Juniper and the Policy of the Future

0:09 very quickly

0:10 if you look at any enterprise right

0:12 there are primarily

0:14 four types of devices

0:16 there is uh your guest device there is

0:19 iot devices

0:21 you have byod users and then your

0:23 corporate users so if you look at like

0:26 you know what we have done as part of

0:28 the miss journey over the last three to

0:31 four years

0:32 we have built like you know probably the

0:35 most comprehensive guest solution and

0:38 yes i put in the word captive portal in

0:40 there we started with a captive portal

0:42 uh captive portals are kind of the

0:44 abomination for guest wi-fi with all the

0:46 issues around

0:48 the cna the pop-ups not working etc but

0:51 we still supported it and then

0:53 over the last couple of years we have

0:55 built in every single workflow whether

0:58 it's around sponsored guests whether

1:00 it's around oauth mechanisms with social

1:02 credentials

1:04 even hotspot 2.0 right like you know we

1:06 are starting to see especially in the

1:08 retail market customers starting to

1:11 pilot uh hotspot 2.0 and like you know

1:14 we have a good support so we have built

1:16 out a comprehensive

1:18 guest solution right so what's next for

1:21 us

1:22 let's actually conquer iot byod and and

1:26 the corporate devices are laptops and

1:28 macbook pros right and for any of these

1:31 different types of devices like you know

1:33 what we want to get to is seamless

1:36 onboarding

1:37 um unified policy

1:40 most importantly user experience and

1:42 having good visibility around who are

1:45 the people actors on my network and who

1:48 may not be sanctioned to be there

1:50 and overall stitch it together with a

1:52 simplified operation story right

1:55 so

1:57 last november we announced this service

2:00 for iot assurance and there are only a

2:03 few key things to

2:05 note about it

2:06 this was basically a service that came

2:08 out of customers asking for a simple

2:11 solution for headless iot devices

2:14 that do not support 802.1x

2:17 authentication right epls they they are

2:19 headless

2:22 so they have to use multi-pre shared

2:23 keys or private pre-shared keys and what

2:26 customers were struggling with was like

2:28 in a complex workflows in today's like

2:32 you know radius snack solutions to get

2:34 them onboarded assign the right policy

2:36 do the right kind of traffic engineering

2:39 and then most importantly right when you

2:42 think about a distributed enterprise and

2:44 you are actually thinking about uh like

2:47 you know potentially hundreds of

2:48 thousands of these different sensors in

2:51 the in the context of retail networks it

2:53 could be your food safety uh could be

2:56 your thermal humidity sensors in the

2:58 context of the enterprise campus it

3:00 could be your hvac

3:02 and lighting so all of these

3:04 different thousands of devices need to

3:06 be onboarded

3:08 and you need to do it at scale and

3:10 whatever we do at mist obviously one of

3:13 the foundational thing is ai but the

3:16 other thing whatever we build we we do

3:18 build for scale right so in a short

3:20 video we are basically just going to

3:22 explore uh

3:24 iot assurance in action and like you

3:27 know what what this video is going to

3:29 demonstrate

3:30 is our capability to go and

3:33 with a private pre-shared key where we

3:35 use the key as an identity right the mac

3:38 address is not the identity anymore why

3:40 because over the last three years we

3:42 have seen

3:43 google's and apple's of the world what

3:45 they have done with android ios and and

3:48 random macs right so with the key

3:50 becomes the identity how can i onboard

3:51 the device how can i assign the right

3:54 policy set them up for like you know the

3:56 right whether it's tunneling or whether

3:58 it's locally bridging uh the traffic and

4:01 most importantly how do you provide

4:03 visibility right

4:06 so

4:07 in in this particular example like you

4:09 know org wide like you know we have like

4:12 thousands of keys that you can create

4:14 literally there is no limit to the

4:16 number of keys now keep in mind that all

4:19 of this

4:20 can potentially be done natively through

4:21 whatever we provide right what we have

4:24 done here is given your portal to look

4:26 at administer and life cycle manage all

4:29 of these different keys

4:31 in a simple easy to use manner with the

4:34 right set of visibility so here i'm

4:36 actually like you know honing on you can

4:39 have like you know the email address or

4:41 the identity of a user as your key name

4:44 right and with that you can actually go

4:47 and

4:48 like you know assign a right segment of

4:50 the network so this will belong to like

4:53 you know vlan such and such and and that

4:55 iot device will be on a different vlan

4:57 all without the use of any kind of an

4:59 overlay neck radius system right so over

5:03 here you see like you know vlan 750 has

5:06 been assigned to the particular key the

5:09 key again to stress

5:10 is actually the identity because that is

5:13 what prove like you know insulates it

5:16 against your

5:17 uh uh mac randomization and then

5:20 with the role or with the right like you

5:23 know segmentation you can decide that

5:25 this these set of iot devices need to

5:28 tunnel traffic to an application server

5:30 like you know that is like you know in a

5:32 data center somewhere whereas the rest

5:35 of the devices iot devices or users

5:38 sharing the same ssid could potentially

5:41 just locally bridge their traffic right

5:44 the next important thing is visibility

5:46 right who are the users that are

5:48 actually currently using that particular

5:51 key right there have been instances

5:54 uh

5:55 where

5:57 people have actually done pilots right

5:59 and as part of pilots say i have this

6:00 ssid i have this preset key let me

6:02 actually go and administer these keys on

6:05 on these few devices

6:07 then i'm done with my pilot and then

6:09 i've left those devices forgotten that

6:11 provides a security intrusion threat

6:14 right in your in your building so it's

6:16 very important to have visibility into

6:19 who all are using that pre-shared key

6:22 but most importantly also have

6:24 visibility on

6:26 clients that have been registered to use

6:29 but currently not

6:30 using that particular key and that will

6:32 give you some insights

6:36 the next thing that is like you know uh

6:38 important is around administration of

6:40 keys so in our in as part of this

6:42 service we give you the the portal from

6:45 where you can actually look at

6:47 administering or life cycle managing the

6:49 keys uh and probably it has not happened

6:52 to uh

6:53 to any of you but in many cases what

6:56 happens is that we go and

6:58 rotate keys so there's like you know the

7:00 left hand not talking to the right hand

7:02 uh someone rotates the keys

7:05 and then the result is devices get

7:07 disconnected and like you know we are

7:09 going to be able to catch that through

7:10 marvis our connection sls but that is

7:13 actually a real problem and expose facto

7:16 so what if i could actually give you a

7:18 very easy to administer process

7:20 whereby

7:21 like you know you go and

7:23 rotate your keys out

7:25 without having to touch the end user or

7:28 the connectivity of the of the end user

7:30 so here i'm going to filter for all of

7:33 my like i filtered on iot devices and

7:36 i'm just going to duplicate that key

7:38 right so i'm going to duplicate that key

7:40 such that all the connected users are

7:42 still connected and all of my uh

7:45 like and then i can on the original key

7:48 i can go do my key rotation right if i

7:50 have to change attributes on the on the

7:53 expedition or the number of devices that

7:55 can connect like you know all of that is

7:58 done through this process if you had a

8:00 question

8:01 do you need anything on the client

8:03 device that can accept that change key

8:06 uh

8:08 today we do like you know for for any

8:10 client device management you need an mdm

8:13 solution so we are not claiming here to

8:16 be your mdm solution but what we are

8:19 claiming to be is all of your identity

8:21 vectors we are going to just manage

8:23 those right

8:28 the point keith is is that it is still

8:30 the enterprise's responsibility to push

8:33 the new keys to these devices

8:35 we're giving an option for old keys to

8:38 work and new keys to work simultaneously

8:42 and showing you visibility of who's

8:44 hanging on to dear life with the old

8:45 keys

8:47 right perfect thanks thanks keith so

8:49 sorry just because are these new

8:51 different keys or the same key with

8:53 different properties it is actually the

8:56 exact same key so what i did as part of

8:58 this process was i duplicated the

8:59 original key the client devices are

9:01 connected to the duplicate key while i

9:03 go and like you know rotate my

9:06 administer the the original key and then

9:08 at the right time

9:10 that

9:11 particular key can potentially be the

9:12 past phase or whatever needs to change

9:14 can be administered on the client

9:16 devices right

9:19 from the client's perspective is still

9:21 using the same key and then on the

9:23 infrastructure has different properties

9:24 that is correct so the client doesn't

9:26 care what's that is correct yes the

9:28 client doesn't care so this is

9:29 completely transparent to the client

9:31 okay

9:32 so connected to the same society that

9:34 support the ppsk yes can so you can have

9:37 clients that

9:39 are have different policies and their

9:41 traffic get tunneled somewhere and then

9:43 you can have other clients that get

9:45 locally switched that is correct on the

9:47 single ssid we can achieve micro

9:49 segmentation through roles uh and you

9:52 will be able to uh like you know tunnel

9:55 one set of devices so my sony iot

9:57 devices need to go to talk to the sony

10:00 application server i cannot let that

10:02 touch my corporate network that can get

10:04 tunneled and and by the way our

10:06 tunneling solution is missed edge a

10:09 shameless plug over there bob talked

10:11 about it like you know it's a wonderful

10:13 solution so they are all going to get

10:15 tunneled to a mistake and the traffic

10:17 will be dropped at a pop

10:19 while the others will be locally bridged

10:21 can you configure that at the uh wx lan

10:24 policy level well you can actually do

10:27 that just by your network segment so

10:29 like you know you you can use vlan 750

10:32 on that ssid

10:34 for tunnel traffic you can use vlan 710

10:38 for all your locally bridged traffic

10:40 okay right and then the ppsk works with

10:42 wpa3 isu

10:44 um ppsk wpa3 is currently a work in

10:49 progress

10:50 uh and and potentially just stay tuned

10:52 like you know we will have an update for

10:53 you soon okay

10:55 having a hard time tying this with vxlan

11:00 and the policy so how do you tie

11:03 a great question so as i was kind of

11:05 alluding to with with april april um the

11:09 cloud is a place where we stitch things

11:12 together right so you might actually

11:14 have a policy framework for

11:17 vxlan using gbp

11:20 i on the wireless side like you know we

11:22 have wxlam

11:24 on the cloud side the needful stitching

11:26 goes through and the right policies get

11:28 pushed out to access points and switches

11:31 right whether it's like an acl or or

11:34 like you know whatever it may be or a wx

11:37 lan policy so i'm just going to move

11:39 forward to the next use case

11:42 and

11:43 that is around extension and this is

11:45 basically your work in progress

11:48 to be released hopefully by end of this

11:50 month

11:52 like you know if you if you are familiar

11:54 with like you know byod

11:56 like you know workflows they can get

11:58 awfully complex and many times people

12:01 need simple mechanisms for students in a

12:04 in a higher ed uh like in a campus or

12:07 corporate devices corporate users

12:10 bringing their own devices and

12:13 self-administering like you know how to

12:15 get their devices on the network so as

12:18 we are we were developing this uh the

12:20 the private pre-shared key or

12:22 multi-pre-shared key based iot assurance

12:25 solution

12:26 we are extending that and to be released

12:28 this month hopefully like you know with

12:30 uh what we call the self-provisioning

12:33 portal extension to iot assurance and

12:36 what that allows you to do is use the

12:40 say for example your your directory will

12:42 have the identity of the user the

12:44 credential

12:45 and you are going to

12:47 it is completely self-administered a

12:49 user goes and enters his his or her

12:52 credentials

12:53 we are going to do a roll look up roll

12:55 look up like you know whether it's octa

12:57 or azure or adfs

13:00 and then we are going to get

13:03 a qr code returned back to the user the

13:05 user can just scan the qr code and

13:08 basically get on the network right so we

13:11 stitch together a demo uh that basically

13:14 shows the process through

13:16 this role integration with octa

13:21 so like you know over here uh so this is

13:23 basically the the client onboarding

13:26 piece

13:26 and if i just fast forward a little bit

13:30 so you as as part of your administration

13:34 like you know you are going to

13:36 provide a url for all of the users to go

13:39 and register themselves right so that is

13:42 basically so we provide you with a psk

13:44 portal configuration this is this is

13:46 basically where you provide your idp uh

13:50 information

13:51 and then

13:52 from

13:53 like you know

13:55 you also will modify the different

13:58 attributes of that particular psk

14:01 so things like like you know if you have

14:03 to assign a vlan or you have to assign

14:06 like an expiration and all that

14:08 configuration is out there so from a

14:11 user experience perspective what it

14:13 looks like is in this particular case

14:15 i'm going to like in a url that has been

14:18 advertised this is basically your

14:20 octa is used as a role directory

14:23 provider i'm going to go and like you

14:25 know enter my

14:27 email address over there the email

14:28 address is basically the identity of the

14:31 user on the directory uh i am

14:35 signing in and

14:37 we have once the authentication actually

14:39 goes through there's a callback to our

14:41 portal and we are going to give you a qr

14:44 code you can scan the qr code and get on

14:46 the network and the rest of the demo

14:49 covers that in the interest of time i'm

14:51 just going to skip this particular demo

14:54 and move on

14:55 to the last bastion that we are yet to

14:58 conquer

15:01 right so

15:03 if you have we have so we have talked

15:04 about guests we have talked about iot we

15:06 have talked about byod so really the

15:08 last thing to tackle is uh what do we do

15:12 with

15:13 like you know for corporate users right

15:14 and for the longest time we actually

15:17 have very good integration

15:18 with cisco ice aruba clear pass for

15:21 scout

15:22 like you know pretty much or microsoft

15:24 nps free radius anything that you can

15:26 think of like you know we have very well

15:28 documented tight integration of how we

15:31 ingest filter id attributes from clear

15:33 pass into our wx lan policy etc right

15:37 but as and when we were building this

15:39 solution up like you know we started to

15:41 look at like you know what is really

15:42 wrong with

15:44 today's overlay systems for

15:46 and radius and really there are three

15:49 things that that kind of jump up number

15:51 one is deployment and provisioning like

15:53 you know is basically a pain even if

15:56 they offer like in a software containers

15:58 it's rack and stack virtualization not

16:01 quite micro services driven but more

16:03 importantly when it when like you know

16:05 the examples that you have seen today

16:09 there is no single system that is

16:11 actually correlating data from the edge

16:13 the client data from the edge or the

16:15 client experience from the edge to what

16:17 is going on in the rest of the network

16:19 so today what we do is we highlight that

16:21 if a user has had an authentication

16:23 problem we will say that go check

16:26 the radius side of the house right

16:28 especially if wi-fi or wired is not to

16:30 blame

16:31 but someone still needs to know what is

16:33 going on the radio system and you have

16:35 to go through log mining and parsing to

16:37 figure out like you know what is wrong

16:39 and what is broken and and that is

16:42 basically a pain for the user and then

16:44 last but not least like you know goes to

16:47 uh

16:48 all the solutions being non-cloud native

16:50 non-cloud driven

16:52 they lack the agility and scale like you

16:54 know so uh in the world of mist we've

16:57 actually solved all this problem in the

17:00 in the enterprise edge right so our

17:03 aspiration is to really

17:06 provide the or bring the same micro

17:08 services architecture and the ai driven

17:11 insights that we have done for network

17:13 devices

17:14 and then bring it into the

17:16 mac radius market right

17:18 so this is not a product announcement

17:21 this is not a launch of any kind but i'm

17:24 just going to give you a teaser of what

17:26 that actually looks like

17:28 uh in in our world

17:31 and

17:32 role like you know if you've seen wxlan

17:34 like and it will seem very familiar one

17:36 of the important aspects is the policy

17:38 configuration right and and what we show

17:41 in this demo is a simplified like in a

17:44 policy framework instead of having to go

17:46 through three or four different tabs

17:49 to have simple policies for your wired

17:51 and wireless devices in like you know

17:53 this is set up like a wxlan engine uh

17:57 where you have like you know your

17:59 wireless devices that are using uh epls

18:02 uh authentication on the left hand side

18:04 are all the different like you know

18:07 identities the different users

18:10 and the attributes that will provide

18:12 rules to match on so you're going

18:14 through this list like a regular

18:15 firewall trying to find the best match

18:18 and assign the right set of policies and

18:20 and rules right so here we're showing it

18:23 so it's a wireless user using epls

18:26 corporate like an end you can filter on

18:29 like subject of a of a certificate if

18:31 the subject of the certificate is this

18:33 like you know i am now going to put that

18:35 user in that

18:37 like in a corporate vlan and potentially

18:40 assign uh an

18:42 advanced role right uh similarly like

18:45 you know um i'm not going to go through

18:47 the whole thing uh but if you look at

18:49 like you know we do this exact same

18:51 thing for wired devices like you know so

18:53 if you have a uh like a dot one x device

18:56 or if you're doing like in a map and

18:59 it's a

19:00 it's a it's a printer you will assign it

19:02 the the printer vlan right so so this is

19:05 basically one aspect of what we are

19:07 bringing to the table on the surface of

19:09 it is like in a simplified policy

19:12 framework that can be now pushed to the

19:14 switches and um and and the access

19:16 points and by the way our

19:19 the goal number one is to do this on

19:22 juniper miss devices and eventually we

19:24 are going to expand over to third party

19:27 uh infrastructure

19:28 um

19:30 i am

19:31 going to go to the money slide here like

19:33 you know basically this is the bread and

19:35 butter

19:36 of

19:37 where the problems today lie right and

19:39 it is like you know this

19:41 troubleshooting like you know what is

19:43 going on on the infrastructure and the

19:45 clients and what is going on the radius

19:47 side and as i said april cloud is a

19:50 place where we are stitching all of this

19:52 together right

19:54 so here you are going to basically see

19:56 that when i've had an authorization

19:58 failure like in an authentication fail

20:00 exactly why did the authentication fail

20:03 did your certificate like can i have an

20:05 expired year was it incorrect so on and

20:08 so forth right

20:11 yes franco so the radius server is in

20:14 the cloud and you're getting all of that

20:15 regis log into marvis for

20:18 that is exactly correct right it's a

20:20 very resilient high availability

20:21 architecture with like you know lots of

20:24 geo-redundant pods that are going to and

20:26 and i'm probably getting a two-bit ahead

20:28 of myself we will come back and do an

20:30 architecture deep dive but to answer

20:32 your question simply yes so we are

20:35 taking all of the data the cloud is

20:36 where

20:37 uh we configure the cloud is where we

20:39 get visibility but the radius

20:41 authentication really happens

20:43 at a point of presence closer to the uh

20:46 to the user location okay yes it was

20:49 this integrate with something like

20:50 eduroam so if i've got

20:52 it will different like you know

20:54 eventually that is the goal

20:56 whatever mechanisms we have today like

20:58 you know whether it's hotspot 2.0 uh

21:00 like you know to be the like you know

21:02 kind of the provider for a clearing

21:04 house or

21:06 uh like you know all of your

21:08 social social credentials all of that is

21:11 going to be stitched and come under this

21:13 umbrella

21:14 open roaming right

21:17 so so so francois and raul um

21:20 what mist has done

21:21 to the wireless players in the industry

21:24 when when we started

21:26 is what we're planning to do

21:29 what this is going to do for ice and

21:31 clear pass right

21:32 completely step function change the

21:35 paradigm

21:36 of how

21:37 policy get administered natively

21:41 to the systems and cloud native right

21:44 so france what to your point the radius

21:47 server is not in the cloud it the radius

21:50 server is the missed cloud right so um

21:54 so anyway um we're not ready for uh for

21:58 pilots and and production yet

22:00 but we're excited we're we're just

22:02 showing you the progress we're making um

22:05 i think uh we're gonna put the industry

22:07 on notice um on uh when this truly comes

22:10 out uh it's going to be

22:12 an

22:13 exciting uh sort of a turn in in the

22:16 industry in terms of policy and

22:19 thank you very much for everybody that

22:20 was that are watching the live stream uh

22:23 if you're watching this recording uh you

22:25 know post process

22:26 or uh for uh for all the delegates um

22:29 sort of um uh in the room uh truly again

22:32 as as we started um you are part of our

22:35 extended family you you've really helped

22:38 us uh uh through throughout this journey

22:41 and um and you know i hope what you saw

22:44 today is is very simply a manifestation

22:48 of our sort of client to cloud strategy

22:51 of continuing to add you know breadth um

22:55 and depth uh in this client-to-cloud

22:57 journey and obviously there's a lot more

23:00 to do there is a lot more we can do

23:02 everal to your point of things we can do

23:05 so the last thing i will tell you you

23:07 know what is around the corner and what

23:09 is uh you know exciting as we as as the

23:12 year unfolds for us is where does marvis

23:14 go

23:16 um

23:16 where we think marvis can go is imagine

23:19 if marvis had an army of minions

23:22 you know doing things and and learning

23:26 and and coming back and reporting and

23:28 and asserting on the network

23:31 before a user a single individual user

23:35 has to suffer

23:36 we believe there is a

23:38 even better future on on we could get to

23:43 ai that is not predictive not reactive

23:47 but

23:48 100 proactive

23:50 before users experience a single failure

23:53 so there's a lot more we're excited

23:55 about what's around the corner for us

23:57 think of mario's marvis with a bunch of

23:59 minions uh you know checking out the

24:02 network and validating it for you