Juniper Networks IoT Assurance, Self-Provisioning, and PPSK

Slava Dementyev, Product Manager, Juniper Networks

Summits Security

Find out how Juniper Mist IoT Assurance makes it easy to onboard client devices at scale, secure connections, and simplify IT operations for unmanaged BYOD and unattended IoT devices.


You’ll learn

  • How to onboard users

  • How IoT assurance has made a difference for our customers

Who is this for?

Network Professionals, Business Leaders

Host

Slava Dementyev
Product Manager, Juniper Networks

Transcript

0:09 So we'll talk about IoT Assurance and self-provisioning. As Sanjo said in the beginning, we've showed this last year, we showed this I think even a year before, where our IoT Assurance service was designed to solve two specific use cases when we talk about access control: wireless for IoT, or we can call them unattended devices, and the other one is for BYOD, for, you know, unmanaged device access to the network. We are leveraging the multiple pre-shared key concept here, but we're deploying this at scale. So one of the things that we've done was to, you know, eliminate MAC addresses from the equation, where we are just letting the device onboard based on the fact of which PSK the client is using. We are doing segmentation, like VLAN-based segmentation, role-based segmentation, and we're doing some traffic engineering where we can say okay, this key is going to be channeled to the DMZ, the other key is going to be like Liberation and things like that. Plus we've added quite a lot of things in the lifecycle management aspects of our MPSK solution.

1:30 One thing we haven't showed yet was the self-onboarding or self-provisioning aspect of the IoT Assurance, which is relevant to the BYOD use case: how are users able to get themselves a unique, personalized PSK? Let me demo this. Let me just, in a second, I'm going to switch back.

1:54 So what we have here is we have a concept of a PSK portal that is connected to a single sign-on. In this case this is Azure, like a standard SAML connector, so it will integrate into any IdP whatsoever. We will then say okay, if the client is authorized and authenticated using single sign-on, we will create a personalized PSK for this specific SSID, with this passphrase complexity settings, and we will determine, you know, how frequently the end users will need to rotate their credentials.

2:31 So what does the process look like from an end user perspective? So an end user, let me just open it somewhere here, would go to the PSK portal and we'll then redirect. One second, I should not have anything cached. So it will then redirect to a single sign-on for authentication, so I'm going to just log in with my test account in Azure. So if you have MFA enabled, it will kick in at this point as well. It will then bounce back to our PSK portal. It will generate a unique passphrase for that specific user, taking your username, picking your email address from Azure as the key name, so you have the identity of the user attached with the passphrase. It generates the QR code that you can either scan with your camera, or you can actually, if you're running this from a mobile device, you can click on the QR code and it will ask you to join the network.

3:36 So I'm going to just demo this real quick. I'm going to take my device, I'm going to turn the Wi-Fi on, I'm gonna open up a camera app, I'm going to point to this QR code, it will ask me to join the network. Set. I am now connected to this network. That's really it, right? So you're generating a unique key, user specifically, you can connect all of your devices so that they will use that key without registering the MAC addresses, none of that, right? And it's completely self-service. The same thing, we are even extending that to let the users rotate their credentials as and when they need to, so that's completely off of IT's hands.

4:33 Now what you'll see from the visibility point of view: you will then look at the PSK, you see the PSK has been created for that specific user, we now see client devices that are active for that given PSK, you would see them as they come in, you can see the historic usage of that key, etc. etc. That's the BYOD portion.

4:58 But what I wanted to also show is what are the outcomes, how we actually were able to help customers over that last one year. So if we look at this slide, we've done a number of use cases. So we can look at the first example where, you know, a Fortune 75 retailer used our IoT Assurance to simplify onboarding of their demo devices, or vendor demo devices, in the stores, and they've removed the requirement of dealing with MAC addresses. So previously they were having to register every single MAC address of every single device that they had in each and every store in order to onboard them in their specific VLAN for isolation between vendors. Now they've just created a key per vendor, they onboard their devices, everything is automatically onboarded, encrypted, and it's just a very, very simple experience.

6:02 Then if you look at the second example, you have a very large K-12 school district in the US where they've leveraged our IoT Assurance service to provision a personalized PSK for each and every student and staff member in the school district. So we're talking about 20,000 plus devices that are associated with their identity database. This was very easy to accomplish at scale, and that actually helped them because they had this identity tracking: they were able to, you know, identify issues of abusing the network by students, because they had a mapping of a specific device to a specific user via that personalized key.

6:54 Now we also had examples of retailers, specifically in Europe, where they leveraged the MPSK solution for their store devices, but for them the important point was the ease of the key rotation mechanism. So what you can actually do is deploy a key to run it for, say, six months, and then say every six months I need to rotate this credential. So we are providing an easy way to let the customers do the credential rotation without affecting the connectivity, so they have a time window when they can migrate from the old credential, from the old key, to the new one without disrupting the connectivity.

7:42 The other one is also a very interesting example: one of the top universities in the United States. Due to the compliance requirements, they used to have open SSIDs for all the students and IoT devices, they would do MAC authentication previously. They've actually moved to IoT Assurance, to an MPSK SSID, where we are talking about every student having their own PSK that they actually got using the self-onboarding portal, and they also got the IoT devices, like washing machines and things like that, on that same network, but they're segmented into a different network section.

8:23 And finally, one of the large tech enterprises, they've used the MPSK and the PSK identity for just getting the visibility of all their devices in the lab. So they're dealing with thousands of lab devices that they were having trouble finding before, because, you know, their test devices, how do you want to manage them? So that was the perfect solution for them.

8:54 Anyway, it says from the social media: IoT client onboarding solutions for WPA3, is that something?

9:04 WPA3 is something we're looking at. We are actively investigating how to do this right. We again want to avoid the MAC address registration thing, but again we want to do it seamlessly, so actively investigating.

9:17 Okay, so just closing it out. I know you guys are a tough crowd to please, hopefully you have seen some, like, you know, gems in what we have done through the Mistification. There are primarily a few takeaways: simplifying the whole, like, you know, what seems like a colonoscopy exercise dealing with creating multiple policies, simplifying that to the obtains degree, that is number one. All that is possible because of a microservices cloud architecture, and you saw, like, you know, how Marvis can now give you and stitch the client-to-cloud journey all the way from association all the way to the client getting out to the internet, and authentication and authorization being a key part of it.
