Juniper Networks IOT Assurance, Self Provisioning, and PPSK

0:09 so we'll talk about IIT assurance and

0:12 self-provisioning as sanjo said in the

0:16 beginning oh we've we've showed this uh

0:20 last year we showed this I think even a

0:22 year before where our ID Insurance

0:25 service was designed to uh to solve the

0:29 two specific use cases when we talk

0:31 about access control wireless for iot or

0:34 we can call them unattended devices the

0:37 other one is for BYOD for you know

0:39 unmanaged unmanaged device access to the

0:42 network we are leveraging multiple

0:44 appreciative key concept here but we're

0:46 deploying this at scale so one of the

0:48 things that that we've done was to you

0:51 know eliminate Mac addresses from the

0:53 equation where we are just letting the

0:57 device on board based on the fact which

1:00 here which psk decline client is is

1:03 using we are doing segmentation like

1:06 vlan-based segmentation role-based

1:08 segmentation and we're doing some

1:10 traffic engineering where we can say

1:12 okay this key is going to be channeled

1:15 to DMZ the other key is going to be like

1:18 Liberation and things like that plus

1:19 we've added quite a quite a lot of

1:21 things and the life cycle management

1:26 aspects of the of our mpsk solution one

1:30 thing we haven't showed yet was the

1:33 stealth onboarding or self-provisioning

1:35 aspect of of the iot Assurance which is

1:39 relevant to the by the use case how do

1:41 users uh however how they able to get

1:45 themselves a unique personalized PS case

1:48 let me let me Demo this

1:51 let me just in a second I'm going to

1:53 switch back

1:54 so what we have here is we have a

1:57 concept of a TSK portal that is

1:59 connected to

2:01 a single sign-on in this case this is

2:04 azure like standard sample connector so

2:07 it will integrate into any IDP

2:09 whatsoever we will then say okay if the

2:13 client is authorized and authenticated

2:15 and authenticated using single sign up

2:18 we will create a personalized bsk for

2:21 this specific SSID with this fast phase

2:24 complexity settings and we will

2:25 determine you know how frequently the

2:28 end users will need to rotate their

2:31 credentials so how does the process

2:33 looks like from an end user perspective

2:35 so an end user let me just open it

2:38 somewhere here would go to

2:41 at the Escape portal and we'll then

2:44 redirect

2:46 one second

2:49 I should not have anything clashed so it

2:52 will then redirect to a single sign-on

2:55 for authentication so I'm going to just

2:59 log in with my test account in azure

3:02 so if you have MFA in the Fable kick in

3:04 at this point as well it will then

3:06 bounce back to our the Escape portal it

3:09 will generate a unique passphrase for

3:12 that specific user taking your username

3:15 picking your email address from Azure as

3:18 the key name so you have the identity of

3:20 the user attached with the with the

3:22 passphrase it generates the QR code that

3:25 you can either scan with your with your

3:27 camera or you can actually if you're

3:30 running this from a mobile device you

3:33 can click on the QR code it will ask you

3:35 to join the network so I'm going to just

3:36 demo this real quick I'm going to take

3:39 my

3:41 device I'm going to turn the Wi-Fi on

3:43 I'm gonna open up a camera app I'm going

3:45 to point to this QR code it will ask me

3:48 to join the network

3:51 set

3:55 I am now connected to

3:58 to this network that's really it right

4:00 so you're generating a unique user

4:06 specifically you can connect all of your

4:08 uh all of your devices so

4:12 that uh

4:14 that that will use that key without

4:16 registering the Mac addresses none of

4:18 that right

4:19 and it's completely self-service the

4:21 same thing we are even extending that to

4:24 uh to let the users rotate their

4:27 credentials as and when they need to

4:29 read so that's completely uh off of ID

4:33 hence now what you'll see from the

4:35 visibility point of view you will then

4:37 look at the psk that you see the psk has

4:41 been created for that specific user we

4:43 now see a client devices that are active

4:46 uh for for that given uh for that given

4:49 psk you would see them as they come in

4:52 you can see the historic usage of that

4:54 key etc etc that's the dyad portion but

4:58 what I wanted to also show is what what

5:03 are the outcomes what how we actually

5:05 were able to help customers over over

5:08 that last one year so if we look at at

5:12 this slide uh We've we've done a number

5:15 of use cases so we can look at the first

5:17 example where you know a fortune 75

5:21 retailer uh used our iot Assurance to

5:25 simplify on boarding out there demo uh

5:28 devices or vendor demo devices in the

5:31 stores and they've removed the the uh

5:35 the requirement of dealing with Mac

5:37 addresses so previously they were having

5:39 to register every single Mac address of

5:41 every single device that they had in

5:44 each and every store in order to onboard

5:46 them in their specific VLAN for for

5:48 isolation between vendors now they've

5:51 just created a keeper vendor they

5:53 onboard their devices everything is

5:56 automatically onboarded encrypted and

5:59 it's just a it's just a very very

6:02 simplest experiences then if you look at

6:05 the second example you have a very large

6:07 uh K-12 School District in the US where

6:11 they've leveraged our iot Assurance

6:13 service to uh to provision a

6:18 personalized psk for each and every

6:19 student and staff member and then in the

6:22 school district so we're talking about

6:23 20

6:25 000 plus devices

6:27 that are associated with with their

6:31 uh identity database this was very easy

6:34 to accomplish at scale and that actually

6:36 helped them because they had this

6:38 identity tracking they were able to you

6:41 know identify uh issues of abusing the

6:45 network by by students uh because they

6:48 had a mapping of a specific device to a

6:51 specific user that personalized key now

6:54 we also had examples of retailers

6:57 specifically in Europe where they they

7:00 leveraged the mpsk solution for for

7:04 their store devices but for them the

7:06 important point was the ease of key

7:10 rotation mechanism so what what you've

7:13 actually uh

7:14 you can actually do is deploy uh deploy

7:19 a key to run it for say six months and

7:22 then say every six months I need to

7:24 rotate this credential so we are

7:26 providing an easy way to let the let the

7:30 customers do the credential rotation

7:32 without affecting buying connectivity so

7:34 they have a Time window when they can

7:36 migrate from the old credential from the

7:39 old key to the new one without

7:40 disrupting the connectivity

7:42 the other one is also very interesting

7:45 example one of the top universities in

7:47 the United States

7:48 due to the compliance requirements they

7:52 used to have open ssids for Olay

7:55 students and iot devices uh they would

7:58 do macauthentication previously they've

8:01 actually moved to uh United Insurance to

8:04 mpsk SSID where we are talking about

8:08 every student having their own psk that

8:11 they actually got using the cell phone

8:13 boarding portal and they also got the

8:16 iot devices like washing machines and

8:19 things like that on that same network

8:21 but they're segmented into a different

8:23 network section and finally one of the

8:27 large Tech Enterprises they've they've

8:30 used the

8:32 mpsk and and the psk identity for just

8:37 giving getting the visibility of all

8:39 their their devices in the lab so

8:41 they're dealing with

8:43 thousands of lab devices that they they

8:46 were having trouble finding before

8:47 because you know their their test

8:49 devices how do you uh how do you want to

8:52 manage them so that was the perfect

8:54 perfect solution for them anyway it says

8:56 from the social media iot Client

8:59 onboarding Solutions for wpa3 uh is that

9:02 something

9:04 wpa3 is something we're looking at we

9:06 are actively investigating how to do

9:08 this right we again we want to avoid the

9:12 uh the MAC address registration thing

9:14 but again we want to do it seamlessly so

9:17 actively investigating okay so just

9:20 closing it out I know you guys are a

9:22 tough crowd uh to please uh hopefully

9:25 you have seen some uh like you know gems

9:27 in what we have done through the

9:28 mystification there are primarily a few

9:30 takeaways simplifying the whole like you

9:33 know what what seems like a colonoscopy

9:35 exercise dealing with creating multiple

9:37 policies simplifying that to the obtains

9:40 degree that is number one all that is

9:42 possible because of a microservices

9:44 cloud architecture and you saw like you

9:47 know how Marvis can now give you and

9:50 Stitch the client to Cloud Journey all

9:52 the way from Association all the way the

9:55 client getting out to the internet and

9:57 authentication authorization being a key

9:59 part of it