BYOD: Management and Control for the Use and Provisioning of Mobile Devices


2 BYOD: Management and Control for the Use and Provisioning of Mobile Devices Imran Bashir Technical Marketing Engineer

3 BYOD: Management and Control for the Use and Provisioning of Mobile Devices -- 3: A Imran Bashir Technical Marketing Engineer Session Repeated on 8: 30 AM -- Room 209C 2:30 Room 209C

4
- Introduction and the problem
- Sample BYOD policies
- Device identification/fingerprinting
- Introduction to the Cisco BYOD + user experience
- Introduction to Secure Group Access (SGA)

5 Access Today
END USER EXPECTATIONS
- Over 15 billion devices by 2015, with the average worker having 3 devices
- New workspace: anywhere, anytime
- 71% of the next-gen (Gen Y) workforce do not obey policies
- 60% will download sensitive data on a personal device
IT TRENDS
- 50% of workloads are virtualized to increase efficiency
- 2/3 of workloads will be in the cloud by
- % of the world's mobile data traffic will be video in 2016
- Mobile malware has doubled (2010 to 2011)
REDUCE SECURITY RISK, IMPROVE END USER PRODUCTIVITY, INCREASE OPERATIONAL EFFICIENCIES

6 Policy Access Control BYOD Challenge: Support BYOD without increasing IT operational cost Zero-touch portal automates device registration, application containerization, device posture Improved productivity, lower cost, added security Secure Access Control Connecting Things Challenge: Identifying what is on the network Device fingerprinting (identifying things ), posture analysis, Device visibility (profiling), posture, contextual control, AAA Challenge: Ensure consistent E2E policy that is topology independent Consistent Network-wide Policy Control Cisco TrustSec and policy management Differentiated access control TECHNOLOGY UTILITY ENERGY HEALTHCARE HIGHER ED SECONDARY ED 6

7 Meet Cisco ISE Identity Services Engine for Centralized Control Gartner 2013 NAC MQ Policy Management Solution Unified Network Access Control Turn-key BYOD Solution 1st System-wide Solution Deep network integration System-wide Policy Control from One Screen Award Winning Product 12 Cisco Pioneer Award Over 400 Trained and Trusted ATP Partners Over 1,000 Wins Year 1 7

8 ISE Use Cases
- SECURE ACCESS ON WIRED, WIRELESS & VPN: Control with one policy across wired, wireless & remote infrastructure
- BYOD: Users get safely on the internet fast and easy
- GUEST ACCESS: It's easy to provide guests limited time and resource access
- TRUSTSEC NETWORK POLICY: Rules written in business terms control access

9 BYOD Bring Your Own Device 9

10 What Makes a BYOD Policy? Machine Auth Approach
Use EAP-TLS with AD-issued non-exportable user certificates.
Decision flow: Corp Certificate? In WhiteList? In AD Group? Result: Access-Accept or Access-Reject

11 What Makes a BYOD Policy? VDx Approach ONLY corporate devices have access to corporate network. Personal devices get RDP/ICA access to a VDI farm. MAC Address Lookup to AD/LDAP Profiling Posture Machine Certificates Non-Exportable User Certificate Machine Auth w/ PEAP- MSCHAPv2 EAP-Chaining Corporate Device? Access-Accept Limited-Access VDI Farm 11

12 What makes a BYOD policy? Sample Complete BYOD Policy Employee Guest Access-Reject i-device Access-Accept Registered? MAC Address Lookup to AD/LDAP Profiling Posture Machine Certificates Non-Exportable User Certificate Machine Auth w/ PEAP-MSCHAPv2 EAP-Chaining Internet Only 12

13 What is Profiling?
Classifies based on device fingerprint.
- Collection: NMAP, NetFlow, HTTP, SNMP, DHCP, LLDP, RADIUS
- Classification

14 ISE Profiler
- Collection: profiling probes (OUI, DHCP, NetFlow, DNS, HTTP, CDP, LLDP)
- Classification: ID group assignment
- Apply policies on the network: Internet ONLY, Video VLAN, Voice VLAN, Printer VLAN, more

15 Collection: Getting traffic to ISE: HTTP via URL Redirection
User-Agent is an HTTP request header that web browsers send to web servers. It includes application, vendor and OS information that can be used in profiling endpoints.
User-Agent attributes can be collected from web browser sessions redirected to ISE for existing services such as:
- Central Web Auth (CWA)
- Device Registration WebAuth (DRW)
- Native Supplicant Provisioning (NSP)
Diagram: endpoint redirection to the PSN (TCP/8443)

16 Collection: Getting traffic to Probes: DHCP via IP Helper
- Great and simple method of getting DHCP traffic (DHCP-REQ) to ISE
- Requires configuration of NADs to relay DHCP packets to ISE
- DHCP probe in ISE will collect DHCP data to use in profiling policy
- For WLCs, disable DHCP proxy
Configuration commands:
interface Vlan50
 ip address
 ip helper-address
 ip helper-address (for ISE)

17 Collection: Getting traffic to Probes: IOS Sensor
- Wired: DHCP, CDP, LLDP using RADIUS
- Wireless (WLC): HTTP & DHCP using RADIUS
- Aggregate and forward profiling information over existing RADIUS traffic between NAD and ISE
- IOS switches collect DHCP, LLDP and CDP data
- Data is sent to ISE as cisco-av-pair using RADIUS accounting updates
- Supported on IOS 15.0(1)SE1 for Cat 3K
- Supported on IOS 15.1(1)SG for Cat 4K
Configuration commands:
device-sensor accounting
device-sensor notify all-changes

18 Canned profile Built in to ISE 18

19 Profiler Feed Service: Zero Day Availability
- Diagram: Cisco and partner feeds, Feed Server, DB, PSNs, notifications supported
- No need to wait for a new ISE version
- Zero-day support for popular endpoints is added using the Feed Server

20 Logical Profiling IP-Phones ios-devices Would like to group all my Smart phones and ios devices into a logical profile to facilitate writing policy 20

21 BYOD Spectrum Where are you on this BYOD spectrum? Managed User Managed Device Environment requires tight controls Managed User Un-Managed Device Basic services and easy access for everyone Managed User Un-Managed Device + Secure Register, configure connectivity Managed User + Un-Managed Device + Secure + Compliance Company's native applications, new services, and full control Company's only device Block or Allow Internet Access Securely enabling the device Device Identification, Certificates, Tracking Compliance Encryption enable, PIN Lock, Jail-broken

22 What does ISE offer? Putting the End User in Control
Blacklisting and re-instating of devices, certificate provisioning, multiple device support, self registration, multiple network topologies
- Reduced burden on IT staff: device on-boarding, self registration, supplicant provisioning, certificate provisioning
- Self-service model: myDevice portal for registration, guest sponsorship portal
- Device blacklisting: user-initiated control of their devices (blacklisting, re-instating a device, etc.)
- Support for: iOS (post 4.x), Mac OS X (10.6, 10.7), Android (2.2 and onward), Windows (XP, Vista, Win7)

23 BYOD Flow Use Case: Single SSID
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP. SSID: BYOD-Secure
1. User connects to Secure SSID
2. PEAP: Username/Password
3. Redirected to Provisioning Portal
4. User registers device: downloads certificate, downloads supplicant config
5. User reconnects using EAP-TLS

24 BYOD Flow Use Case: Dual SSID
Components: Personal Asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP. SSIDs: BYOD-Open, BYOD-Secure
1. User connects to Open SSID
2. Redirected to WebAuth portal
3. User enters employee or guest credentials
4. Guest signs AUP and gets Guest access
5. Employee registers device: downloads certificate, downloads supplicant config
6. Employee reconnects using EAP-TLS

25 Setting-up BYOD Authentication Policy Single SSID Dual SSID Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Posture Profiling 25

26 MAB, redirect, why?
Participants: endpoint 00.0a.95.7f.de.06, Authenticator, RADIUS Server
1. Authenticator sends EAPoL: EAP Request-Identity (three times, unanswered)
2. IEEE 802.1X times out
3. MAB starts (after the time until the endpoint sends its first packet following the IEEE 802.1X timeout)
4. Any packet from the unknown MAC address
5. RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
6. RADIUS Access-Accept: limited network access

27 BYOD AuthN Policy: CWA and 802.1X Use Cases
- MAB: ID store set to Continue if lookup fails
- Dot1X: ID store sequence includes Certificate Authentication Profile

28 Setting-up BYOD Authorization Policy Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Profiling Posture 28

29 Authorization Profiles for BYOD: Single SSID, 802.1X Redirect to NSP Example
- Redirect ACL must be defined on WLC
- dACL only applies to wired users
- Airespace ACL not required for URL redirected (Web Auth state) on WLC

30 Authorization Profiles for BYOD: Dual SSID, CWA Redirect to NSP Example
- Redirect ACL must be defined on WLC
- Web Portal with NSP enabled for Network Access Users

31 Authorization Profiles for BYOD: Redirect Android Devices to NSP, Permit Google Play Access Example
- Redirect ACL must be defined on WLC
- ACLs permit access to Google Play
- Actual networks may change over time and by location
Alternatives:
1) Permit all Internet access and deny internal access
2) Deploy upstream device capable of domain-based ACLs. For example, WLC SXP to ASA SGFW.

32 BYOD AuthZ Policy: Single SSID, Employee using PEAP
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Matched Rule = PEAP: Redirect to Supplicant Provisioning
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = CORP) and PSN:
- RADIUS Access-Request: PEAP MSCHAPv2, EAP-ID = Employee1
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=agent-redirect, [cisco-av-pair] = url-redirect = p

33 BYOD AuthZ Policy: Dual SSID, Employee using CWA
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Matched Rule = Open Rule: Send HTTP traffic to CWA Portal.
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = GUEST) and PSN:
- RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=agent-redirect, [cisco-av-pair] = url-redirect = onidvalue&action=cwa

34 BYOD AuthZ Policy: Dual SSID, Employee using CWA
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Employee Authentication Succeeded...
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = GUEST) and PSN:
- RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=agent-redirect, [cisco-av-pair] = url-redirect = onidvalue&action=cwa
- PSN: User != Guest, Start Self-Provisioning Flow

35 BYOD AuthZ Policy: Dual SSID, Guest using CWA
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Guest Authentication Succeeded... Send CoA
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between GUEST (SSID = GUEST) and PSN:
- PSN: User = Guest, Bypass Self-Provisioning Flow
- Change of Authorization Request
- CoA ACK/NAK
- RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- RADIUS Access-Accept

36 BYOD AuthZ Policy: Dual SSID, Select Employees using CWA
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Matched Rule = Open Rule: Send HTTP traffic to CWA Portal...
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
EmpWebAuth | if Employee & Guest-Flow | then Supp-Provision
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = GUEST) and PSN:
- RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=agent-redirect, [cisco-av-pair] = url-redirect = onidvalue&action=cwa

37 BYOD AuthZ Policy: Dual SSID, Select Employees using CWA
1. Any PEAP authentications: Send directly to Native Supplicant Provisioning.
2. Add CWA to Open SSID: Need to know who they are, and IF we should provision them.
Employee Authentication Succeeded: Send CoA, Start Native Supplicant Provisioning
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
EmpWebAuth | if Employee & Guest-Flow | then Supp-Provision
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = GUEST) and PSN:
- PSN: User != Guest. Self-Provisioning Flow Disabled; Continue normal CWA processing
- Change of Authorization Request
- CoA ACK/NAK
- RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=acl=nsp-acl, [cisco-av-pair] nidvalue&action=nsp

38 Setting-up BYOD Client Provisioning Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Profiling Posture 38

39 Client Provisioning Resources: Supplicant Provisioning Wizards
Policy > Policy Elements > Results > Client Provisioning > Resources
- Both Windows and Mac OS require Supplicant Provisioning Wizards
- Android devices must download application from Google Marketplace
- iOS devices leverage Apple Over The Air (OTA) updates
- All OSes require a Native Supplicant Profile

40 Client Provisioning Resources: Native Supplicant Profile
Policy > Policy Elements > Results > Client Provisioning > Resources
- Wired, Wireless or Both
- Specify SSID
- WPA or WPA2
- TLS or PEAP or EAP-FAST
- Optional settings for Windows clients if PEAP protocol selected

41 Client Provisioning Policy Policy > Client Provisioning OS User Supplicant 41

42 Setting-up BYOD SCEP Configuration Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Profiling Posture 42

43 ISE BYOD Certificate Configuration: SCEP Enrollment Profile and CA Certificate Import
Administration > System > Certificates > SCEP CA Profiles
The SCEP server certificate and the CA and RA (registration authority) certificates of the certificate chain for the SCEP server are automatically retrieved into the ISE trust store (Administration > System > Certificates > Certificate Store).

44 Setting-up BYOD Sample Policy Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Profiling Posture 44

45 BYOD AuthZ Policy: Post-Supplicant Provisioning
1. Trigger Native Supplicant Provisioning: PEAP-MSCHAPv2 (Single SSID), CWA to Open SSID (Dual SSID)
2. Reconnect using EAP-TLS
Matched Rule = PEAP: Redirect to Supplicant Provisioning
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = CORP) and PSN:
- RADIUS Access-Request: PEAP MSCHAPv2, EAP-ID = Employee1
- RADIUS Access-Accept: [cisco-av-pair] = url-redirect-acl=agent-redirect, [cisco-av-pair] = url-redirect = =SessionIdValue&action=nsp

46 BYOD AuthZ Policy: Post-Supplicant Provisioning
1. Trigger Native Supplicant Provisioning: PEAP-MSCHAPv2 (Single SSID), CWA to Open SSID (Dual SSID)
2. Reconnect using EAP-TLS
Supplicant Provisioning Completes: Send CoA (Session Terminate)
Rule Name | Conditions | Permissions
GUEST | if GUEST | then GUEST
Open Rule | if Wireless_MAB | then WEBAUTH
PEAP | if Network Access:EapTunnel EQUALS PEAP | then Supp-Provision
Employee | if Employee & EAP-TLS & Certificate SAN = MAC_Addr | then Employee
Default | If no matches, then Deny Access
Exchange between Employee (SSID = CORP) and PSN:
- NATIVE SUPPLICANT PROVISIONING
- Change of Authorization Request
- CoA ACK/NAK
- RADIUS Access-Request: EAP-TLS, CN = Employee1
- RADIUS Access-Accept

47 BYOD Authorization Policy Pulling it All Together Fully registered and provisioned BYOD employee Condition Session:Device-OS used to match on Android devices Use one rule or other NSP_CWA used to redirect specific network access users; CWA_NSP Redirect redirects to NSP all NA users. with Google Play access Redirect Employees running 802.1X PEAP to NSP on SSID=BYOD-802.1X Redirect Employees running CWA to NSP on SSID=BYOD-Open Redirect to CWA guest portal with NSP flow enabled 47
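
Added example (not part of the original slides, and not Cisco ISE code): a simplified Python model of the authorization rule table shown on slides 32 to 46, evaluated top-down with the first matching rule winning. It shows why a provisioned certificate whose SAN does not equal the connecting MAC address falls through to Default. The Session fields, helper names and the first-match ordering are assumptions of this example.

```python
"""Simplified first-match model of the deck's BYOD authorization rule table.

Added illustration only, not Cisco ISE code. Session fields and helper
names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts 00.0a.95.7f.de.06, 00-0A-95-7F-DE-06, 000a.957f.de06, 000a957fde06
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[.:-]?){5}[0-9A-Fa-f]{2}")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    if not value or not _MAC_RE.fullmatch(value.strip()):
        return None
    return re.sub(r"[.:-]", "", value.strip()).lower()


@dataclass(frozen=True)
class Session:
    calling_station_id: str               # endpoint MAC reported by the NAD
    method: str = "MAB"                   # "MAB", "PEAP" or "EAP-TLS"
    identity_group: Optional[str] = None  # "Employee", "GUEST" or None
    cert_san: Optional[str] = None        # SAN of the client certificate
    guest_flow: bool = False              # True after a successful CWA login


def san_matches_mac(s: Session) -> bool:
    """Certificate SAN = MAC_Addr: compare after normalizing both formats."""
    san = normalize_mac(s.cert_san)
    return san is not None and san == normalize_mac(s.calling_station_id)


# (rule name, condition, permission) in the order shown on slides 36-37.
RULES = [
    ("GUEST", lambda s: s.identity_group == "GUEST", "GUEST"),
    ("EmpWebAuth",
     lambda s: s.identity_group == "Employee" and s.guest_flow,
     "Supp-Provision"),
    ("Open Rule", lambda s: s.method == "MAB", "WEBAUTH"),
    ("PEAP", lambda s: s.method == "PEAP", "Supp-Provision"),
    ("Employee",
     lambda s: (s.identity_group == "Employee" and s.method == "EAP-TLS"
                and san_matches_mac(s)),
     "Employee"),
]


def evaluate(session: Session) -> Tuple[str, str]:
    """Return (matched rule, permission); no match means Deny Access."""
    for name, condition, permission in RULES:
        if condition(session):
            return name, permission
    return "Default", "Deny Access"


def single_ssid_onboarding(mac: str, issued_san: str) -> List[Tuple[str, str]]:
    """Slides 45-46: connect with PEAP, then reconnect with the certificate."""
    first = Session(mac, method="PEAP", identity_group="Employee")
    second = Session(mac, method="EAP-TLS", identity_group="Employee",
                     cert_san=issued_san)
    return [evaluate(first), evaluate(second)]


if __name__ == "__main__":
    mac = "00.0a.95.7f.de.06"  # MAC address shown on the slides
    print(single_ssid_onboarding(mac, "00-0A-95-7F-DE-06"))
    # Same certificate presented from a different device (constructed MAC):
    moved = Session("00.0a.95.7f.de.07", method="EAP-TLS",
                    identity_group="Employee", cert_san="00-0A-95-7F-DE-06")
    print(evaluate(moved))
```

Because the Employee rule binds the certificate SAN to the connecting MAC, a certificate copied to a second device does not match any rule in this model and the session is denied.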

48 ISE BYOD on-boarding Demo


50 Setting-up BYOD Posture Sample Policy SCEP Config Authentication Policy Client Provisioning Authorization Profile, Policy Posture Profiling 50

51 But What About MDM? The New Way: Best Practice Today (ISE 1.2)
- ISE: device access control, device profiling, BYOD on-boarding
- MDM (Mobile Device Manager): mobile device security control, device compliance, mobile application management, securing data at rest
ISE and MDM enforced mobile device compliance:
- Forces on-boarding to MDM with personal devices used for work
- Register but restrict access for personal devices not managed by MDM
- Quarantine non-compliant devices based on MDM policy
MDM cannot see non-registered devices to enforce device security, but the network can!
Version: 6.2, Version: 7.1, Version: 5.0, Version: 2.3

52 ISE 1.2 and MDM Integration
- MDM device registration via ISE
  o Non-registered clients redirected to MDM registration page
- Restricted access
  o Non-compliant clients will be given restricted access based on policy
- Endpoint MDM agent
  o Compliance
  o Device applications check
- Device action from ISE: device stolen -> wipe data on client
- Survivability: new attribute added

53 MDM Compliance Checking
Survivability Attribute
- ISE can query the MDM server using APIs
- Compliance based on:
  - Macro level: general Compliant or !Compliant status
  OR
  - Micro level: disk encryption enabled, PIN lock enabled, jail broken status
- MDM attributes available for policy conditions
- Passive Reassessment: bulk recheck against the MDM server using a configurable timer. If the result of a periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.

54 MDM Integration flow Registered? MyDevices ISE BYOD Registration Internet Only MDM Register ISE Portal Link to MDM Onboarding MDM Compliant ISE Portal for MDM non-compliance Access-Accept 54

55 MDM Authorization Policy Rules Registration and Compliance ISE Registered MDM Registered Encryption PIN Locked Jail Broken Jail Broken PIN Locked 55

56 MDM Integration Ability for administrator and user in ISE to issue remote actions on the device through the MDM server (eg: remote wiping the device) MyDevices Portal Endpoints Directory in ISE Options Edit Reinstate Lost? Delete Full Wipe Corporate Wipe PIN Lock 56

57 ISE and MobileIron MDM Integration

59 ISE and Airwatch MDM Integration

61 ISE and Good's Technology MDM Integration

63 ISE and Zenprise MDM Integration

65 MDM Configuration ADD MDM Server Authorization Profile, Authorization Policy

66 MDM Connection Screen: Adding MDM Server to ISE
- Must first add the MDM server certificate (signing CA cert) to the ISE CA certificate trust store
- Instance Name: currently used by Zenprise only. This field is for multi-tenant MDMs

67 MDM Onboarding Authorization Profile
- Same MDM Redirect used for both:
  - Registration with MDM Server
  - Compliance and Remediation with MDM Server policy
- Redirect ACL must allow access to MDM Server and remediation resources
- Remediation may include access to Apple App Store and Google Play (Android) to access MDM agents
- MDM Redirect is a Common Task under Web Redirection

68 Sample Authorization Policy
- If Employee but not registered with ISE (Endpoints: BYODRegistration EQUALS No), then start NSP flow
- If Employee and registered with ISE (Endpoints: BYODRegistration EQUALS Yes), then start MDM flow

69 Tracking Devices by User and Registration Status Administration > Identity Management > Identities > Endpoints 69

70 Reporting Mobile Device Management Report 70

71 Fast SSID Change: WLC Configuration
Problem Statement: Unable to join another network while connected to one. Occurs when quickly switching between SSIDs, such as with BYOD in a Dual SSID network.
Solution: Enable Fast SSID Change on the WLC (Controller > General > Fast SSID Change)
Note: [CSCub00341] Fast SSID Change can bypass NAC RADIUS when switching SSIDs
* Fixed in WLC 7.3 and

72 URL Redirection Considerations: Apple Captive Network Assistant (CNA)
Problem Statement: URL redirection on Apple devices may fail due to Apple CNA.
Background on CNA:
- Apple iOS feature that facilitates network access when a captive portal requiring login is present, by automatically opening a web browser in a controlled window.
- The feature attempts to detect the presence of a captive portal by sending a web request upon WiFi connectivity to
- If a response is received, Internet access is assumed and there is no further interaction.
- If no response is received, Internet access is assumed to be blocked by a captive portal and CNA auto-launches the browser to request portal login in a controlled window.
Solutions:
1. Disable Auto-Login under WLAN settings (requires user knowledge and interaction)
2. Configure WLC to bypass CNA:
> config network web-auth captive-bypass enable
Command available in WLC 7.2:

73 Client Provisioning Resources Register Device Only Option (No Supplicant Provisioning) Administration > System > Settings > Client Provisioning If no matching Native Supplicant Provisioning policy for device, then continue with regular flow. 73

74 SGA Secure Group Access SOURCE DESTINATION VLAN VLAN Wired Wireless VPN VLAN VLAN 74

75 Policy and Segmentation Design needs to be replicated for floors, buildings, offices, and other facilities. Cost could be extremely high ACL Aggregation Layer VLAN Addressing DHCP Scope Redundancy Routing Static Filtering Access Layer Quarantine Voice Data Suppliers Guest Simple More Policies Segmentation using more with 2 VLANs 75

76 Segmentation with Security Group Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers Aggregation Layer Data Center Firewall Data Tag Supplier Tag Guest Tag Quarantine Tag Access Layer Voice Data Suppliers Guest Quarantine Retaining initial VLAN/Subnet Design 76

77 Secure BYOD: After on-boarding with SGT Segmentation using Security Group, independent from topology DC-PCI-DB BYOD Tag POS Tag Audit Tag Offload filtering to ASA for rich and scalable policy rule automation Source Destination Action IP Sec Group IP Sec Group Service Action DC-PCI-Web Local PCI Server Simplified network design, lowering Any Payment System Any DC-PCI-Web, Local PCI Server operational cost Campus WLAN BYOD Device Any Internet HTTP Allow HTTPS Allow Any Audit Any DC-PCI-DB TCP Allow Any Any Any Any Any Deny SGACL/FW Device WLC VLAN Internet ISE Single VLAN CAPWAP Tunnel BYOD Device Payment System Audit 77

78 ASASM / ASA55xx SG-based Firewalling SGT Defined in the ISE or locally defined on ASA Use Destination SGT received from Switches connected to destination resources Trigger IPS/CX based on SGT Use Network Object (Host, Range, Network (subnet), or FQDN) 78

79 Key Takeaways
The key takeaways of this presentation were:
- ISE provides consistent policy for wired, wireless and VPN
- Use cases that ISE addresses are:
  - Secure Access
  - BYOD
  - Guest
  - Secure Group Access

80 BYOD Configuration Resources For Your Reference BYOD Deployment Guides posted to Design Zone on Cisco.com: BYOD: Using Certificates for Differentiated Access (PDF - 4 MB) BYOD: On-Boarding and Provisioning (PDF - 4 MB) MDM Deployment Guides (Coming soon!) 80

81 Support Resources ISE Product - TrustSec - TrustSec Design and How-To Guides: ISE Demos dcloud BYOD Hosted Demos Free NFR Lab Software for Partners (1.1.1 Available) Cisco Marketplace - $35 VMware image, perpetual license, 20 endpoints PDI Helpdesk - Webpage: Program-related questions: pdihd-bn@cisco.com Your Cisco PDM and CSE 81

82 Additional Resources

83 More Resources ISE / TrustSec How-To Guides: ne_trustsec.html 83


More information

The Context Aware Network A Holistic Approach to BYOD

The Context Aware Network A Holistic Approach to BYOD The Context Aware Network A Holistic Approach to BYOD Trends Bring Your Own Device BYOD at Cisco Cisco BYOD Solution Use Cases Summary Trends #CiscoPlusCA Demand for Mobility 15 billion new networked mobile

More information

BYOD: BRING YOUR OWN DEVICE.

BYOD: BRING YOUR OWN DEVICE. white paper BYOD: BRING YOUR OWN DEVICE. On-BOaRDING and Securing DEVICES IN YOUR Corporate NetWORk PrepaRING YOUR NetWORk to MEEt DEVICE DEMaND The proliferation of smartphones and tablets brings increased

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 5 Inline

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

Cisco ISE Features Cisco ISE Features

Cisco ISE Features Cisco ISE Features Cisco ISE Overview, on page 2 Key Functions, on page 2 Identity-Based Network Access, on page 3 Support for Multiple Deployment Scenarios, on page 3 Support for UCS Hardware, on page 3 Basic User Authentication

More information

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE Bhumik Patel Solutions Architect, Citrix Systems May 21 st 2013 App Complete Enterprise Mobility Business Apps Productivity and Collaboration

More information

Manage Authorization Policies and Profiles

Manage Authorization Policies and Profiles Cisco ISE Authorization Policies, on page 1 Cisco ISE Authorization Profiles, on page 1 Default Authorization Policies, on page 5 Configure Authorization Policies, on page 6 Permissions for Authorization

More information

ClearPass Design Scenarios

ClearPass Design Scenarios ClearPass Design Scenarios Austin Hawthorne Feb 26, 2015 Agenda 1. Better user experience and tighter security, is that possible? 2. Employees on Guest Network 3. The headless device dilemma 2 CONFIDENTIAL

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Manage Authorization Policies and Profiles

Manage Authorization Policies and Profiles Manage Policies and Profiles Cisco ISE Policies, page 1 Cisco ISE Profiles, page 1 Default, Rule, and Profile Configuration, page 5 Configure Policies, page 9 Permissions for Profiles, page 12 Downloadable

More information

Posture Services on the Cisco ISE Configuration Guide Contents

Posture Services on the Cisco ISE Configuration Guide Contents Posture Services on the Cisco ISE Configuration Guide Contents Introduction Prerequisites Requirements Components Used Background Information ISE Posture Services Client Provisioning Posture Policy Authorization

More information

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? Volume: 385 Questions Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? A. tcp/8905 B. udp/8905 C. http/80 D. https/443 Answer: A Question:

More information

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X)

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) The goal of the course is to provide students with foundational knowledge in the capabilities and functions of the IEEE 802.1x

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2

Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2 Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2 September, 2013 1 Contents This document includes the following sections: 1 Contents 1 2 Background 1 2.1 Captive Bypassing on

More information

ISE Identity Service Engine

ISE Identity Service Engine CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

Wireless BYOD with Identity Services Engine

Wireless BYOD with Identity Services Engine Wireless BYOD with Identity Services Engine Document ID: 113476 Contents Introduction Prerequisites Requirements Components Used Topology Conventions Wireless LAN Controller RADIUS NAC and CoA Overview

More information

Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy

Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy Kevin Redmon System Test Engineer Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The

More information

Cisco Secure Access Control

Cisco Secure Access Control Cisco Secure Access Control Delivering Deeper Visibility, Centralized Control, and Superior Protection Martin Briand - Security Escalation VSE Global Virtual Engineering Oriol Madriles Soriano Security

More information

ISE Version 1.3 Hotspot Configuration Example

ISE Version 1.3 Hotspot Configuration Example ISE Version 1.3 Hotspot Configuration Example Document ID: 118741 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 11, 2015 Contents Introduction Prerequisites Requirements Components

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture Service Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance

More information

Cisco.Actualtests v by.Ralph.174.vce

Cisco.Actualtests v by.Ralph.174.vce Cisco.Actualtests.300-208.v2015-07-08-2015.by.Ralph.174.vce Number: 300-208 Passing Score: 848 Time Limit: 120 min File Version: 1.0 Implementing Cisco Secure Access Solutions Version: 6.0 Went through,

More information

Cisco.Actualtests v by.Ralph.174.vce

Cisco.Actualtests v by.Ralph.174.vce Cisco.Actualtests.300-208.v2015-07-08-2015.by.Ralph.174.vce Number: 300-208 Passing Score: 848 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Implementing Cisco Secure Access Solutions

More information

Written to Realised Security Policy

Written to Realised Security Policy Written to Realised Security Policy Yuval Shchory Manager, Product Management, SBG #clmel Session Abstract From ISE 1.3 This session covers the building blocks for a policy-based access control architecture

More information

Create Custom Guest Success Pages by Active Directory Group with Cisco Identity Services Engine 1.2

Create Custom Guest Success Pages by Active Directory Group with Cisco Identity Services Engine 1.2 Create Custom Guest Success Pages by Active Directory Group with Cisco Identity Services Engine 1.2 Secure Access How-To Guide Series Date: December 18, 2014 Author(s): Imran Bashir, Jason Kunst & Hsing-Tsu

More information

Set Up Cisco ISE in a Distributed Environment

Set Up Cisco ISE in a Distributed Environment Cisco ISE Deployment Terminology, page 1 Personas in Distributed Cisco ISE Deployments, page 2 Cisco ISE Distributed Deployment, page 2 Configure a Cisco ISE Node, page 5 Administration Node, page 8 Policy

More information

Central Web Authentication on the WLC and ISE Configuration Example

Central Web Authentication on the WLC and ISE Configuration Example Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization

More information

Paradigm shift in Business World

Paradigm shift in Business World Paradigm shift in Business World Private mobile device usage influences business world! Yesterday BYOD was trendy and fancy clear cut between private/business usage Today BYOD/CYOD simply is mobile device

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Deploying Cisco ISE for Guest Network Access

Deploying Cisco ISE for Guest Network Access Deploying Cisco ISE for Guest Network Access Jason Kunst September 2018 Table of Contents Introduction... 4 About Cisco Identity Services Engine (ISE)... 4 About This Guide... 4 Define... 6 What is Guest

More information

P ART 2. BYOD Design Overview

P ART 2. BYOD Design Overview P ART 2 BYOD Design Overview CHAPTER 2 Summary of Design Overview Revised: August 7, 2013 This part of the CVD describes design considerations to implement a successful BYOD solution and different deployment

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Mobile pushes Black Friday Shopping

Mobile pushes Black Friday Shopping Mobile pushes Black Friday Shopping How? Adding Wi-Fi to key stores Expanding mobile app offerings Optimizing Web sites for small screens Location based promotions Result? 24% of every online sales dollars

More information

Forescout. Configuration Guide. Version 4.4

Forescout. Configuration Guide. Version 4.4 Forescout Version 4.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

ISE. Profilování typů koncových zařízení. Cisco Expo T-SECA2 Jiří Tesař Cisco

ISE. Profilování typů koncových zařízení. Cisco Expo T-SECA2 Jiří Tesař Cisco Cisco Expo 2012 ISE Profilování typů koncových zařízení T-SECA2 Jiří Tesař Cisco Cisco Expo 2012 Cisco and/or its affiliates. All rights reserved. 1 Twitter www.twitter.com/ciscocz Talk2cisco www.talk2cisco.cz/dotazy

More information

802.1x Port Based Authentication

802.1x Port Based Authentication 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation

More information

Set Up Cisco ISE in a Distributed Environment

Set Up Cisco ISE in a Distributed Environment Cisco ISE Deployment Terminology, page 1 Personas in Distributed Cisco ISE Deployments, page 2 Cisco ISE Distributed Deployment, page 2 Configure a Cisco ISE Node, page 5 Administration Node, page 8 Policy

More information

User-to-Data-Center Access Control Using TrustSec Design Guide

User-to-Data-Center Access Control Using TrustSec Design Guide CISCO VALIDATED DESIGN User-to-Data-Center Access Control Using TrustSec Design Guide October 2015 REFERENCE NETWORK ARCHITECTURE Table of Contents About This Document... 1 Cisco TrustSec Overview... 2

More information

Architecting Network for Branch Offices with Cisco Unified Wireless

Architecting Network for Branch Offices with Cisco Unified Wireless Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth - Sr. Technical Marketing Engineer Objective Design & Deploy Branch Network That Increases Business Resiliency 2 Agenda Learn

More information

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee ACCP-V6.2Q&As Aruba Certified Clearpass Professional v6.2 Pass Aruba ACCP-V6.2 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money Back

More information

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology Author: John Eppich Table of Contents About this Document... 3 Introduction

More information

Introducing Cisco Identity Services Engine for System Engineer Exam

Introducing Cisco Identity Services Engine for System Engineer Exam Introducing Cisco Identity Services Engine for System Engineer Exam Number: 650-474 Passing Score: 800 Time Limit: 120 min File Version: 4.1 http://www.gratisexam.com/ Cisco 650-474 Introducing Cisco Identity

More information

Securing BYOD with Cisco TrustSec Security Group Firewalling

Securing BYOD with Cisco TrustSec Security Group Firewalling White Paper Securing BYOD with Cisco TrustSec Security Group Firewalling Getting Started with TrustSec What You Will Learn The bring-your-own-device (BYOD) trend can spur greater enterprise productivity

More information

ISE with Static Redirect for Isolated Guest Networks Configuration Example

ISE with Static Redirect for Isolated Guest Networks Configuration Example ISE with Static Redirect for Isolated Guest Networks Configuration Example Document ID: 117620 Contributed by Jesse Dubois, Cisco TAC Engineer. Apr 23, 2014 Contents Introduction Prerequisites Requirements

More information

Troubleshooting Cisco ISE

Troubleshooting Cisco ISE APPENDIXD This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine

More information

Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs

Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs Contents Introduction Prerequisites Requirements Components Used DNS Based ACL Process Flow Configure WLC Configuration

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

ISE Express Installation Guide. Secure Access How -To Guides Series

ISE Express Installation Guide. Secure Access How -To Guides Series ISE Express Installation Guide Secure Access How -To Guides Series Author: Jason Kunst Date: September 10, 2015 Table of Contents About this Guide... 4 How do I get support?... 4 Using this guide... 4

More information

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals.

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals. Cisco 650-472 S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals http://killexams.com/exam-detail/650-472 QUESTION: 60 Which two elements must you configure on a Cisco Wireless

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 642-737 Title : Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0 Vendor : Cisco Version : DEMO Get

More information

Secure wired and wireless networks with smart access control

Secure wired and wireless networks with smart access control Secure wired and wireless networks with smart access control Muhammad AbuGhalioun Senior Presales Consultant Hewlett-Packard Enterprise Aruba Saudi Arabia Managing risk in today s digital enterprise Increasingly

More information

Pulse Policy Secure X Network Access Control (NAC) White Paper

Pulse Policy Secure X Network Access Control (NAC) White Paper Pulse Policy Secure 802.1X Network Access Control (NAC) White Paper Introduction The growing mobility trend has created a greater need for many organizations to secure and manage access for both users

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Cisco Identity Services Engine

Cisco Identity Services Engine Data Sheet Enterprise networks are more dynamic than ever before, servicing an increasing number of users, devices, and access methods. Along with increased access and device proliferation comes an increased

More information

Cisco Identity Services Engine (ISE) Mentored Install - Pilot

Cisco Identity Services Engine (ISE) Mentored Install - Pilot Cisco Identity Services Engine (ISE) Mentored Install - Pilot Skyline Advanced Technology Services (ATS) offers Professional Services for a variety of Cisco-centric solutions. From inception to realization,

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller.

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller. Volume: 98 Questions Question: 1 Based on the ClearPass and Aruba Controller configuration settings for On boarding shown, which statement accurate describes an employee's new personal device connecting

More information

TITLE GOES HERE RUCKUS CLOUDPATH ENROLLMENT SYSTEM. The only integrated security and policy management platform that delivers: COMPRISED OF:

TITLE GOES HERE RUCKUS CLOUDPATH ENROLLMENT SYSTEM. The only integrated security and policy management platform that delivers: COMPRISED OF: CASE STUDY Ruckus Enrollment System (ES) software is a security and policy management platform that enables IT to easily and definitively secure the network, secure users and secure wired and wireless

More information

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE REVISION HISTORY Revised By Date Changes Dennis Boas Aug 2016 Version 1 initial release 1344 CROSSMAN AVE SUNNYVALE, CA 94089 1.866.55.ARUBA T: 1.408.227.4500

More information

TrustSec (NaaS / NaaE)

TrustSec (NaaS / NaaE) TrustSec (NaaS / NaaE) per@cisco.com Security on top of the mind for our customers 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page Node Types and Personas in Distributed Deployments, page Standalone and Distributed ISE Deployments, page 4 Distributed Deployment

More information