Juniper Mist Access Assurance (NAC)
In this Mobility Field Day 11 session, Slava Dementyev, Senior Product Manager at Juniper, shares the latest enhancements to the Juniper Mist Network Access Control (NAC) solution, integration with Eduroam for higher education, Mist’s new PKI service, and other updates.
You’ll learn
How the NAC solution simplifies end-to-end posture validation for managed clients
How the Eduroam integration enhances user experiences by facilitating cellular-to-Wi-Fi transitions
About new services recently introduced to Mist
Transcript
0:10 Hello everyone, I'm Slava. I'm doing NAC things in Mist. Obviously nothing is
0:16 as exciting as the dynamic spectrum capture, but we will talk about NAC for
0:21 the next 30 minutes. I'm actually going to go through this first section quickly.
0:27 We announced Access Assurance exactly one year ago at MFD 9, so we're
0:33 exactly 12 months past the product launch. We started from zero, and for those of you who haven't seen it or don't
0:40 know what it is, this is our cloud-based NAC offering that's a native part of the dashboard. It's
0:47 natively integrated into the Juniper Mist full-stack infrastructure, and it also works with third-party network
0:55 devices, whatever vendor you're working with.
1:01 Where did we get to after these 12 months? We are seeing excellent
1:07 growth over the last year. We really have hundreds of customers on board now, and this is production, not pilots, not labs,
1:15 real production customers. This adoption we are seeing worldwide, across all geos,
1:20 across a number of verticals. But one important metric I want to actually focus on is that since product launch we've
1:29 had 4 software updates to our NAC infrastructure, or what we call production pushes, with zero operational
1:37 impact for customers. So now think about this metric and think about how
1:44 many times you've dared to upgrade your on-prem NAC infrastructure in the
1:49 past 12 months, and how successful was it, right? We've done it 14 times, so 40
1:55 times without any impact. We're introducing new features, security updates, things like that. In
2:02 addition to that, we keep expanding our NAC pod
2:07 infrastructure across the globe. I'll talk about our high availability story a
2:12 little bit later on. When it comes to
2:17 customer adoption, we are seeing success in enterprises, starting from a large
2:25 IT service management company that deployed this worldwide. We have one of the top three security companies
2:32 running our NAC for their corporate network, or one of the top
2:39 identity management companies. We have lots of large K-12 school districts in Europe, in
2:47 the United States, in Asia-Pacific. Again, there's tremendous growth that we are
2:53 seeing across multiple verticals when it comes to our Access Assurance.
3:00 But now I'm going to actually go into the technical bit of
3:06 our presentation. We'll talk about things that we've added in the past 12 months or things that are
3:12 coming up soon. So number one is, we've actually introduced to
3:21 production the easy way to do end-to-end posture validation for your
3:28 managed clients. So traditionally, if you have experience with any traditional
3:34 NAC vendor, this means installing an add-on agent, making sure it's up
3:39 to date, making sure it's actually deployed to your endpoints, doing all sorts of things. It's been incredibly complex
3:47 to deploy, and that's why you're not actually seeing a lot of it out in the wild. The way we've actually done it is
3:53 we said okay, most of these devices are actually managed, right? So they're managed by your MDM or UEM platform,
4:02 whether it's Intune, Jamf, AirWatch, Workspace ONE, and all
4:10 these platforms, they already know everything there is to know about
4:15 the client. They already have an agent installed, they already have the data, they already have the compliance policy
4:21 rules that are actually in place. So the way we integrate is we do cloud-
4:27 to-cloud integration from Access Assurance to these three providers. We get the
4:34 compliance status of the device as it connects to the network. Based on that we can say okay, if you're compliant from an
4:41 MDM point of view, you can get on and get unrestricted access, right? If you're
4:46 non-compliant, something changed in your setup, maybe you disabled your firewall, forgot to update your
4:53 software, go to a quarantine VLAN, quarantine role, and fix your
5:00 problem and then come back, right? And the way we've done the integration, I'll do a demo on how
5:09 we can set this up, is we can actually link the account right in the
5:14 Mist dashboard. We'll take a look at Microsoft Intune as an
5:19 example. It will just say link Microsoft Intune account. What this will do is it
5:24 will actually redirect you to Microsoft for sign-in. You'll need to log
5:30 in with an admin account that has permissions. We'll say we'll need to
5:37 get these permissions to read all the Intune managed device data. Click accept, voila,
5:42 you're integrated, right? The next step is okay, you have the connector working. The next
5:49 step is to actually implement this in your policies, where you can say, we'll
5:55 actually look at this example where you have wireless devices that are compliant, that are doing machine
6:00 authentication, and we also have a rule for wireless non-compliant
6:06 devices. So basically on the left-hand side you're matching on the compliance status and any additional attributes; on
6:12 the right-hand side you're applying either an unrestricted VLAN
6:18 or a restricted quarantine VLAN depending on the compliance status. Very easy, very straightforward to set
6:25 up. What's important is actually, going to
6:31 the next part of the demo is again the integrated visibility. So one of the things that we really are proud of is
6:39 we've brought all the client-level visibility into one place, both
6:44 from the network point of view as well as from the NAC point of view. So you can actually look at the client history
6:50 as it goes through all of the authentication, authorization, all of your
6:55 pre-connect stuff as well as all of your post-connection things. So in this case you're actually seeing a client
7:01 connecting for the very first time doing TLS. It's actually hitting the
7:07 non-compliant certificate auth rule because we don't know anything about this client yet. This is the very first
7:13 time it connects. We then do a lookup. We then do an MDM
7:20 lookup, which is actually going to Jamf since this is actually an Apple device,
7:26 so we're going to Jamf. Jamf tells us this is a compliant device. We'll do a dynamic CoA right then and there and
7:32 the client re-authenticates. At this point the client goes through the reauthentication process. We now know the
7:40 compliance status and we hit the right wireless compliant user policy rule. We
7:45 click on that, it will actually tell us okay, this client now is compliant, hitting this policy rule, right? So we've
7:54 simplified end-to-end posture. It's again natively integrated into Access
8:02 Assurance right there in the Mist Cloud dashboard. I'm going to pause before I move to
8:09 the next one. Question: does this only work on 802.1X wireless? Correct, it works for 802.1X
8:18 clients, because typically clients that are MDM
8:23 managed, they do support 802.1X, they have profiles, and
8:29 you're not going to do that for your printers, for example. Slava, I have
8:35 a question here. Sure. So with the NAC capability, do you have options to
8:42 install the certificates by the admin directly without onboarding, or is
8:48 this you should onboard your own clients, or do you have both? I will talk about
8:54 onboarding in the next section, like in about a minute. All right.
9:00 So but today, the way we integrate is we assume the
9:08 customer has their own PKI infrastructure. It's already connected with your MDM, it can issue certificates,
9:15 we're just trusting that PKI infrastructure, and this is how we do
9:20 all the EAP-TLS authentication. I will talk about the onboarding in
9:26 the next slide. Okay.
9:33 All right, let's switch gears and talk about eduroam, or higher education in general.
9:38 So one of the asks was, could you guys
9:44 actually start integrating with eduroam. It's tremendously popular, pretty
9:50 much every institution out there has an eduroam SSID. But with eduroam you
9:57 have your home users that are part of your campus, that are part
10:02 of your institution, that connect on your campus, but you also have visitors from external institutions that
10:07 authenticate on your campus, and you need to connect everything together, and this
10:13 is what eduroam is for. Now
10:19 when we move to the cloud world, we've actually had conversations with
10:26 multiple eduroam NROs, or national roaming operators, in the United States, in
10:33 Europe. Everyone has a different perspective of how things should be done, but everybody agrees that
10:40 a good old legacy RADIUS proxy is the way to go. So the way Access Assurance
10:47 integrates into the eduroam federation, we are actually leveraging Mist Edge as a gateway
10:54 into eduroam, right? So the majority of your authentications, all of your home users, like 90-plus percent of your
11:01 authentications, go to the cloud, Access Assurance handles that. Anything that
11:07 concerns external visitors or home roaming users, it goes to Access
11:12 Assurance and then from Mist Edge goes to eduroam, right? So we've added that, and
11:19 this part is really the authentication piece, the authentication
11:24 integration into eduroam, and this is in production today
11:31 since early this year. Now the next topic, and I will actually do another
11:39 demo of the policy setup where you can actually... Before you move on from eduroam, I'd
11:45 like to ask a question. It's hard to talk about eduroam without talking about OpenRoaming, cellular carrier offloading.
11:51 What does that look like in the NAC solution here? Oh, so when you talk about
11:56 the cellular offloading, so one of the things that you see in the eduroam community, and this is still in its
12:03 infancy, is actually adoption of OpenRoaming, right, where eduroam has its own
12:11 OpenRoaming identifier. So that means that whenever you're on a mobile device and
12:17 you're on a cellular network and if you're in the vicinity of eduroam
12:23 it will actually try to roam from that cellular connection to Wi-Fi using Open-
12:29 Roaming. However, we don't see this really deployed in the wild yet. We see some
12:36 institutions trying this, but again, in terms of user
12:43 experience it's pretty much the same as you have with your saved eduroam profile. You're on a cellular call or
12:51 you're on LTE, 5G, whatever, you walk by the university building, you go
12:58 on automatically and you get on with your Wi-Fi
13:03 calling. So, okay, was that your question, about
13:08 more OpenRoaming? Well, it was about OpenRoaming support, but then I inferred that yes, it appears to
13:15 be fully supported based on the context of his answer. Correct, it is fully supported, yeah, it is fully
13:21 supported. I've got just a follow-up to Sam's question, a little bit different though. Anything around SIM
13:31 authentication? Like, for example, there are deployments where there's a CBRS deployment or private
13:37 cellular deployments, and then there's Wi-Fi. So if we're using Mist NAC, can I
13:43 use basically the SIM that's authenticating into my CBRS network and also somehow integrate into the Mist NAC, and
13:49 can it also authenticate me onto Wi-Fi without having to use certificates or any
13:56 other traditional... It's a good question, Ali. We've had multiple conversations with private
14:03 5G providers on how to achieve this. Nothing is available right now, right, but
14:08 we are looking at it. There are challenges in terms of who will maintain the
14:16 user base, right? So all of the SIM registrations, it basically
14:22 becomes another identity provider for us, right? So there are conversations and
14:28 we have aspirations but nothing to share at this
14:33 point. Okay. All right, so let me just quickly
14:40 demo the eduroam policy setup, right? So the primary use case, what
14:46 we see in institutions is you want to differentiate your home users that are
14:52 on campus versus your visitors, and typically you would drop your visitors
14:57 into a guest network and you'll drop your home users into a student
15:04 or staff network depending on who they are. And again, this is very easy to achieve with our auth policy page. You'll
15:11 just say okay, if you're connecting to eduroam, if you're part of our
15:17 institution identified by the realm, so for example, I don't know, dartmouth.edu, things like that, then you go to the
15:24 right and we're just dropping you into the student network. If you're just connecting to the eduroam SSID and you're not
15:31 part of our home organization, then you can connect and go to guest. Again,
15:38 super simple to set up, very easy to track who gets what access within
15:45 the Mist dashboard. Okay, so the next question would be, what about user onboarding,
15:52 specifically with eduroam, because in eduroam most of your client population is actually BYOD, not managed
15:59 devices. Those are your student devices, and problem number one, or actually not a problem, just a
16:06 statement: traditionally in eduroam you would see customers using PEAP. The majority
16:12 of institutions would use PEAP and just expect the end users to
16:17 configure their devices with username and password, and things were kind of working most of the time. The issues
16:24 started when first Android introduced some restrictions on manual
16:31 configuration of PEAP when it comes to server certificate verification.
16:36 Then Microsoft went in and said actually there's going to be this Credential Guard feature that's going to disable PEAP
16:43 by default. You can enable it back in the registry, good luck to end users. So things are getting
16:51 complicated for PEAP, rightfully so, there are lots of security issues with
16:56 MSCHAPv2 in general. Now your alternative is what, EAP-TLS. It's
17:02 great from a security point of view, it's certificates on both sides, but obviously the question is how do you provision
17:07 your clients, especially in a higher ed situation. You have multiple options
17:14 today. You have eduroam-provided tools: the legacy CAT tool, that only does support for
17:20 TTLS; you have the geteduroam tool, which is a new one, relatively new one, it does
17:25 support EAP-TLS with certificate provisioning, and the issue is it's
17:31 not yet available everywhere for all of the eduroam NROs, but it gives you that
17:40 capability. There are also commercial onboarding solutions like SecureW2, and we partner
17:46 with them, they do great products and great onboarding solutions. Now the question we always get is, are
17:55 you guys planning to do something, are you guys doing something? So
18:02 let's go and talk about our aspirations. So this is what we are
18:07 doing for the second half of this year. Similarly to what we already
18:13 have with the PSK onboarding, the PSK portals that we've launched some time
18:20 ago, actually a couple of years ago at this point, we are introducing a
18:25 concept of a NAC onboarding portal which can be attached to your single sign-on, your university's or your organization's
18:32 single sign-on through SAML. Based on that SSO the end user will get a prompt
18:39 to download an app, to install an app. An app will provision the client with a
18:44 certificate, with a Wi-Fi network profile or wired network profile depending on
18:50 what your preference is. Now we'll take a look at one demo.
18:56 So this is an Android device. It's already sitting on the NAC onboarding portal. We already have an
19:03 app installed. We'll just have this prompt where it says okay, do
19:09 you want to download an app or do you want to continue to join the network? We'll just click continue, it opens up the
19:16 Marvis Client app, it does the provisioning, so it installs the certificate,
19:21 it installs the Wi-Fi profile, it says okay, you're good to go, click finish.
19:28 It then connects to that Wi-Fi network with your credential. But
19:35 what's important is this, let me actually stop here, this is the important bit. So
19:41 we didn't want to just do the onboarding, because as I said there are tools that are doing that
19:48 today, quite a lot of them. We also wanted to extend this to our Marvis client
19:55 support. So by doing the onboarding you're actually enabling Marvis client
20:01 within the same app, and that Marvis client sends telemetry back to our cloud where
20:08 we can marry things together. So let's look at what you can get. You can go to Marvis clients, you'll see all of the
20:16 devices that are currently online, all of the Marvis clients. You'll see all of the
20:22 data that we are able to gather from them from a fingerprinting point of view, so device model, exact driver version,
20:31 what OS version is installed, everything that Marvis Client gives us. But most
20:37 importantly, we then can go to a specific client. I'll just look at that
20:45 Android device, and when we go inside a client, the first thing we see obviously is all of
20:52 the visibility that we have from the network and from the NAC point of view. But what you'll also see,
20:59 one second, sorry, what you'll also see is the client-
21:07 reported events on the top right, and this
21:13 is what Marvis client brings you. So what you'll see is all of the
21:19 events that we are able to pick up from the client itself. So when it
21:24 reports unsuccessful roams, because it's actually a sticky client, right,
21:30 because we know the client hears a better AP where it's at, but it
21:35 decides to stick with the current one. We know when the device is locked or
21:43 unlocked. We can analyze that from a client perspective. In addition to that,
21:51 when you look at the roaming of clients, right, the famous roaming graph
21:58 that we always showed many years before, we can actually
22:03 now see all of the client-reported APs, which APs the client can
22:11 hear during a certain period of time. Now this comes from the Marvis
22:17 client itself, and when you look at the larger time frame you can see, as the client was
22:25 moving or as the client was roaming between the APs, you also see all of the client-reported data. In addition
22:33 to that, right, you can now correlate the two together. So we're basically doing
22:40 onboarding and we're doing Marvis client in one package. Is there an opt-out for
22:46 that other than the stop button? That just seems super sketchy, like security-
22:53 wise, you can track students, you can identify where people are and when they are and where they are, you can track
22:58 employees. It just seems like that's a lot of information, that people are
23:05 downloading a client to connect to the network and, oh by the way, we're also going to... Correct, so this is a choice. This
23:12 is a choice, and this is a choice from a portal, per portal per se. So you can say
23:17 enable Marvis telemetry or disable, right? That's up to you. So you can just do the onboarding, that's perfectly fine, or
23:25 you can do onboarding and telemetry. Is that at org level or is it individual? It's per portal. So you can
23:33 create multiple portals and you could say portal one is attached to the SSO for our staff, where we will enable
23:39 Marvis telemetry. Portal two is for our students, for example, and this is where
23:45 we will disable telemetry, just the onboarding. Can I get a clarification on the Marvis client? By using the Marvis
23:53 client and showing all those metrics that you showed, is that a requirement to have Mist NAC? Okay, no, absolutely
24:02 not. Yeah, but this is an add-on. So we're really solving the onboarding
24:08 problem when customers don't have their own PKI, they don't have any way
24:15 to deliver certificates to clients, right? So this is primarily... So Slava, so the
24:21 Marvis client is morphing to have multiple personas, and those personas can be enabled or disabled, and from a
24:29 client perspective the Marvis client telemetry requires permissions from the device itself, from the user on the
24:36 device. Yeah, yeah. Okay. And one more thing, by the
24:43 way, while we are doing the onboarding for BYOD devices, since we
24:50 are introducing our new PKI service, this will also let you integrate into your
24:57 MDM for your corporate devices, for your managed devices. So this way your MDM can fetch the certificate from us and
25:05 issue it, right? So we are actually introducing a whole new PKI service, not
25:11 just onboarding. I think you just asked a question: is this iOS and Android?
25:17 I thought I saw that it was both. Oh, the onboarding is for iOS,
25:23 Android, Windows and Mac. And just to kind of confirm, you said that it will
25:28 integrate with the MDM, it will grab the client certificate and then it will just install that certificate as part of the
25:35 onboarding process, is that what... So treat this differently. Marvis client
25:41 is pure BYOD, right? No MDM, no nothing, right? Okay. It will do the certificate
25:48 provisioning on its own. The Marvis client is what's going to deliver the certificate, right? For your managed
25:55 devices, let's say in enterprises, in any other verticals where
26:00 you manage devices and you don't have your PKI but you have your MDM, that's a typical scenario today, you
26:07 can say I'm going to use my MDM to talk to Mist as the CA server, and this is how my
26:14 clients will get a cert. Okay, so if somebody does not have a PKI then they can just use this? Okay,
26:22 yeah, they can use ours. I'm sorry, is there, you said there's
26:27 an onboarding SSID that runs, that pushes this app to you? Is that how it works?
26:33 It's an onboarding portal, Kevin, and it's an out-of-band portal, so you can
26:38 access it from your LTE, from any onboarding SSID if you will. It's just
26:45 a portal. Let me go back. Okay. Is this available for anyone, or is
26:54 this app only like a private app? It's an app that you will be able to download from the Google Play Store and the
27:02 App Store. It's a store app. Yep.
27:07 Sure. Okay, so one more question. Does the app, so
27:15 say you download the app and you go to two different venues, unrelated customers,
27:20 will the app know that you're on a different network? You won't connect to a different
27:25 network with that, or it's org-specific, unless
27:31 the other org will actually trust the certificates issued from org one. Okay, so if I download this for
27:39 one venue, one retailer, and I go to another venue, I have to redownload the
27:44 app, or how would that work? So think of this as, this is not really guest
27:50 onboarding, right? For guests this is not what we would recommend. This is really a bring-your-own-device type of situation
27:58 where you first authenticate the user through single sign-on, so it needs to be an employee, needs to be a student,
28:04 somebody who's part of your organization, and then we would let the
28:10 app download and the app will provision a certificate. Would you imagine something like this being enabled for OpenRoaming,
28:17 for example, like offering the same type of client to make OpenRoaming that much more seamless, and then still
28:23 being able to use that as an endpoint to gather all the telemetry and data that you need?
28:29 Everything is possible with this, yeah, absolutely. So OpenRoaming today, right, as it grows, there
28:36 are so many IdPs today, that's just...
28:42 For OpenRoaming, you said that you guys support it, do you guys have an option like a one-click button
28:49 that configures your network to support OpenRoaming today? We do, so we actually, yeah,
28:58 it connects you to all the IdPs. So the way this works is you
29:04 enable OpenRoaming as your Passpoint operator. We actually
29:11 simplify that, you literally just say I want OpenRoaming on my SSID and then
29:16 we would use our backend to talk to the OpenRoaming federation, so it
29:23 will work with any IdP. Okay, thank you. Awesome.
29:28 So Slava, one more question, okay. So the NAC capability and PKI, do they come
29:34 together or are they separate offerings, different subscriptions? It's an
29:39 additional subscription for the PKI service and onboarding. Okay,
29:46 thanks. Okay, in the interest of time, since I think we've already passed it,
29:53 let's talk about one last thing. We'll talk about our high availability, high reliability story, and we brought this
30:00 up last year. Again, we are at the point where we have worldwide
30:07 presence when it comes to Access Assurance pods. So the way our redundancy and high availability works
30:13 is we detect where your authentication request comes from. So if
30:19 you have sites in France, you have sites on the
30:24 east coast in the United States, we would automatically redirect that authentication request to the nearest
30:29 pod we have deployed in that geo. Similarly, if one of these pods goes
30:35 down, we will steer that traffic automatically to the next nearest pod.
30:40 So today we've done this at the global level, it's deployed
30:47 worldwide. But the obvious question is, for customers specifically in
30:54 verticals like healthcare where you have critical locations, where you need to
30:59 survive internet and power outages, so let's say you have a hospital
31:05 and then the power goes down, the whole hospital goes offline, then it comes back up, everything is online but
31:11 your router is down and your ISP is down, you don't have any connectivity, so you don't have any caching as well because
31:17 everything just rebooted 5 seconds ago. So what do you do? So what we are doing
31:23 is we're introducing a concept of site survivability. In the normal condition
31:28 when the cloud is reachable and all our infrastructure can talk to our cloud,
31:33 everything goes to Access Assurance, everything goes to the cloud, the cloud does the heavy lifting, but at the same time
31:40 we are actually building up a cache on a local Mist Edge that will be
31:45 running this caching service, so it learns about every client that's actually authenticated and
31:52 authorized and it caches the policy on that Mist Edge for that specific
31:59 location. Is this a configurable parameter? Because there would be places
32:05 where you want that cache very short and where you want it very long. Okay, but
32:12 the typical thought process is you look at historical clients, because you want to see that if
32:19 you see clients online on site for a period of a couple of days, you want
32:25 to make sure that when the WAN becomes unreachable these
32:31 clients can authenticate and they get placed into the right policy, etc. So we're going to cache that on the Mist Edge for
32:37 that location. Now when things go south and your cloud is
32:44 unreachable for whatever reason, Mist Edge starts its authentication service using the
32:50 cache that it already has, and this cache survives the reboot, so we will survive power outages as well.
32:57 So at that point all your local infrastructure, your APs and switches, will talk to the Mist Edge. Mist Edge will do the
33:03 authentication, so everything that we've cached, we will authenticate your 802.1X and
33:09 MAB clients, and we will return all the policies that we've cached for the
33:16 past days. New clients can still connect and authenticate, but at that point they will be assigned a default, what we
33:23 call a critical service policy, like you can configure which VLAN they will be dropped into, which policy will get
33:29 assigned. And this is where we really wanted to create a site
33:34 survivability concept that would not make us put a full-blown NAC on
33:40 prem. We didn't want to repeat the mistakes of the past, so we really wanted to make this service very lean and tidy,
33:46 right? It's just going to cache, the cloud is still going to do all the heavy lifting,
33:52 but in case we need to survive like a full WAN outage, full internet outage, we
33:58 can.