Summary - Avaya WLAN 8100 Technical Configuration Manual

Wireless lan, identity engines

Implicit BYOD support

1) Rule 1: Match corporate devices. Corporate devices (or corporate device type OUI) are defined in
the local store of Identity Engines.
2) Rule 2: Match guest users. Guest users are identified by username/group.
3) Rule 3: Implicit match for all other devices, which are assigned the BYOD profile.

Eliminating rule 3 would essentially deny authentication from any non-approved device,
so this approach could be used to attempt to deny use of BYODs. Alternatively, modifying rule 3
to place all other devices in the guest VLAN allows BYOD use but gives those devices the
lowest possible trust, that is, Internet access only, just like other guest users.

Explicit BYOD support with bulk corporate device authorization

1) Rule 1: Match BYOD devices. BYOD devices (or OUI wildcard list) are defined in the local store
of Identity Engines. BYOD policy is applied for matches.
2) Rule 2: Match corporate users. Support is implicit by not matching rule 1 and having a valid
corporate user account. Additionally, security is improved if this rule incorporates matching an OUI
of common corporate-owned devices, like "Dell laptops", "HP printers", etc.
3) Rule 3: Match guest users. Guest users are identified by username/group.
Avaya's Identity Engines supports bulk import for ease of provisioning large numbers of records
gathered by an automated device auditing process. This allows you to implement the desired level of
security policy granularity without making the configuration overly cumbersome.
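
The two rule orderings above, modeled in an added Python sketch (not Avaya or Identity Engines code or syntax), assuming rules are evaluated top-down and the first match wins. The OUIs, group names, profile labels and function names are constructed for illustration, and rule 2 of the explicit set includes the optional corporate-OUI match.

```python
# Added illustration: first-match evaluation of the implicit and explicit BYOD rule sets.
# All OUIs, groups and profile labels are constructed; this is not Identity Engines syntax.

CORPORATE_OUIS = {"00:11:22"}   # constructed OUI for corporate-owned hardware
BYOD_OUIS = {"AA:BB:CC"}        # constructed OUI wildcard for registered BYOD devices

def oui(mac):
    """Return the first three octets (vendor OUI) of a MAC address, normalized."""
    return mac.upper().replace("-", ":")[:8]

def implicit_rules(catch_all="BYOD"):
    """Implicit BYOD: corporate devices, then guests, then everything else.
    catch_all=None removes rule 3; catch_all="GUEST" gives unknown devices lowest trust."""
    rules = [
        ("rule1-corporate-device", lambda r: oui(r["mac"]) in CORPORATE_OUIS, "CORPORATE"),
        ("rule2-guest-user", lambda r: r["group"] == "guest", "GUEST"),
    ]
    if catch_all is not None:
        rules.append(("rule3-all-others", lambda r: True, catch_all))
    return rules

def explicit_rules():
    """Explicit BYOD: listed BYOD devices, then corporate users on corporate OUIs, then guests."""
    return [
        ("rule1-byod-device", lambda r: oui(r["mac"]) in BYOD_OUIS, "BYOD"),
        ("rule2-corporate-user",
         lambda r: r["group"] == "employee" and oui(r["mac"]) in CORPORATE_OUIS, "CORPORATE"),
        ("rule3-guest-user", lambda r: r["group"] == "guest", "GUEST"),
    ]

def evaluate(rules, request):
    """Return (rule name, profile) of the first matching rule, or a deny if none match."""
    for name, match, profile in rules:
        if match(request):
            return name, profile
    return "no-match", "DENY"

# Constructed requests: an employee on a corporate laptop and on an unlisted personal tablet.
LAPTOP = {"mac": "00-11-22-33-44-55", "group": "employee"}
TABLET = {"mac": "de:ad:be:ef:00:01", "group": "employee"}

if __name__ == "__main__":
    for label, rules in [("implicit", implicit_rules()),
                         ("implicit, rule 3 removed", implicit_rules(None)),
                         ("implicit, rule 3 -> guest", implicit_rules("GUEST")),
                         ("explicit", explicit_rules())]:
        print(label, evaluate(rules, LAPTOP), evaluate(rules, TABLET))
```
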
More BYOD Options with Identity Engines Release 8.0

This Technical Configuration Guide is based on Identity Engines release 7.0.
Identity Engines release 8.0 offers additional BYOD access control capabilities with the new
Ignition Access Portal.
The Ignition Access Portal serves as a Captive Portal for both wired and wireless users, with the
capability to profile devices and automate the creation of device records. This allows an organization to
automatically profile devices, for example by identifying that a device is an iPad with a specific OS
version, and to automatically create a device record with the device MAC address and associate it with
the user.
Hence, more alternatives for Access Policies are available, such as basing access rules on
authenticating users and allowing only Android, BlackBerry, or iPad devices with specific OS versions.

3. Summary

Creating a policy for allowing and supporting BYOD devices is a requirement in today's business
environment. Determining the right level of access for employees and their devices is something every
enterprise has to decide for itself, based on risk assessment, convenience, and support requirements.
Implementing the policy so that network devices can enforce the IT security policy should be easy with
the flexibility and security capabilities that Avaya's WLAN 8100 series and Identity Engines provide
collectively. This guide, while not comprehensive or exhaustive with respect to all the possibilities,
attempts to show how such a policy can be configured.
August 2011
Avaya Inc. – External Distribution
avaya.com