our staff, where we will enable

23:39 Marvis telemetry; portal 2 is for our students, for example, and this is where

23:45 we will disable telemetry, just the onboarding. Can I get a clarification on the Marvis client? By using the Marvis

23:53 client and showing all those metrics that you showed, is that a requirement to have Mist NAC? Okay, no, absolutely

24:02 not. Yeah, but this is an add-on. So we're really solving the onboarding

24:08 problem when customers don't have their own PKI, they don't have any way

24:15 to deliver certificates to clients, right? So this is primarily BYOD. So Slava, so the

24:21 Marvis client is morphing to have multiple personas, and those personas can be enabled or disabled, and from a

24:29 client perspective, the Marvis client telemetry requires permissions from the device itself, from the user on the

24:36 device. Yeah, yeah. Okay. And one more thing, by the

24:43 way, while we are doing the onboarding for BYOD devices, since we

24:50 are introducing our new PKI service, this will also let you integrate into your

24:57 MDM for your corporate devices, for your managed devices. So this way your MDM can fetch the certificate from us and

25:05 issue it, right? So we are actually introducing a whole new PKI service, not

25:11 just onboarding. I think you just asked a question: is this iOS and Android?

25:17 I thought I saw that it was both. Oh, the onboarding is for iOS,

25:23 Android, Windows and Mac. And just to kind of confirm, you said that it will

25:28 integrate with the MDM, it will grab the client certificate, and then it will just install that certificate as part of the

25:35 onboarding process, is that what... So treat this differently. Marvis client

25:41 is pure BYOD, right? No MDM, no nothing, right? Okay. It will do the certificate

25:48 provisioning on its own. The Marvis client is what's going to deliver the certificate, right? For your managed

25:55 devices, let's say in enterprises, in any other verticals where

26:00 you manage devices and you don't have your PKI but you have your MDM, that's a typical scenario today, you

26:07 can say I'm going to use my MDM, talk to Mist as the CA server, and this is how my

26:14 clients will get a cert. Okay, so if somebody does not have a PKI then they can just use this? Okay,

26:22 yeah, they can use ours. I'm sorry, is there, you said there's

26:27 an onboarding SSID that runs, that pushes this app to you, is that how it works?

26:33 It's an onboarding portal, Kevin, and it's an out-of-band portal, so you can

26:38 access it from your LTE, from any onboarding SSID if you will. It's just

26:45 a portal which will... let me go back. Okay. Is this available for anyone, or

26:54 is this app only like a private app? It's an app that you will be able to download from the Google Play Store and

27:02 the App Store. It's a store app. Yep.

27:07 Sure, okay. So one more question. Does the app, so

27:15 say you download the app and you go to two different venues, unrelated customers,

27:20 will the app know that you're on a different network? You won't connect to a different

27:25 network with that, or is it org-specific? Unless,

27:31 unless the other org will actually trust the certificates issued from org one. Okay, so if I download this for

27:39 one venue, one retailer, and I go to another venue, I have to redownload the

27:44 app, or how would that work? So think of this as, this is not really guest

27:50 onboarding, right? For guests this is not what we would recommend. This is really a bring-your-own-device type situation

27:58 where you first authenticate the user through single sign-on, so it needs to be an employee, needs to be a student,

28:04 somebody who's part of your organization, and then we would let the

28:10 app download, and the app will provision a certificate. Would you imagine something like this being enabled for OpenRoaming,

28:17 for example? Like offering the same type of client to make OpenRoaming that much more seamless, and then still

28:23 being able to use that as an endpoint to gather all the telemetry and data that you need?

28:29 Everything is possible with this, yeah, absolutely. So OpenRoaming today, right, as it grows, there

28:36 are so many IdPs today, that's just

28:42 that's for OpenRoaming. You said that you guys support it; do you guys have an option like a one-click button

28:49 that configures your network to support OpenRoaming today? We do, so we actually, yeah,

28:58 it connects you to all the IdPs. So the way this works is you

29:04 enable OpenRoaming as your Passpoint operator. We actually

29:11 simplify that; you literally just say I want OpenRoaming on my SSID, and then

29:16 we would use our backend to talk to the OpenRoaming federation, so it

29:23 will work with any IdP. Okay, thank you. Awesome.

29:28 So Slava, one more question. Okay. So the NAC capability and PKI, does it come

29:34 together, or are they separate offerings, different subscriptions? It's an

29:39 additional subscription for PKI service and onboarding. Okay,

29:46 thanks. Okay, in the interest of time, since I think we've already passed,

29:53 let's talk about one last thing. We'll talk about our high availability, high reliability story, and we brought this

30:00 up last year. Again, we are at the point where we have the worldwide

30:07 presence when it comes to Access Assurance pods. So the way our redundancy and high availability works

30:13 is we detect where your authentication request comes from. So if

30:19 you have sites in France, you have sites on the

30:24 east coast in the United States, we would automatically redirect that authentication request to the nearest

30:29 pod we have deployed in that geo. Similarly, if one of these pods goes

30:35 down, we will steer that traffic automatically to the next nearest pod.

30:40 So today we've done this at the global level; it's deployed

30:47 worldwide. But the obvious question is, for customers specifically

30:54 in verticals like healthcare, where you have critical locations, where you need to

30:59 survive internet and power outages. So let's say you have a hospital

31:05 and then the power goes down, the whole hospital goes offline, then it comes back up, everything is online, but

31:11 your router is down and your ISP is down, you don't have any connectivity. So you don't have any caching as well, because

31:17 everything just rebooted 5 seconds ago. So what do you do? So what we are doing

31:23 is we're introducing a concept of site survivability. In the normal condition,

31:28 when the cloud is reachable and all our infrastructure can talk to our cloud,

31:33 everything goes to Access Assurance, everything goes to the cloud, the cloud does the heavy lifting, but at the same time

31:40 we are actually building up a cache on a local Mist Edge that will be

31:45 running this caching service. So it learns about every client that's actually authenticated and

31:52 authorized, and it caches the policy on that Mist Edge for that specific

31:59 location. Is this a configurable parameter? Because there would be places

32:05 where you want that cache very short and where you want it very long. Okay, but

32:12 the typical thought process is you look at historical clients, because you want to see that if

32:19 you see clients online on site for a period of a couple of days, you want

32:25 to make sure that when things, when the cloud becomes unreachable, these

32:31 clients can authenticate and they get placed into the right policy, etc. So we're going to cache that on the Mist Edge for

32:37 that location. Now when things go south and your cloud is

32:44 unreachable for whatever reason, Mist Edge starts its authentication service using the

32:50 cache that it already has, and this cache survives the reboot, so we will survive power outages as well.

32:57 So at that point all your local infrastructure, your APs and switches, will talk to the Mist Edge; Mist Edge will do the

33:03 authentication. So everything that we've cached, we will authenticate your 802.1X and

33:09 MAB clients, and we will return all the policies that we've cached for the

33:16 past days. New clients can still connect and authenticate, but at that point they will be assigned a default, what we

33:23 call a critical service policy, like you can configure which VLAN they will be dropped into, which policy will get

33:29 assigned. And this is where we really wanted to create a site

33:34 survivability concept that would not make us put the full-blown NAC on-

33:40 prem. We didn't want to repeat the mistakes of the past, so we really wanted to make this service very lean and tidy,

33:46 right? It's just going to cache; the cloud is still going to do all the heavy lifting,

33:52 but in case we need to survive like a full WAN outage, full internet outage, we

33:58 can.