IT network teams face a dilemma when it comes to BYOD and wireless LAN access. They don't have the resources to manually configure hundreds of personal devices, yet asking users to configure their own clients invites
Until recently, IT departments were able to use desktop management systems and Active Directory Group Policy Objects (AD GPOs) to auto-configure enterprise WLAN credentials and settings on company-issued laptops. Unfortunately, those tools generally can't be applied to smartphones or tablets.
With newer automated WLAN onboarding tools, users can choose a designated SSID and be led to a captive portal splash page to log in and accept terms of service. This can immediately route users onto a somewhat limited guest network, but this is only a first step. Generally, enterprises need tools that can go deeper and assign access based upon policy. That's where configuration tools come into play.
Self-configuration tools for WLAN access
The goal of automated WLAN onboarding tools is to let users configure connections without IT assistance. Many Wi-Fi smartphones and tablets allow users to configure network connection settings themselves, including WPA2-Enterprise EAP parameters and server/user certificates. For example, once users are granted access to an open enterprise "guest" WLAN, they can visit a URL to download a configuration profile. Walking users through EAP and certificate settings on every platform is error-prone, so some organizations now use platforms such as Cloudpath Networks' Xpress Connect, which automates portal-based WLAN connections for Windows, Mac OS X, Ubuntu, Android and iOS users -- including ActiveX for unmanaged Windows BYODs.
This approach automates and simplifies WLAN onboarding while keeping dependencies to a minimum, so it can accommodate diverse devices and ownership models. It can even be integrated with enterprise directories and certificate authorities to install different WLAN credentials for each authenticated user or device. However, it doesn't provide configuration updates or ongoing enforcement after the initial install, nor can it be extended to meet other BYOD needs.
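The configuration profile approach leaves one detail to whoever builds the profile: unless the WPA2-Enterprise payload names the RADIUS server and carries the CA that signs its certificate, the client will authenticate to any access point and RADIUS server that answer to the SSID, including a rogue pair. The Python script below is an added example, not code from the original article or from Cloudpath; it builds an iOS-style .mobileconfig plist with the standard library's plistlib, using the payload keys from Apple's configuration profile format and EAP method numbers from the IANA EAP registry, and then audits the result for the settings that matter. The org identifier, SSID, RADIUS hostname and CA bytes are placeholders; FAKE_CA_DER is not a real certificate.

```python
import plistlib
import uuid

# EAP method numbers (IANA EAP type registry) as used in AcceptEAPTypes.
EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"
ROOT_CERT_PAYLOAD_TYPE = "com.apple.security.root"


def root_cert_payload(org_id, der_bytes, name="Corp RADIUS CA"):
    """Payload carrying the CA certificate that signs the RADIUS server's cert."""
    return {
        "PayloadType": ROOT_CERT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ca.{name.replace(' ', '-').lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": der_bytes,  # plistlib emits bytes as <data>
    }


def wifi_payload(org_id, ssid, eap_types, trusted_server_names, anchor_uuids,
                 username=None, allow_trust_exceptions=False):
    """WPA2-Enterprise Wi-Fi payload pinned to the named RADIUS server(s)."""
    eap = {
        "AcceptEAPTypes": list(eap_types),
        "TLSTrustedServerNames": list(trusted_server_names),
        "PayloadCertificateAnchorUUID": list(anchor_uuids),
        "TLSAllowTrustExceptions": allow_trust_exceptions,
    }
    if username:
        eap["UserName"] = username
    return {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.{ssid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }


def build_profile(org_id, display_name, payloads):
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wlan-onboarding",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": list(payloads),
    }


def audit_profile(profile):
    """Return findings; an empty list means every Wi-Fi payload pins the RADIUS
    server (trusted names plus an anchor CA shipped in the same profile) and
    forbids user-accepted trust exceptions."""
    findings = []
    anchors = {p["PayloadUUID"] for p in profile["PayloadContent"]
               if p["PayloadType"] == ROOT_CERT_PAYLOAD_TYPE}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != WIFI_PAYLOAD_TYPE:
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") != "WPA2":
            findings.append(f"{ssid}: EncryptionType is {p.get('EncryptionType')!r}, not WPA2")
        if not eap.get("AcceptEAPTypes"):
            findings.append(f"{ssid}: no EAP types, so this is not an 802.1X network")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames empty, any server name is accepted")
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & anchors:
            findings.append(f"{ssid}: no anchor CA payload, client may trust any public CA")
        if eap.get("TLSAllowTrustExceptions"):
            findings.append(f"{ssid}: TLSAllowTrustExceptions lets the user accept an unknown server")
    return findings


def to_mobileconfig(profile):
    """Serialise to the XML plist that iOS and OS X accept as a .mobileconfig."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    FAKE_CA_DER = b"\x30\x82placeholder-not-a-real-certificate"  # constructed
    ca = root_cert_payload("com.example", FAKE_CA_DER)
    profile = build_profile("com.example", "Example Corp Wi-Fi", [
        ca,
        wifi_payload("com.example", "CorpNet", [EAP_TLS, EAP_PEAP],
                     ["radius.corp.example.com"], [ca["PayloadUUID"]], username="alice"),
    ])
    print(audit_profile(profile))  # []
    print(to_mobileconfig(profile).decode()[:80])
```

The audit is the part to keep: a profile that passes it forces the supplicant to reject a RADIUS server whose certificate is not issued by the shipped CA or whose name is not in the trusted list, which is what stops an evil-twin AP from harvesting PEAP/MSCHAPv2 credentials. A real deployment would sign the .mobileconfig and serve it over HTTPS from the portal.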
Provisioning platforms that go deeper on WLAN access policy
Automated WLAN onboarding can get more specific about access policy when it is integrated with traffic inspection functions built into the network. In this scenario, a "vanilla" captive portal can offer every user the same self-install links and guest networking options, but the WLAN access points (APs) can be configured with client classification policies that grant more finely tuned network access.
Aerohive Networks' HiveAPs, for example, can be configured with client classification policies that automatically redirect personal devices based on the Wi-Fi MAC address prefix (OUI), the fingerprinted operating system and device domain membership. These classifications could be used to apply different firewall rules to, say, unknown Android tablets as opposed to recognized iPads. Through this method, recognized iPads might be redirected to a platform that installs an iOS configuration profile based on an observed username, while unrecognized devices could be redirected to a portal where users receive individual PSKs and thus join a WPA2-Personal secured WLAN.
This approach focuses on using the network itself as well as its traffic content to automate WLAN onboarding. Combining WLAN traffic inspection and firewall capabilities with device and OS fingerprinting streamlines the steps users may have to take in order to connect their devices to the network. Broader BYOD management may, however, require additional steps or IT resources.
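Client classification of the kind described above combines three observables: the OUI prefix of the client's Wi-Fi MAC, an OS fingerprint (here taken from the HTTP User-Agent of the first captive-portal request; DHCP option fingerprinting is the other common source) and whether the device is known to the enterprise domain. The Python below is an added example of that decision logic, not HiveOS code or any vendor's product; the OUI table, User-Agent patterns, redirect targets and firewall role names are all constructed for illustration. The point worth copying is in the comments: both signals are set by the client, so a class only chooses an onboarding path and a starting firewall role, and contradictory signals fall to the least privileged path rather than the most.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample OUI table (first three octets of the Wi-Fi MAC -> vendor).
# These prefixes are placeholders; a real deployment loads the IEEE OUI registry.
OUI_VENDOR = {
    "AA:BB:C1": "Apple",
    "AA:BB:C2": "Apple",
    "AA:BB:D1": "Samsung",
}

# User-Agent fingerprints seen on the first HTTP request through the portal.
# Order matters: iPad/iPhone strings are checked before the generic ones.
UA_PATTERNS = [
    ("iPad", re.compile(r"\biPad\b")),
    ("iPhone", re.compile(r"\biPhone\b")),
    ("Android", re.compile(r"\bAndroid\b")),
    ("Windows", re.compile(r"\bWindows NT\b")),
    ("Mac OS X", re.compile(r"\bMacintosh\b")),
]


@dataclass
class Observation:
    mac: str                 # client Wi-Fi MAC as seen by the AP
    user_agent: str          # first HTTP request through the captive portal
    username: Optional[str]  # None until the portal login succeeds
    domain_joined: bool      # e.g. seen authenticating to the AD domain


def oui_vendor(mac):
    return OUI_VENDOR.get(mac.upper()[:8], "unknown")


def fingerprint_os(user_agent):
    for name, pat in UA_PATTERNS:
        if pat.search(user_agent):
            return name
    return "unknown"


def classify(obs):
    """Map network observables to (device class, onboarding policy).

    Caveat: MAC prefix and User-Agent are client-controlled, so the result
    only decides which enrolment path to offer and which firewall role to
    start in; trust comes from the 802.1X credential issued on that path."""
    vendor = oui_vendor(obs.mac)
    os_name = fingerprint_os(obs.user_agent)

    # Inconsistent signals (Apple OUI but an Android browser) suggest spoofing
    # or tethering; treat as unknown rather than as the more trusted class.
    if vendor == "Apple" and os_name == "Android":
        return "mismatch", {"redirect": "ppsk-portal", "role": "guest"}
    if os_name in ("iPad", "iPhone") and vendor == "Apple" and obs.username:
        # Recognised Apple device with an authenticated user: push a profile
        # that installs a per-user WPA2-Enterprise credential.
        return "recognized-ios", {"redirect": f"profile-install?user={obs.username}",
                                  "role": "byod"}
    if os_name == "Windows" and obs.domain_joined:
        # Domain-joined laptops are handled by GPO; no redirect needed.
        return "corporate-windows", {"redirect": None, "role": "corp"}
    if os_name == "Android":
        # Unknown Android tablets get a personal PSK and a restricted role.
        return "unknown-android", {"redirect": "ppsk-portal", "role": "restricted"}
    return "unknown", {"redirect": "guest-portal", "role": "guest"}


if __name__ == "__main__":
    sample = Observation("aa:bb:c1:12:34:56",
                         "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26",
                         "alice", False)
    print(classify(sample))
```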
Mobile device managers for auto-enrollment
Mobile device managers (MDMs) can help IT shops implement more complex policy that grants access by user or group, device ownership, make and model, OS level, configuration and integrity. They can also update settings to reflect ongoing changes in WLAN design and enforce real-time policies that address BYOD misuse or compromise.
Using this approach, users who connect to an open enterprise "guest" WLAN are redirected to an MDM enrollment page. (Alternatively, users could be sent email or SMS notifications containing personalized enrollment URLs.) Upon visiting the enrollment page, users are required to log in or supply an activation code, at which point the MDM can compare the user or group, device ownership and device details against policies that determine provisioning. If a personal device is accepted, the system issues a device certificate and configures the device with many settings and applications, including enterprise WLAN credentials and connections, enterprise VPN tunnels and enterprise mail settings.
Dozens of MDM products support full device enrollment and can be used to automate WLAN onboarding. Some have been specifically integrated with WLAN infrastructure. For example, Meraki offers a free basic MDM to its Enterprise Cloud Controller customers. Aerohive collaborates with JAMF Software LLC to provide automated MDM enrollment of Apple devices. Aruba Networks Inc. offers a ClearPass Access Management System appliance that integrates with third-party MDMs through published APIs.
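The enrollment flow described above turns on two things the MDM must get right: the activation code is a bearer secret delivered over email or SMS, so it has to be single-use and short-lived, and the provisioning decision has to be a function of directory and device attributes, not of the code alone. The Python below is an added example of such an enrollment server, not code from any MDM product named on this page; the directory groups, OS minimums and provisioning rules are constructed policy values, and the device certificate step is represented only by a "device-certificate" entry in the settings list (the hand-off to a CA is outside this example).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed directory data standing in for an enterprise directory lookup.
DIRECTORY_GROUPS = {"alice": {"staff"}, "bob": {"contractors"}}

# Minimum OS levels accepted for enrollment (constructed policy values).
MIN_OS = {"iOS": (6, 0), "Android": (4, 0)}


@dataclass
class Device:
    platform: str                 # "iOS" or "Android"
    os_version: Tuple[int, int]
    ownership: str                # "personal" or "corporate"
    jailbroken: bool              # integrity signal reported by the agent
    device_id: str


@dataclass
class Decision:
    accepted: bool
    reason: str
    settings: List[str] = field(default_factory=list)


class EnrollmentServer:
    """Issues single-use, expiring activation codes and applies enrollment policy.

    Codes are stored only as HMAC tags, so a leaked table cannot be replayed;
    redemption pops the record, so a code forwarded in a screenshot or a
    captured SMS works at most once and only within the TTL."""

    def __init__(self, hmac_key: bytes, ttl_seconds: int = 900):
        self._key = hmac_key
        self._ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}  # tag -> (user, expiry)

    def _tag(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, username: str, now: float) -> str:
        code = secrets.token_urlsafe(12)  # ~96 bits; sent to the user by email/SMS
        self._pending[self._tag(code)] = (username, now + self._ttl)
        return code

    def redeem(self, code: str, device: Device, now: float) -> Decision:
        record = self._pending.pop(self._tag(code), None)  # pop => single use
        if record is None:
            return Decision(False, "unknown or already used activation code")
        username, expiry = record
        if now > expiry:
            return Decision(False, "activation code expired")
        return self.evaluate(username, device)

    def evaluate(self, username: str, device: Device) -> Decision:
        """Policy: directory membership, device integrity and OS level gate
        enrollment; group and ownership decide what gets provisioned."""
        groups = DIRECTORY_GROUPS.get(username)
        if groups is None:
            return Decision(False, f"{username} not found in directory")
        if device.jailbroken:
            return Decision(False, "device integrity check failed")
        minimum = MIN_OS.get(device.platform)
        if minimum is None or device.os_version < minimum:
            return Decision(False, f"{device.platform} {device.os_version} below policy minimum")
        # Everyone enrolled gets a device certificate and the enterprise WLAN;
        # staff also get VPN; corporate-owned devices and staff get mail.
        settings = ["device-certificate", "wlan-wpa2-enterprise"]
        if "staff" in groups:
            settings.append("vpn")
        if device.ownership == "corporate" or "staff" in groups:
            settings.append("mail")
        return Decision(True, f"enrolled {device.device_id} for {username}", settings)


if __name__ == "__main__":
    server = EnrollmentServer(hmac_key=secrets.token_bytes(32))
    code = server.issue_code("alice", now=0.0)
    ipad = Device("iOS", (6, 1), "personal", False, "ipad-001")
    print(server.redeem(code, ipad, now=60.0))
    print(server.redeem(code, ipad, now=61.0))  # second use is refused
```

Two design points carry over to a real deployment: keep the HMAC key out of the same datastore as the pending-code table, and log the rejection reason for the helpdesk while returning only a generic failure to the enrolling device, since an attacker probing codes should not learn which ones were valid but expired.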
These are just a few examples of ways to integrate WLAN infrastructure with MDMs and other tools for automated BYOD access provisioning. There are a host of other strategies, and even more will emerge. If you're shopping for a way to manage BYOD and WLAN access, start by asking both WLAN and MDM vendors about their approach to WLAN onboarding and be sure they take automation, flexibility and device diversity into account.
In part 2, see how the University of Pennsylvania tackled automated WLAN access for BYOD.
About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.
This was first published in January 2013