Introducing Juniper Mist Access Assurance (NAC)
Juniper has introduced the first cloud-native access assurance service driven by Mist AI. Discover how Juniper Mist Access Assurance combines full network access control (NAC) and policy enforcement to simplify network operations.
You’ll learn
The evolution of network access control
How Mist Access Assurance works and benefits organizations by shattering NAC legacy complexity
Transcript
0:10 exactly about a year ago we came and talked about IoT Assurance, one of the
0:15 solutions that allows you to do cloud-scale PPSK with unmatched visibility, key lifecycle management, policy, traffic
0:22 engineering. At that time we also showed you a very sneak preview of what we were building
0:28 up to and I'm really super stoked and excited to be here uh to launch the
0:33 Mist Access Assurance solution. As you heard from Tom uh it came about from the
0:39 WiteSand acquisition that Juniper did back in 2021 but last year we said we were going to be intentional about
0:46 integrating it the right way, do it the right way, and I'm happy to be here
0:52 saying that we have actually done it, accomplished it. I'm going to turn it over to Slava. Slava has been one of the
0:58 product champions and and uh and a lead on the product team uh that has carried
1:03 that vision forward up until up until this stage and I'm going to be Slava's able-bodied assistant for the next 45
1:10 minutes so take it away Slava. So I'm Slava, part of the Juniper Mist
1:15 product management team and today we're going to talk about NAC. Before we will start talking about NAC we will
1:22 actually talk about some history and what you'll see is the time chart and we will talk about how NAC evolved over
1:29 in the past well almost 20 years and how at the same time different NAC use cases
1:34 have evolved right that's going to be important for uh you know how we got here moment basically so if we started
1:42 the early 2000s back then uh you know we only had corporate access use cases and
1:47 you see a laptop there but it's actually not a laptop it's supposed to be a workstation that we used to plug in uh
1:53 you know you know a wired port and back in the day back in the day Cisco ACS was
1:58 number one product right that was the AAA server that started all the way from authenticating dial-up modem users but
2:05 then when we look at 2007 we see iPhone introduction and then people started to
2:11 you know to want to get guest Wi-Fi access at the same time we see additional products coming out from
2:18 Cisco back in the day like NAC Guest, NAC Profiler we see Amigopod doing the same thing to address that guest access
2:25 use case and then we have BYOD we have iPad introduction at that time
2:31 people realize that oh actually we can bring our personal devices to work and do the work we are working on so BYOD use
2:38 case at this point we see Aruba acquires Amigopod and then the the guest
2:44 access BYOD solution and profiling solution and takes it over now 2011 this
2:51 is where you know there was an idea okay why don't we combine all these multiple
2:57 standalone solutions into one well welcome to Cisco ISE in 2011 and
3:03 followed by ClearPass in 2012 doing the exact same thing just combining the Amigopod
3:08 product and another AAA service what we then see is around that same
3:15 time you see a new track we see a very slow start of cloud-based identity
3:20 services right we see the emerging of Azure AD and an Okta cloud directory
3:27 services that's a slow start but this is when it started and later on we see in
3:32 2015-ish we see the explosion of IoT devices right but what we see at the top
3:40 really we see a lot of upgrades a lot of lots of features being added to the existing
3:45 products but fundamentally architecturally we don't see a lot of a change so that leaves us in here right
3:53 so this is where we are if you look at the left hand side you see that a
3:59 typical AAA server that you see today it over time the features have been added
4:05 uh all the integration have integrations have been built on and they're all part
4:10 of the same monolithic single server architecture right so backend scripting
4:16 feature dependencies grow it becomes harder and harder to maintain this within the same server if you then look
4:23 at the right hand side this is a typical NAC deployment at any scale you need to
4:29 deploy multiple server appliances or VMs that would do the heavy lifting the
4:34 authentication you'll need to have some clustering on top to manage the whole deployment and today this is
4:42 actually a customer problem to solve it's a design for redundancy for scale
4:47 or high availability and if you have you know a global
4:52 deployment with different geo regions you need to think about latency you need to think about all of that
4:58 plus what about feature upgrades software patches security patches right
5:04 today that's a that's a typical uh challenge and typical problem in a
5:10 NAC deployment right and with all that today NAC solutions are
5:17 alien to the network right they're an overlay solutions most of the time there
5:22 is nothing that that exists within the network today that could merge the two worlds together
5:28 so what do we do we will Mistify NAC
5:35 so we are solving all of these challenging challenges right we are
5:41 replacing that with Mist Access Assurance service that is integral part of the
5:47 Mist Cloud it's native to the Mist Cloud it's tightly integrated into the network
5:52 and network operations it's microservices based it's geo-aware
5:58 and you know everything that you knew and loved about the Mist Cloud is now extended to authentication service that
6:05 we are that we're launching today let's actually go and take a look at the
6:11 demo switch to our demo it's
6:17 full screen now I said it's natively integrated into the
6:23 Mist Cloud so voila what we have here is you see wireless
6:29 you have wired and SD-WAN network operations we're now adding Access
6:34 Assurance as a new service to actually have full-stack network operations you're
6:40 adding NAC and AAA services right within that same cloud interface now how do we how do we
6:50 configure it how do we use it one of the challenges we've seen traditionally with any existing
6:57 authentication service is the complexity associated with configuration complexity
7:04 associated with a deployment typically that means you need to have an expert on the team that that understands all the
7:11 various vendors of RADIUS how to integrate this with you know external identity sources all of that now all we
7:18 are doing is we're simplifying this into an authentication policy builder that
7:25 gives you the flexibility but allows you to actually understand what you're doing
7:31 and allows you to read what you've done if you come back to this a year from now so what we're doing here is
7:38 on the left hand side we are matching on certain criteria and certain conditions so we're trying to identify what type of
7:45 device what type of user is trying to connect to our network for example let's take a look at rule number seven we're
7:52 looking if it's a wireless user if the client is using TLS or certificate-based
7:57 authentication to connect if the certificate of that client is either issued by Juniper or another CA
8:05 that we've specified here and that user is part of employee group in the
8:10 identity provider if all of these conditions match then we move to the right hand side and we're saying okay
8:16 what do we want to do with them we want to allow them on the network great we also want to move them to a specific
8:22 VLAN right that would be a VLAN with a name that could also be a GBP tag if
8:29 you want to do a micro segmentation on top of that and we can assign a role right to apply a policy later on so
8:36 everything that you see here is driven from that one uh one screen how do you
8:43 assign those conditions is so we have a concept of labels that you could select
8:49 from the labels that you've already created before or you could create a label right from here for example you
8:56 may want to look at a specific directory attribute maybe you just want to look at finance users right so you could
9:04 select the label type directory attributes that group and just say I'm looking for
9:09 anything that matches finance group that's it then you will go and select it
9:15 right from here easy now that's all great so how do we turn
9:22 this on for say our wireless network how we turn it on for
9:28 802.1X SSID so if we move over to a wireless template typically when you're
9:35 looking at configuring a dot1X SSID you you need to go to your
9:41 authentication server so you need to add each and every RADIUS server one by one
9:47 configure the right shared secret add each and every AP as the RADIUS client that's tedious work
9:53 it's creating a lot of issues a lot of mismatches lots of you know customer
10:00 complaints and customer tickets what do we do with our service well we select Mist authentication service
10:06 that's it it automatically programs all the APs it automatically tells them how to reach
10:13 the authentication service and that authentication will always be geo-aware so
10:18 you know depending on where the APs are they will always hit the uh the local authentication service okay
10:26 but second issue now
10:31 what about visibility so one of the things for us and when we say
10:39 you know we're launching an integrated uh cloud authentication service into
10:46 the network we also want to have integrated experience when it comes to visibility so when we look at the client
10:52 insights we want to see okay how do you validate that the user is actually able to
10:59 authenticate or authorize and get on the network and be able to pass traffic
11:05 I don't want to jump between 10 different products 10 different screens I don't want to look at logs in this
11:11 place that place to find that out I want to look at a history of a specific user
11:17 connectivity experience and take a look at what's happening well what we've done is we've extended our client insights our
11:25 the you know event stream that we've already had to our Access Assurance service so what
11:32 we are doing here is okay we are looking at all the historical connection stages
11:38 the client went through so client in this case it's using certificate to authenticate presenting its certificate
11:43 then it trusts the server certificate but then we are doing an IdP lookup in
11:48 this case we are using Okta we're directly talking to Okta to fetch the user group membership information we
11:54 want to make sure that the user account is still valid all of these things right so we're getting all the roles from from
12:00 Okta for this given user finally we're saying this client is allowed access to
12:07 our network we're assigning a specific VLAN we're assigning a role that we can
12:12 later on apply as a policy and then you can also validate all the uh all the
12:19 next stages of connection as the client actually goes onto the network gets the IP from the right from the right VLAN as
12:26 assigned by the NAC and is able to pass traffic right all everything in one
12:31 place but what you also see here is oh in this client allowed access event I see
12:37 this auth policy so if I click on it we're actually telling you okay this particular user
12:44 hit this specific authentication policy okay
12:50 so this is how we can uh we can integrate this into the event stream
12:57 okay so you say that's that's all nice but you know things are working fine
13:02 what if things are not working quite as expected so
13:07 historically if we look at just you know events and data that we're
13:12 gathering from what the AP can see on on the wireless side or what switch can see on the wired side if the client is
13:20 failing dot1X authorization well we're saying we got the reject so that's all we know
13:25 and then since we never control the other side we we had limited visibility
13:31 into that uh into that piece now with Access Assurance under our control we
13:38 have the full picture right in this case we are actually seeing the client is failing to authorize because the client
13:44 doesn't have the server certificate that's it right this is our one-stop shop we're saying this particular user is
13:51 having a problem because it doesn't trust the server certificate go and fix the client configuration done
13:59 okay you would say that's all good but I don't want to go through all the events
14:05 and scroll through them and to find out what's what what was the issue it's fine let's go and maybe talk to
14:13 Marvis maybe let's try and find out you know is there a simpler way to troubleshoot
14:19 issues right so what we could do is we could try asking Marvis what was the
14:25 issue with say Slava oh last Thursday
14:33 okay oh there we go so immediately uh Marvis
14:40 went through all of the data we have it found the specific user that matches
14:46 specific username it went through all the events all the raw data that it showed us previously and now it can give
14:53 you an answer okay that particular client it had an authorization issues because
14:59 of the client cert that was that was expired at that time that's it
15:06 okay and obviously since we know we're
15:11 troubleshooting this on a per user basis the next logical step is how do we
15:16 expand this into Marvis Actions how do we uh how do we troubleshoot things
15:22 at scale how do we find issues that are affecting groups of users how to how do
15:28 we find issues that are affecting maybe uh as a specific site or maybe you just
15:34 something as simple as let's find some persistently failing clients let's find
15:39 some top offenders that are continuously hitting our network with authentication requests and they're continuously failing so in this case we can just say
15:47 okay this particular client is trying to uh trying to authenticate to to a
15:54 network all the time and it's continuously failing you know please please go and check or if you have
16:01 you know authentication failure at scale Marvis Actions will be able to grab this grab this and find out and
16:08 highlight where you need to look at so um Slava, Raymond here I have several
16:13 people asking uh from the online community asking how about the integration or compatibility with eduroam
16:23 eduroam is work in progress we are you know we are we are planning to we
16:29 are planning to support eduroam as of today we're still we're still
16:34 working on that so most likely by most likely by end of the year
16:41 excellent um uh Slava my questions are revolving around just the functionality
16:46 of putting NAC and RADIUS into the cloud historically speaking there's been uh challenges around latency and then uh
16:53 availability in the event of an internet failure how are you solving those problems
16:58 so there are two things there one is I'll I'll start from the latency
17:04 first so we build a geo-aware service that means that if you let's say you have
17:10 sites in Europe and United States on East Coast and West Coast the APs from each geo region will be
17:19 automatically redirected to the nearest authentication service pod that we have
17:24 deployed right that that process is automatic this way you get the uh the best the
17:31 best latency actually the least the least latency when it comes to authentication yeah uh that's number one
17:37 that that also that also is true in case of let's say something happens to a
17:43 specific uh you know authentication service cloud say in uh United States on
17:50 the East Coast there is always another one to fail over to right so we are definitely taking this very very seriously
17:56 from uh from a perspective that this is a mission critical service right because this is not that for example your AP is
18:04 not connected to the cloud well you're just losing management this is right in in the client data path right we we want
18:11 to make this right this is where the the architecture is very important well so I guess so I guess let's just
18:18 get right down to it right I've got a site that's on a crappy internet connection that has a 300 millisecond latency out to the internet how on earth
18:25 are you going to expect them to authenticate in a reasonable amount of time if your RADIUS services are on the other side of that connection do you do
18:31 any proxying on site do you do any caching do you do any anything at all to make that burden lighter
18:40 right now we are relying on the fact that we have global we will have global
18:45 presence right so we will uh have the uh the closest pod near to you if you
18:51 have a crappy internet connection uh define crappy right and like nowadays
18:58 we talked to when we talk to customers some of them have like three to five to
19:03 seven redundant internet connections internet connection is not one right because that's also the historical uh
19:10 historical thing when when you talk about RADIUS specifically um latency people were thinking when
19:17 like MPLS and things like that because it's sending this over to the data center in our case this is pure pure internet
19:25 traffic the the other thing is our transport our authentication is done using RadSec
19:33 so we are not we are not suffering from any uh MTU issues loss issues because
19:38 it's so it's all TCP based right we we control that that link and
19:44 so let's say that answers answers some of it okay thank you
19:53 is there another certificate uh you have to deploy down to the clients to trust your RADIUS environment
20:00 so uh by default we will use our own certificate that's signed by your uh
20:06 your Mist organization CA if you would like us to present your uh your
20:13 your certificate to to the client so you can import your custom server cert into
20:19 into the dashboard we'll just present that
20:24 the options and just to piggyback off Sam there's no
20:30 um way to have the access point in the event of an internet failure or the access point just fail open or just kind
20:36 of accept all connections or kind of handle that but uh in in the in case of
20:44 wireless there is no mechanism of fail open on that one actually unfortunately right unless you you host the RADIUS
20:50 server somewhere uh so the answer is no so when when there is a loss of internet
20:56 connectivity the currently connected clients will stay connected and the clients that are roaming they will keep
21:02 roaming that's not changing only the new new connections would uh would be affected
21:08 at that point in case of the wired switching right in case of the wired
21:13 device is obviously there is a fail-open logic because you know wired allows us to do that there is also caching
21:21 caching option on the switch that you will you will be able to do but fail open is there
21:27 so currently the it's the first implement the first phase is this is just wireless right wired is not here is
21:33 that correct but wired is there wired is there it should have actually showed
21:39 showed this so wired how do you think we configure wired ports well you go to the
21:46 switch template and voila your authentication server is Mist authentication same as with the uh well
21:52 you know uh with the wireless SSID right same thing we support this on the
21:59 we support this on uh EX switches that that we manage and then you would go to
22:05 your port profiles you would create let's say a secure port profile where you would enable dot1X and MAB
22:12 you assign it to all of your front-facing ports and then at that point uh NAC will decide which VLAN to
22:20 assign to to which client and which user based on its identity one more one more question
22:27 um will you offer this as a third-party service to other vendors as
22:32 well to other parties so what we are what we're doing is for
22:39 third-party infrastructure that that we are not managing directly uh we will we
22:46 will leverage the Mist Edge as the uh as the authentication proxy platform so
22:52 you what you will be able to do is say go to your Mist Edge enable Mist
22:57 authentication proxy at that point you could point your existing third-party
23:03 infrastructure to the Mist Edge as your RADIUS server from there Mist Edge will take it over and send it to the
23:08 cloud and for for authentication okay but that's going to be your your gateway your your you know
23:15 authentication proxy into third-party vendors okay and so follow up on that will there
23:22 be a certification for this as an education in the education path
23:32 oh great question so what we've actually done today I think it's or it must be
23:38 online now we've launched a new Access Assurance course on the Mist courses you should be able to see it now and it
23:46 should be assigned to everybody uh and yeah at some point definitely we will
23:51 you know we will take a take a look at the actual official certification
23:58 um so back to Sam's point you're using Mist Edges as an authentication proxy
24:03 for third party why can't we do that with first party
24:08 that's that's all Sam's complaining about about a good weak internet connection
24:14 okay so I'm not gonna you know commit to anything yet let's see so we are we're
24:22 we're looking at this product and we we have to be focused right so first we are
24:28 looking at the architecture we need to solve this architectural problem how to deploy this in the cloud so it scales so
24:36 you know it's it's reliable uh it's a reliable service then we add add features on top of that
24:45 okay and if I may just as a proxy is a proxy if I may just add one more point
24:51 cover uh to uh to the question is basically uh Juniper switches uh Mist
24:57 access points all support RadSec natively right so it's fairly simple for us to put the architecture in where we
25:04 need natively terminate RadSec connections from our infrastructure what do we do for third party some of the
25:10 third party vendors do support RadSec some don't that is why we mandatorily uh
25:16 commit to putting in a Mist Edge over time as Slava kind of alluded to Mist Edge
25:21 could be a caching proxy as well for all services but right now like to to Sam's
25:27 point if you really have a flaky WAN link and like you know if you're if you have a WAN outage today if you in a
25:34 distributed like you know environment and fractional T1 lines you're really like
25:39 you know deep in the water uh with with with WAN uh issues in that case like
25:46 you know what would you do your only solution is to put caches like in a cached RADIUS servers on
25:53 site correct in my instance I'm talking about a DIA circuit that's a 50 meg circuit from Charter that has well over
25:59 300 millisecond latency before it even leaves the Charter network I've already picked up about 300 milliseconds so I'm
26:06 not talking about frac T1s or you know really old stuff ISDN lines right I'm talking about high bandwidth circuits
26:13 that are also high latency uh the only thing I will say now uh Sam is that in
26:18 in some of the POCs we have done uh there have been customers over the ocean
26:24 uh terminating their RadSec connections like you know out into our our uh the
26:30 NAC service authentication service without any perceptible latency uh I'm going to leave it at that and say that
26:36 in the future there might be some evolution right thanks and and let me add to that so you
26:44 know we've actually uh we've actually tried this by you know doing uh doing
26:51 authentication from Australia since you know all the way to to the West Coast all the way to the East Coast with the
26:58 almost 400 millisecond delay so that authentication happens flawlessly every time I'm not worried about you yeah
27:06 just just you know with uh the latency part I'm not worried about the authentication happening I'm worried
27:12 about a voice over IP a voice over IP over wireless client that's roaming from my AP to another AP that needs to go out
27:18 and re-auth you know you do a 400 millisecond roam that's just garbage right
27:24 right yeah I agree uh just but you know for for roaming scenarios I think we're
27:31 slowly but surely moving to you know uh to 802.11r cases where you're bypassing
27:38 everything right so you authenticate once and then when you roam you skip you
27:43 skip all of that including the full auth for the licensing on the Mist Edge
27:49 when you're using as a proxy will that be something separate or separate licensing method will be the same exact
27:55 pricing what it is right now uh so this is uh obviously this is
28:01 a service that will require a subscription the subscription will be based on the concurrently uh active
28:08 number of clients that we see over a week period and the only thing we're we are looking
28:13 at is really the number of uh client devices that they use in the authentication service uh concurrently
28:22 I think some other question is that uh question from Ali is if you are using Mist Edge just as a proxy so today uh like you know
28:30 you're going to basically put in a Mist Edge appliance or a Mist Edge container on-prem and uh like you know we offer
28:37 offer the appliance and and the VM uh there is no Mist Edge subscription as well
28:43 you need to all you need is the is the active concurrently active client subscription and by the way uh like you
28:49 know when we cover uh Slava is going to show us some progress on IoT Assurance
28:54 okay I'm happy to say that it is the exact same subscription that will allow you not only PPSK based client uh device
29:01 onboarding but also now dot1X so everything is getting subsumed under the
29:07 Access Assurance umbrella okay I have a quick question regarding the third party IdPs is it
29:13 fully integrated in the sense that it's leveraging that IdP as as the
29:18 authentication source in other words then it would tie into MFA and other capabilities on that IdP or is it really
29:25 just for user group assignments things like that so there
29:31 yeah yeah I I got I got the question so so there are two two ways how we can
29:37 leverage IdPs today one is as I as I showed to get the group information you
29:42 know user account status and all the attributes that come with it the second is to use IdP as an authentication
29:50 provider in that case you would have to use something like EAP-TTLS to
29:56 authenticate uh users using their credentials saying that so for example
30:01 this will work with Okta this will work with with Azure by authenticating user
30:07 credentials saying that if you look at the you know device OS developments you could see what
30:14 Microsoft is doing with latest Windows 11 updates and enforcing
30:20 Credential Guard that is actually blocking any form of uh password based authentication on dot1X and VPN so
30:28 what we are seeing is it is a trend where everything is moving to certificates only
30:34 it's again it's slow train but it's it's starting to uh to show up but to answer
30:41 your question you could still use IdPs as authentication sources
30:47 so in terms of the policies how do I put this
30:53 um how stupid can I get because um I've got some policies right now that
30:58 are I have been told are pretty stupid um by uh by the ISE consultant that that
31:05 helps me when I get in over my head um for example can I key in on
31:11 very like for example if I I might provision an Intune device with a
31:17 different certificate you know something different in the OU than a Jamf managed device so that in my authentication
31:24 policy I can key off of that right these all look pretty simple I'm not seeing anything really like
31:30 I'm digging into fields and certificates and making policy choices based on those decisions
31:36 um is that functionality there so thank you for asking this question
31:41 the functionality is definitely in there so you can create a label again just a
31:46 condition you could look at virtually any certificate attribute you want to look at you can match on let's say a
31:54 subject to say if it's OU=XYZ then we're going to match on that use that as
32:00 your condition on the left and then apply different policy based on that this is very powerful we've been asked
32:06 about this by actually quite a lot of customers that are issuing different certificate subjects to different types
32:13 of devices or users so yeah definitely good to know that misery loves company
32:21 um I got one last question about this so um as far as my understanding is this is cloud-based directories right like Azure
32:27 Okta and all that um just curious what if somebody doesn't have that and they only have just a
32:32 local Active Directory locally deployed certificate based servers and
32:37 all that kind of stuff is there some kind of agent or something again or can we use again Mist proxy to somehow integrate the cloud RADIUS with that
32:47 what we see is there are customers who would say I only have a local Active
32:54 Directory and I'm using this today with my current RADIUS server right but the
33:00 the next question would be oh what are you doing any single sign-on today and they'll say yeah yeah we have Azure
33:06 uh okay hang on a second so you you actually are doing a hybrid cloud
33:11 deployment model yes you're using your local Active Directory with your current RADIUS server that's fine but all your
33:16 users are in fact already in Azure we don't most of the time we don't need
33:21 to talk to the local AD because there's something in the cloud that's doing that's uh that has all the user records
33:29 uh saying that if you find that fourth case of at this point really like one couple of
33:36 percent of customers that have nothing in the cloud you could still uh you know
33:42 use secure LDAP from from our from our cloud to uh to your local directory to
33:50 to open it up that's that's the the answer I would give
33:57 and forgive me if I'm jumping ahead but um are you going to be able to discuss
34:02 uh integrations with MDM platforms like you
34:08 know posture checks against an Intune or Jamf or currently uh uh actively in progress so
34:18 what we are looking at this uh uh by bi-directional integration into uh MDM
34:24 providers initially there will be Intune and Jamf Pro so the the idea is that we will
34:33 constantly communicate with uh with say Intune or or Jamf and see if the if the
34:39 client devices the endpoint is in a compliant state uh what what's the
34:45 what's the enrollment status if it's a corporate device or if it's a BYOD device enrolled in the MDM all these
34:51 attributes right based on that you can apply your policies the key thing here is it's a bi-directional integration
34:58 that means that say something changes on the device after it's authenticated right for example somebody uh disables
35:06 firewall or forget forgets to update the antivirus then for example Intune
35:12 detects that this device is out of compliance there is a notification back to uh back to our cloud at this point
35:19 we'll be able to act and and move the clients into say quarantine or disconnect it all together