November 1, 2011

Use Your WLAN to Automate BYOD Activation

Bring-your-own devices (BYODs) are popping up everywhere. Three years ago, most employers frowned at the idea of using consumer-grade smart phones. But then along came the iPhone and Android.

Now, Yankee Group reports that 58 percent of smart phones used for business are individually liable, while In-Stat predicts that up to 67 percent of the 1.9 billion Wi-Fi devices expected by 2014 will be BYODs. No wonder so many employers have stopped fighting to keep BYODs out and seek ways to rapidly enable safe business use and control corporate wireless LAN (WLAN) access. Let's consider a few strategies.

Guest Networks as On-Ramps

Even companies that have not yet embraced BYODs may well be carrying BYOD traffic over their corporate networks. For many workers, guest WLANs are the quick and easy way to use a personal Apple iPad, Android tablet, Kindle Fire or other BYOD at the office. Guest WLANs alone are sufficient to allow users to reach cloud services like Office 365 or Google Apps over the Internet.

But in other instances, guest WLANs are not enough to meet business needs. For starters, open guest WLANs leave security up to users: traffic is unencrypted over the air, so protection depends on each application using TLS or a VPN, a less than ideal situation. Next, BYODs may use Exchange ActiveSync (EAS) to read corporate email or a viewer like Citrix Receiver to access corporate applications. EAS and virtual desktop infrastructure (VDI) traffic can be delivered by guest WLANs, but something more is needed to put those business applications and settings into place on unmanaged devices. Finally, guest WLANs do not let BYODs become full-fledged enterprise endpoints with secure, direct access to corporate services and data.

Or can they? While guest WLANs may not be the ultimate destination for BYODs, they can be convenient on-ramps to systems that enable more extensive business use.

Nudging BYODs in the Right Direction

BYOD users can find their own way to Internet-accessible servers used to enable BYOD business use. For example, users can download IT-generated, password-protected iOS profiles to configure EAS or Wi-Fi settings, or enroll with any mobile device manager (MDM) that pushes profiles to registered BYODs. IT can even prompt this by sending invites to known devices. But therein lies the rub: How can IT automatically spot BYODs to kick this off with minimal effort and delay?

Over the past year, several vendors have seized upon this need and are offering products or features to facilitate BYOD discovery, fingerprinting and activation.

  • Wired network equipment manufacturers such as Cisco and Juniper have launched mobility initiatives to enforce consistent access policies for (mostly managed) endpoints that roam between WAN and WLAN.

  • Network access control (NAC) appliance manufacturers like Avenda, Bradford Networks, and ForeScout have parlayed guest access control into BYOD access control by fingerprinting (mostly unmanaged) endpoints to enable policy-based redirection and enforcement.

  • WLAN equipment manufacturers such as Aerohive, Aruba and Meru have launched products or features to register and provision BYODs at the point of entry (as opposed to somewhere deeper inside the corporate network).
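The fingerprinting and policy-based redirection that the NAC and WLAN vendors above perform can be illustrated with a small classifier. The following is an added example, not code from this TechNote or from any vendor named in it: it combines two signals the infrastructure already sees, the DHCP option 55 parameter-request list and the HTTP User-Agent captured at the captive portal, and maps the result onto a hypothetical access policy. The signature table, the version thresholds, the SSID names and the sample inputs are all constructed for illustration.

```python
"""Added example (not from the TechNote or any vendor product): fingerprint a
Wi-Fi client from DHCP option 55 and the portal User-Agent, then decide which
WLAN it belongs on. Signature values and policy thresholds are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DHCP option 55 signatures (parameter request lists). Real products
# keep much larger, continuously updated tables; these values are illustrative.
DHCP55_SIGNATURES = {
    (1, 3, 6, 15, 119, 252): "iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252): "Windows",
}

# User-Agent patterns; groups 1 and 2 capture the OS major and minor version.
UA_PATTERNS = [
    ("iOS", re.compile(r"\b(?:iPhone|iPad|iPod)\b.*?\bOS (\d+)_(\d+)")),
    ("Android", re.compile(r"\bAndroid (\d+)\.(\d+)")),   # Kindle Fire's Silk reports Android
    ("Windows", re.compile(r"\bWindows NT (\d+)\.(\d+)")),
    ("macOS", re.compile(r"\bMac OS X (\d+)[_.](\d+)")),
]


@dataclass
class Fingerprint:
    os_name: str                         # "iOS", "Android", ... or "unknown"
    version: Optional[Tuple[int, int]]   # (major, minor) when the UA exposes it
    confidence: str                      # "high", "low", "conflict" or "none"


def fingerprint(dhcp_opt55, user_agent):
    """Combine the DHCP and HTTP signals. A User-Agent is trivially spoofed, so
    when the two disagree the DHCP view is reported and flagged 'conflict'."""
    dhcp_os = DHCP55_SIGNATURES.get(tuple(dhcp_opt55))
    ua_os, version = None, None
    for name, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            ua_os, version = name, (int(m.group(1)), int(m.group(2)))
            break
    if dhcp_os and ua_os:
        if dhcp_os == ua_os:
            return Fingerprint(dhcp_os, version, "high")
        return Fingerprint(dhcp_os, None, "conflict")
    if dhcp_os or ua_os:
        return Fingerprint(dhcp_os or ua_os, version, "low")
    return Fingerprint("unknown", None, "none")


# Hypothetical policy: minimum OS versions the BYOD program accepts.
MIN_VERSION = {"iOS": (4, 3), "Android": (2, 3)}


def access_decision(fp, domain_user_authenticated):
    """Return (ssid, action): where the client goes and what the portal does next."""
    if fp.confidence == "conflict":
        return ("guest", "alert")            # never provision on disputed identity
    eligible = (fp.os_name in MIN_VERSION and fp.version is not None
                and fp.version >= MIN_VERSION[fp.os_name])
    if eligible:
        if domain_user_authenticated:
            return ("corp-byod", "provision")  # push Wi-Fi/EAS settings, move SSID
        return ("guest", "register")           # eligible device, user not yet known
    return ("guest", "none")                   # stays on the guest on-ramp


if __name__ == "__main__":
    # Constructed sample: an iPad arriving through the guest WLAN.
    ua = ("Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 "
          "(KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3")
    fp = fingerprint([1, 3, 6, 15, 119, 252], ua)
    print(fp, access_decision(fp, domain_user_authenticated=True))
```

The conflict branch is the practitioner's caveat: a device that looks like an iPad at the DHCP layer but claims to be Windows in its browser should not be auto-provisioned onto the corporate SSID, whatever the policy says about either OS on its own.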

WLAN-based BYOD Activation

Let's focus on the latter, using a few vendor solutions to illustrate how WLAN infrastructure can be leveraged to enable BYOD activation.

When Aruba acquired Amigopod late last year, it gained a family of "visitor management" appliances that support self-registration and auto-provisioning of BYODs. Amigopod plays a central role in Aruba's Mobile Device Access Control (MDAC) solution, which combines controller-based fingerprinting with Amigopod activation, followed by AirWave monitoring and helpdesk support.

In October, Meru added Smart Connect and Guest Manager features to its SA-200 and SA-2000 Identity Manager appliances. Smart Connect uses defined policies to redirect BYODs to a portal for auto-configuration of secure WLAN settings. Guest Manager supports wired and wireless BYOD registration, including BYODs connected to portions of the network not built on Meru gear.

Last spring, Aerohive released HiveOS and HiveManager updates that simplify mobile Internet device enablement. Specifically, devices connecting to an Aerohive guest WLAN can be redirected to a self-registration portal where they are auto-configured with their own Private PSK, a per-user or per-device pre-shared key, so the guest WLAN can be encrypted without one passphrase being shared among everyone and a single key can be revoked without touching the rest. This enables secure guest WLAN access for everyone. Next, based on device type, user domain authentication and configured policy, some BYODs can be moved onto non-guest WLANs to deliver the appropriate level of corporate resource access.
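Two steps described on this page, the IT-generated iOS profiles that configure Wi-Fi and EAS settings (under "Nudging BYODs in the Right Direction") and the self-registration portal that hands each device its own Private PSK (Aerohive, above), can be put together in one small back end. The following is an added example, not the TechNote's code and not any vendor's implementation: it mints a per-device pre-shared key, derives the WPA2 PMK that the access points actually need, and emits an iOS configuration profile (.mobileconfig) carrying Wi-Fi and Exchange ActiveSync payloads using Apple's documented payload keys. The SSID, mail host, identifier prefix, organization name and the in-memory registry are assumptions for illustration.

```python
"""Added example, not from the TechNote or any vendor: back end of a BYOD
self-registration portal that issues a per-device PSK, stores the derived
WPA2 PMK, and builds a .mobileconfig with Wi-Fi and EAS payloads. SSID,
host names, identifier prefix and organization are assumed values."""
import hashlib
import plistlib
import secrets
import uuid

SSID = "corp-byod"               # assumed SSID the device is moved onto
EAS_HOST = "mail.example.com"    # assumed Exchange ActiveSync host
ID_PREFIX = "com.example.byod"   # assumed reverse-DNS profile identifier prefix

# Hypothetical registry: device_id -> record. A real deployment would persist
# this and push the PMK (not the passphrase) to the WLAN controller.
REGISTRY = {}


def issue_private_psk(nbytes=16):
    """128-bit random passphrase as 32 hex chars (WPA2 allows 8 to 63 ASCII)."""
    return secrets.token_hex(nbytes)


def wpa2_pmk(psk, ssid):
    """Standard WPA2 passphrase-to-PMK derivation: PBKDF2-HMAC-SHA1, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def build_profile(username, email, device_id, psk):
    """Return a .mobileconfig (XML plist) with a Wi-Fi and an EAS payload."""
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.wifi.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({SSID})",
        "SSID_STR": SSID,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",   # WPA/WPA2 Personal with the per-device key
        "Password": psk,
    }
    eas = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.eas.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate mail",
        "Host": EAS_HOST,
        "SSL": True,
        "UserName": username,
        "EmailAddress": email,     # no Password key: iOS prompts the user instead
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.{device_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD activation",
        "PayloadOrganization": "Example Corp",   # assumed
        "PayloadContent": [wifi, eas],
    }
    return plistlib.dumps(profile)


def register_device(username, email, device_id):
    """Portal action after the user authenticates: mint key, record PMK, build profile."""
    psk = issue_private_psk()
    record = {
        "user": username,
        "pmk": wpa2_pmk(psk, SSID),
        "profile": build_profile(username, email, device_id, psk),
    }
    REGISTRY[device_id] = record
    return record


def revoke_device(device_id):
    """Lost or departed device: dropping its PMK cuts off that device alone."""
    return REGISTRY.pop(device_id, None) is not None


if __name__ == "__main__":
    rec = register_device("jdoe", "jdoe@example.com", "ipad-0001")
    print(rec["profile"].decode())
```

The profile carries the passphrase in clear, so it must be served only over TLS to the session that just authenticated, and in production it would be signed (and optionally encrypted) so the device can show the user who issued it. Storing the PMK rather than the passphrase on the controller side is what makes per-device revocation a one-row deletion.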

These scenarios represent three different ways to use WLAN infrastructure as a platform to get BYODs onto corporate networks quickly, with little IT effort and without relying on users to configure settings by hand. Expect to see considerable innovation as BYODs continue to escalate and enterprises make more productive use of them by running broader applications. The more that you can automate, especially while leveraging infrastructure you already own, the less time you'll spend on basic BYOD activation.



Thanks to Aerohive Networks for being a sponsor of this TechNote

Re: BYOD fingerprinting, I'd like to solicit input. Assume that anyone who supports fingerprinting can identify OS (e.g., iOS, Android) and version. Beyond that:

1) Is it important to identify BYOD make/model for purposes of RF management or to apply policies at a more granular level, etc?

2) Just how granular ARE BYOD classifications today? And how automated? For example, how do vendors maintain and expand known device classes?

Re: provisioning Wi-Fi clients onto secure WLANs (including encrypted guest WLANs). This is a welcome improvement over open guest WLANs and manual configuration. But I see a mix of authentication methods here, from Private PSK to 802.1X (presumably w/ PEAP).

Do enterprises require flexibility to choose guest WLAN auth methods most appropriate for their business and constituency? How appropriate is 802.1X for enabling encrypted guest WLAN access when user identity is irrelevant or not reliably known? (e.g., free temporary visitor Internet access).

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.