Why Policy Enablement is Critical to BYOD Deployments - Part 2


Let's lift the hood for a second and look at what happens when a user connects to 'employee-secure'. In this case the SSID has 802.1X enabled using an authentication protocol called PEAP, or Protected Extensible Authentication Protocol. Without going too far into the weeds, PEAP provides a mechanism to leverage the user's existing Active Directory credentials so that the network can verify the identity of the user attempting to connect. That is, a TLS-protected tunnel is established between the device and the network authentication server, and the user's credentials are exchanged inside that tunnel (typically as an MSCHAPv2 challenge-response derived from the password hash, never the password in the clear) to authenticate the user and authorize them for network access. One caveat worth stating: the protection of that tunnel depends on the client validating the authentication server's certificate; a supplicant configured to skip that check will happily build its tunnel to a rogue access point.

The component in the network that ends up doing all the heavy lifting in this transaction is the network authentication server mentioned above. This server is what is commonly known as an AAA server. AAA stands for Authentication, Authorization and Accounting, and the server leverages a protocol called RADIUS to communicate with network infrastructure such as WiFi Access Points.

So how does an AAA server help solve some of the BYOD friction we have been discussing and remove the need to rely on changes in human behavior to effect security policy? It all starts with your choice of AAA server and the ability of that technology to help you define business rules. These business rules become the backbone of your BYOD policy and allow you to gain visibility into, and control over, personal mobile devices on your corporate network.

Traditionally AAA servers have been very utilitarian and transactional by nature, providing binary results for network authentication. For example, user name and password correct equals OK; user name and password wrong equals Not OK. The opportunity to get in the middle of that decision and leverage the context of the transaction either didn't exist or required configuration or scripting beyond the patience of many a network administrator.

What sort of context are we talking about in a RADIUS transaction? It turns out there is a wealth of data in the Access-Request that can be used as input to your business rules and can help shape the way different devices are admitted onto your network. Some examples of this context are:

  • is the user connecting via wired or wireless,
  • if wireless, is the device in the lobby or in a secure area,
  • is the connection being attempted outside of normal business hours,
  • is the user account in Active Directory or in a guest database

And the one we have been looking at in the 'employee-secure' example:

  • is the device attempting to authenticate using just user name and password (PEAP).

Establishing business rules to tame BYOD becomes much easier when you have the right technology. With a policy-enabled AAA server you can start building simple rules to address today's common problem: unknown, employee-owned devices connecting to your corporate network. More importantly, these same rules will allow you to catch these unregistered devices and guide them through a BYOD-friendly self-service workflow. We know users will try to connect to the existing corporate WiFi network, whether it is based on 802.1X PEAP or a simple guest network. Why try to change this behavior when policy-enabled AAA can actually take advantage of it and push users to self-register? Again, don't try to change user behavior; instead, make the technology exploit the behavior users already have.

The example below shows a policy rule that detects a user authenticating with PEAP-based authentication and differentiates this from a second rule that detects authentication transactions based on EAP-TLS. This alternate 802.1X authentication method leverages a unique client certificate per device instead of the user's Active Directory credentials, as is the case with PEAP.

As you can see, two distinct actions are enforced based on the policy's differentiation between the PEAP and EAP-TLS transactions. If the user is authenticating with PEAP, the device is placed in a BYOD Provisioning state. On the other hand, if the device has already been provisioned with a TLS client certificate, we know this device has already enrolled and it can be placed in a BYOD Limited Access Zone.

How does this policy rule change the way these devices are admitted onto the network? This is where RADIUS comes into play: it is the language spoken to the network infrastructure to communicate business rules. The example above had two policy enforcement states, 'BYOD Provisioning' and 'BYOD Limited Access Zone'. The RADIUS protocol allows the AAA server to signal to the network, through attributes returned in the Access-Accept, how each device should be controlled after it successfully authenticates.

For example, the 'BYOD Provisioning' state results in the WiFi Access Point quarantining the device and redirecting any attempt to browse to the Internet to a BYOD provisioning portal. From there the user can be further authorized for BYOD enrollment and provisioned with a corporate-issued BYOD credential such as a TLS client certificate. This BYOD provisioning workflow could be hosted by a Mobile Device Management (MDM) platform, or it could be a BYOD onboarding feature built right into your AAA server, but that is a discussion for another day and another blog post. The question of how to provision the device for BYOD access isn't really the focus of this post; the focus is how policy-enabled AAA can enable an employee self-managed workflow for BYOD enrollment.
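To make the context list and the PEAP-versus-EAP-TLS rules above concrete, here is an added example of a small policy engine, not ClearPass code and not taken from the original post. It reads the attributes of a RADIUS Access-Request the way the AAA server sees them, derives the context (wired or wireless, SSID, EAP method, business hours, account source), evaluates rules top to bottom, and returns the enforcement profile with the RADIUS reply attributes that would carry it to the access point. The VLAN ids, the Filter-Id role names, the 08:00-18:00 business hours, the after-hours rule and the sample requests are all assumptions; the EAP type codes (13 for EAP-TLS, 25 for PEAP), the NAS-Port-Type values and the Tunnel-* attributes are standard. Real NAS equipment triggers the captive-portal redirect with a vendor-specific attribute, which the example represents only by a role name.

```python
"""Toy policy-enabled AAA decision engine (added example, not ClearPass code)."""
from dataclasses import dataclass
from datetime import datetime, time

# EAP method type codes in the Type byte of an EAP-Response (IANA EAP registry).
EAP_IDENTITY, EAP_TLS, EAP_PEAP = 1, 13, 25
EAP_NAMES = {EAP_IDENTITY: "Identity", EAP_TLS: "EAP-TLS", EAP_PEAP: "PEAP"}
# NAS-Port-Type values (RFC 2865 attribute 61).
NAS_PORT_ETHERNET, NAS_PORT_WIRELESS_80211 = 15, 19


def _vlan_profile(vid, role):
    # Tunnel-* (RFC 2868) carry the VLAN; Filter-Id (RFC 2865) names the role/ACL
    # the NAS applies. VLAN ids and role names here are assumptions.
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vid, "Filter-Id": role}


PROFILES = {  # hypothetical enforcement profiles
    "BYOD Provisioning": _vlan_profile("110", "byod-provisioning"),  # quarantine + portal redirect
    "BYOD Limited Access Zone": _vlan_profile("120", "byod-limited"),
    "Guest Internet Only": _vlan_profile("200", "guest-internet"),
}


@dataclass
class AccessRequest:
    """The slice of a RADIUS Access-Request the policy engine looks at."""
    user_name: str
    nas_port_type: int
    called_station_id: str   # wireless NASes commonly send "AP-MAC:SSID"
    eap_message: bytes       # last EAP-Response from the supplicant, b"" if non-EAP
    auth_source: str         # where the AAA server found the account
    received_at: datetime


def eap_method(eap_message: bytes):
    """EAP method type of an EAP-Response, or None if the request carried no EAP.
    EAP header: Code(1) Identifier(1) Length(2), then Type(1) for a Response."""
    if not eap_message:
        return None
    if len(eap_message) < 5 or eap_message[0] != 2:            # Code 2 = Response
        raise ValueError("not an EAP-Response carrying a method type")
    if int.from_bytes(eap_message[2:4], "big") != len(eap_message):
        raise ValueError("EAP Length field disagrees with attribute length")
    return eap_message[4]


def context(req: AccessRequest) -> dict:
    """Derive the policy inputs from the raw request (business hours assumed 08:00-18:00 Mon-Fri)."""
    wireless = req.nas_port_type == NAS_PORT_WIRELESS_80211
    ssid = req.called_station_id.split(":", 1)[1] if wireless and ":" in req.called_station_id else ""
    method = eap_method(req.eap_message)
    t = req.received_at
    after_hours = t.weekday() >= 5 or not (time(8) <= t.time() < time(18))
    return {"wireless": wireless, "ssid": ssid,
            "eap": "none" if method is None else EAP_NAMES.get(method, f"type-{method}"),
            "after_hours": after_hours, "auth_source": req.auth_source}


# (name, condition on context, enforcement profile); first match wins. Hypothetical rules.
RULES = [
    ("guest account", lambda c: c["auth_source"] == "GuestDB", "Guest Internet Only"),
    ("unenrolled device after hours: Internet only until the portal is staffed",
     lambda c: c["ssid"] == "employee-secure" and c["eap"] == "PEAP" and c["after_hours"],
     "Guest Internet Only"),
    ("unenrolled device: PEAP (AD password) on employee-secure",
     lambda c: c["ssid"] == "employee-secure" and c["eap"] == "PEAP", "BYOD Provisioning"),
    ("enrolled device: EAP-TLS client certificate on employee-secure",
     lambda c: c["ssid"] == "employee-secure" and c["eap"] == "EAP-TLS", "BYOD Limited Access Zone"),
]


def decide(req: AccessRequest):
    """Return (RADIUS code, profile name, reply attributes, matched rule); default deny."""
    c = context(req)
    for name, cond, profile in RULES:
        if cond(c):
            return "Access-Accept", profile, dict(PROFILES[profile]), name
    return "Access-Reject", None, {}, "default deny"


# Constructed sample requests, not captured traffic. 2013-05-14 is a Tuesday, 2013-05-18 a Saturday.
BUSINESS_HOURS = datetime(2013, 5, 14, 10, 30)
WEEKEND = datetime(2013, 5, 18, 10, 30)


def sample(eap_type, **overrides) -> AccessRequest:
    """Request whose EAP-Message is a minimal 5-byte EAP-Response of eap_type (None = no EAP)."""
    fields = dict(user_name="alice@corp.example", nas_port_type=NAS_PORT_WIRELESS_80211,
                  called_station_id="00-1A-1E-00-00-01:employee-secure",
                  eap_message=bytes([2, 7, 0, 5, eap_type]) if eap_type else b"",
                  auth_source="ActiveDirectory", received_at=BUSINESS_HOURS)
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    for label, req in [("PEAP", sample(EAP_PEAP)), ("EAP-TLS", sample(EAP_TLS)),
                       ("PEAP weekend", sample(EAP_PEAP, received_at=WEEKEND)),
                       ("guest", sample(None, auth_source="GuestDB",
                                        called_station_id="00-1A-1E-00-00-01:guest"))]:
        code, profile, attrs, rule = decide(req)
        print(f"{label:13} -> {code} {profile!r} via [{rule}] {attrs}")
```

The ordering of the rules is the policy: the after-hours rule sits above the general PEAP rule so that the more specific context wins, and anything that matches no rule falls through to Access-Reject rather than to some permissive default. That default-deny is what stops an unexpected SSID or a device on a wired port from inheriting the blanket access described later in the post.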

Why is this important? First, we didn't have to change user behavior, and we were able to automatically detect the presence of an un-enrolled BYO device and guide it through the provisioning workflow. Secondly, the arrival of BYOD at your doorstep does not typically signal an increase in IT headcount to support these devices on your network. Being able to guide users to a workflow that auto-provisions their device with all the required network settings, device settings and potentially even required business apps, without a single help desk call being logged, has to be central to any BYOD planning exercise.

Recently we met with a customer who had generously given several thousand tablets to employees as a fiscal year-end reward. This customer had invested in a device management solution that relied on sending employees an invitation to enroll their device. When those users were faced with the choice between responding to this IT governance e-mail and using their new tablet, you can guess which path they chose. To use a tablet you have to feed it Internet, and these tablets only have WiFi interfaces. Before anyone could do anything about it, a large portion of these tablets had already connected to the WiFi network and were accessing internal IT resources under a blanket authentication policy that was only ever designed to handle corporate-issued laptops. Deploying a policy-enabled AAA solution addresses this customer's problem by taking back control at the largest point of entry for BYO devices: the corporate access-layer network.

Policy-enabled AAA is an essential component of any successful BYOD deployment and is the foundation for other complementary technologies such as device profiling, MDM and mobile application policy management.

If you would like to learn more about the policy-enabled AAA that Aruba offers, check out the ClearPass product line at the following link:

www.nexbus-cng.com/products/clearpass/policy-manager
