BYOD
- It is recommended to read and follow the overview of the openNAC solution.
- Deploying openNAC technologies requires understanding and following the network requirements.
- Once openNAC is deployed, it is recommended to select the use case that fits your requirements.
- After selecting the use case, a scenario must be configured to cover as many of the customer's needs as possible.
This page shows which steps are required to configure BYOD based on.
1. DEFINITION
This scenario authenticates personal devices connected to your corporate network using internal user credentials from your local user database, such as LDAP, AD or even the openNAC database.
2. MECHANISMS (How does it work?)
Using an AAA (Authentication, Authorization and Accounting) approach, openNAC can perform network access control.
- When the host is connected to a switch interface, the switch asks whether the host has a supplicant. If it does, the host sends the supplicant's authentication data.
- The switch sends the authentication packet to openNAC Core. openNAC then executes the authentication and authorization process and answers the switch with whether the host is allowed access and, in addition, the corresponding VLAN defined in the policy.
- The switch places the port in the VLAN received from openNAC.
- The host requests DHCP and continues with the normal process of accessing the network.
3. DASHBOARD (How do we display the information?)
For each BYOD authenticated device that connects to the network, openNAC displays the following information.
4. DEPLOYMENT (Do it yourself)
The following is a light guide to deploying BYOD in a basic lab.
4.1 REQUIREMENTS
- openNAC Core.
- An 802.1x network device (switch, AP, ...); the following scenario uses a Cisco switch with IOS 12.2.55 or higher.
- openNAC Analytics.
- Client PC; the following scenario uses Windows 10.
- A user database such as LDAP, an AD server or the local user database in openNAC Core when using supplicant users; with MAB users, a database is not needed.
- Deploy the UNAC use case.
4.2 SCENARIO ARCHITECTURE


- The client is connected to the switch and starts the network access process.
- The switch sends an authentication request to the host.
- The host sends the response with user credentials; in this case we are using an AD server as the user credentials repository.
- The switch sends the RADIUS access request to ON Core.
- ON Core forwards the access request to the AD server.
- The AD server responds with a RADIUS access challenge to ON Core.
- ON Core forwards the challenge to the switch.
- The switch sends an EAP-Request to the host.
- The host sends an EAP-Response to the switch.
4.3 SETTINGS
On Core
Before configuring the policy rule, enable the Discover and Openports plugins. For visibility purposes, openNAC uses a plugin known as Discover, which runs a “scan” over each endpoint it can reach through its IP address. So the first step is to enable the plugin.
Go to Configuration –> Configuration vars, select the plugin tab and enable the Discover plugin.
Policy Configuration
- Create a new policy in ON NAC –> Policies –> Add new.
- Select a database, such as LDAP, where the user will be authenticated.
- Select “Supplicant User” in the sources preconditions.
- Select the VLAN to assign.
- For more information about the device, select the openports and discover plugins, and activate the autolearn option.
4.4 TESTING
Go to ON NAC –> Business Profiles –> Default View. In this section you can see endpoint access in real time. Administrators can also check the graphical output of business profiles under Analytics –> openNAC –> User Devices.
If there is a business profile associated with the BYOD policy, the output should be available here.

It is important to capture the IP address; openNAC uses it to run the plugin over each known asset that matches the previously configured policy.
4.5 TROUBLESHOOTING
- Please perform a basic review: Basic Check
- To debug the authentication process, see Radius Troubleshooting