White Paper

Bring Your Own Device (BYOD)

with Cisco Validated Design
Introduction

Summary

Mobile devices are transforming our culture and posing significant security challenges
for IT managers. People bring their personal devices to the workplace and connect
them to corporate networks. Every smartphone and tablet brings inherent security risks
to an organizations resources and data. The organization cannot control what software
users put on personal mobile devices. Mobile devicesand the data on themmay
become lost or stolen. They can bring malware into a corporate IT network. These
risks expose the corporation to potential security incidents and any resulting lawsuits.
Therefore, IT managers need visibility and control to track what those devices are, who
is using them, and where and when they connect to the network. Organizations need
to then establish and enforce security policies for mobile devices that protect sensitive
and confidential assets from inadvertent or overt compromise.

It is now common for people to use

personal devices in the workplace,
at school, or at the local coffee shop
to access the Internet. People also
use those devices to access their
organizations data. Organizations
need to support several types of data
access scenarios, from employees
accessing internal corporate data to
guests needing to access their own
information outside of the corporate
firewall to remote workers accessing
internal information from the Internet.
The Cisco Validated Design (CVD)
BYOD solution provides secure,
proven designs for internal, guest, and
remote BYOD access.

Cisco Systems offers a BYOD solution, built upon the end-to-end reference
architecture, device configurations, and best practices of CVD. CVD is designed for
Cisco partners seeking fully integrated, out-of-the-box solutions that can be replicated
for multiple customer deployments. CVD is rapid to deploy, easy to manage, and
scalable for future growth.
Combining proven best practices and fully tested reference architectures, the CVD
BYOD solution is a foundational set of security solutions and configurations designed
to monitor and manage onsite and remote mobile device access into a customers
wireless network. Cisco BYOD is a proven solution for Cisco partners that want to offer
their customers greater visibility and control over mobile devices on their networks. The
experts at Cisco have done the planning, integration, testing, and implementation of the
security components and services that protect a wireless access infrastructure from
the security risks of mobile devices.
This white paper offers Cisco partners an overview of the business challenges the
solution addresses, the Cisco solution components, a spectrum of deployment options,
and the benefits of CVD BYOD for end customers.

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

Business Challenges
CVD BYOD offers a smart, cost-effective approach that addresses these critical customer needs:
Proliferation of mobile devices inside and outside the organization. The line between personal and work devices has blurred or
vanished altogether. Customer organizations may not own the devices that are accessing their networks, so customer security
managers cannot control the software and data on mobile devices. These devices may introduce malware or other security
vulnerabilities such as loss or theft that present unacceptable risks to confidential and proprietary applications or data.
Anytime, anywhere wireless access to services and applications. Mobile workers expect to be able to use their smartphone or
tablet to access the Internet and corporate services such as email, calendars, and CRM applications, automatically roaming through
any public or private wireless network without cumbersome or repetitive login procedures.
Consistent security policy enforcement to mobile devices. Security managers may choose to impose a different set of security
policies depending upon the type of device accessing the network. Mobile devices are easily lost or stolen, and security managers
need the ability to deny access to confidential or proprietary information. Further, security systems must adapt to new device types
and operating systems as they come to market.
Regulatory compliance that requires detailed logs of network usage, including mobile devices.

CVD BYOD Solution Components

CVD BYOD is a combination of reference designs and best practices that simplify deployment and management of mobile access to
business resources. Cisco partners can deploy BYOD components for their customers to meet a variety of mobile access security
requirements. This section provides an overview of those BYOD reference designs that are discussed in the next section. The
following figure presents a generic representation of the BYOD solution.
Figure1: CVD Bring Your Own Device

Internet

Cisco Wireless
Controllers
Cisco ASA

Active
Directory

Cisco Identity
Services Engine
(ISE)

Cisco Aironet
Access Points

Intelligent
Access

Server Room
or Data Center

Clean Air Wireless Zone

Attribute-based access control

1026

Cisco AnyConnect

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

Cisco Identity Services Engine

The hub of the CVD BYOD wireless security architecture is Cisco Identity Services Engine (ISE). Cisco ISE sits behind the Cisco
wireless network in order to authenticate and authorize users logging in through mobile devices. Cisco ISE helps customers achieve
a simple, highly secure, and scalable mobility experience through a wireless access infrastructure that automatically identifies mobile
device types, sets policies that define where those device types and users can go on the network, and quickly remediates security
vulnerabilities.
Cisco ISE provides:
Identity and access controlCisco ISE is a policy platform that enables organizations to enforce compliance, enhance
infrastructure security, and streamline service operations. It automatically discovers and classifies endpoints, profiles specific
device types (such as laptop, smartphone, or tablet), provides the correct level of access based on identity, and checks device
posture to facilitate policy compliance.
Authentication and authorizationCisco ISE acts as a proxy to existing Microsoft Active Directory services in order to leverage
the centralized identity database for all network services. Authentication and authorization communicate identity policies to Cisco
Wireless LAN Controllers (WLC), introduced later in this document.
Visibility and managementIts powerful, flexible, attribute-based access control capabilities allow centralized creation and
management of consistent access control policies through end-to-end visibility into connected devices.
Real-time policy enforcement and governanceIts unique architecture allows customers to gather real-time contextual
information from wireless networks, users, and devices, driving proactive governance decisions that result in consistent policy
enforcement.
Cisco Wireless Network
Mobile devices log into the Cisco wireless network through Cisco Aironet Wireless Access Points, which connect into Cisco Wireless
LAN Controllers (WLCs) that route traffic into the wired LAN. The wireless network scales easily to accommodate growth in both the
number of mobile devices and the amount of bandwidth they consume.
Internet Edge
Guarding the flow of traffic between the trusted and untrusted networks are Cisco ASA 5500 Series Adaptive Security Appliances.
More than a firewall, these appliances include a comprehensive, highly effective intrusion prevention system (IPS) and highperformance VPN and remote access functionsas well as optional antivirus, antispam, antiphishing, URL blocking and filtering, and
other content control capabilities.
Secure Client Roaming
Inside client devices, Cisco AnyConnect Secure Mobility Client software enables IT administrators to deliver comprehensive policy
enforcement to mobile employees using advanced mobile devices from different locations. The client connects to the corporate
network through the Cisco ASA appliance at the Internet edge. The Cisco AnyConnect solution offers flexible, granular policy controls
governing endpoint access, along with reliable, secure connectivity with Secure Sockets Layer (SSL) encryption and VPN tunneling.
As mobile workers roam to different locations, with always-on and intelligent VPN, the Cisco AnyConnect client can automatically
select the optimal network access point and adapt its tunneling protocol to the most efficient method. It helps enable built-in web
security and malware-threat defense, giving organizations an option to supplement employee access to corporate resources with
consistent, context-aware security policy.

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

CVD BYOD Reference Designs

CVD BYOD supports a spectrum of four reference designs that Cisco partners can mix and match to meet specific customer
requirements. The solution lays a foundation for more advanced mobile access security infrastructures that end customers can
deploy at any time. The currently available Cisco SBS deployment options are these:
Guest wireless accessprovides basic Internet access to mobile devices
Identification and authenticationallows mobile devices to connect to the Internet and use internal network services while
monitoring their activities
Internal corporate accessoverlays policy controls on what mobile devices are allowed to do inside the corporate wireless network
Remote mobile device accessenables secure connections with corporate IT applications and services from outside locations.
Guest Wireless Access
Most organizations host guest user access services for customers, partners, contractors, and vendors. Most commonly this scenario
gives guest users the ability to check their email and other services over the Internet. These services can include VPN access to
specific applications and Internet access. VPN access is discussed below as part of Remote Mobile Device Access.
This reference design provides Internet access for guest users (Figure 2) and denies access to corporate resources. In the broadest
sense, a guest user can be any mobile device including those belonging to or used by employees, making this architecture a logical
first phase of mobile device access.
Figure2: CVD BYOD Guest Wireless Access

Internet

Guest Wireless
LAN Controller

Cisco ASA

Active
Directory
Internal
Network
Cisco Identity
Services Engine
(ISE)

Guest Traffic
Authenticated Guest Traffic
Tunneled Traffic
Web Auth Redirect

Wireless LAN
Controller

LDAP Request
Guest

1027

RADIUS Request from WLC

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

Cisco ISE includes a complete provisioning and reporting system that provides temporary network access for guests. To enable
guest access, a sponsor within the organization logs into the Cisco ISE sponsor portal and sets up a guest-level account for known
individuals. Cisco ISE acts as a RADIUS server for authentication and accounting. Cisco ISE queries Active Directory to authenticate
the sponsor and then allows creation of a guest account and registers it with the Cisco WLC designated for guest access. The
sponsor can specify start and end dates and times in order to coincide with a contract period or a specific visit.
For example, a sponsor has a visitor coming the following day for a meeting. She sets up a guest account, and the system sends an
SMS text message to the visitors smartphone or tablet with login details. The guest can log in as soon as he arrives for the meeting
and check his email and calendar. After the meeting is over, Cisco ISE notifies the network that the account has expired, and the
guest can no longer log into the guest network.
This solution lets customers offer limited Internet access privileges to guests and track when and where specific guests log in and log
off, providing visibility into guest activities that help the organization protect itself.
Identification and Authentication
This reference design grants all mobile devices unrestricted access to both the Internet and to internal services and applications. This
architecture supports phased deployment of wireless identity services without affecting existing connectivity. Cisco ISE can profile
device types and track their usage. It tracks device activity such as when the device logged in, from which port, and when it logged
off. This setup is valuable for organizations that wish to monitor mobile device activity for regulatory compliance or to gather realtime, contextual information about mobile device usage for developing advanced wireless security policies (Figure 3).
Figure3: CVD BYOD Identification and Authentication

Certificate
Authority

Remote Access VPN

Wireless
LAN Controller

Internet Edge

Active
Directory

Core
Cisco ISE

Data Center
Distribution

Remote Site
RADIUS

DHCP

LDAP

1028

Access

As with guest access, Cisco ISE acts as a RADIUS server for wireless 802.1X authentication and accounting. Cisco ISE configures
Cisco WLCs to accept login requests from mobile devices at both headquarters and remote sites. (A dedicated Cisco WLC manages
guest access as described in the previous section.) Using monitor mode, Cisco ISE logs the MAC address of any mobile device
requesting access and grants unrestricted access without higher-layer authentication and authorization.

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

Internal Corporate Access

This reference design allows onsite users and teleworkers to access the internal network with personal mobile devices by using
their existing Active Directory network credentials. This allows Cisco ISE to enforce policies on mobile devices not owned by the
organization, allowing or restricting access to protect confidential and sensitive information and assets (Figure 4).
Figure4: CVD BYOD Internal Corporate Access

Wireless
LAN Controller

Access
Point

Active
Directory

Tablet
Access

Cisco ISE

RADIUS

LDAP

DHCP

CAPWAP

1029

Data Center

As with the guest access option, this architecture uses Cisco ISE to authenticate mobile devices using Active Directory services. The
architecture then permits or denies access to the internal network, making proactive policy decisions by correlating device identity
with network elements such as access switches, Cisco WLCs, and VPN gateways.
Remote Mobile Device Access
True mobility fulfills its greatest potential when users can securely access corporate applications and services, with the device of
their choice, from anywhere. The device must support a secure VPN with automatic roaming capabilities. For example, a sales
representative depends upon a smartphone to maintain constant access to email, voicemail, and a CRM application as she travels
from meeting to meeting throughout her region. The phone roams between wireless and cellular networks, even from carrier to
carrier, without the user noticing (Figure 5).
Figure5: CVD BYOD Remote Mobile Device Access

VPN Tunnel
Internet

Internal
Network

W ww

Website

Web
Security

1030

RA VPN
Client

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

White Paper

Remote mobile device access uses Cisco AnyConnect Secure Mobile Client software to establish a roaming SSL-encrypted VPN
connection with Cisco ASA at the Internet edge of the corporate network. Behind the firewall, Cisco ISE manages authentication
and authorization as described in previous sections. The device accesses the Internet through the VPN tunnel at the Internet edge,
allowing the corporation to apply firewall, intrusion prevention, and other Web security capabilities in order to protect both the mobile
device and the internal network from malware and other security risks.

Benefits of CVD BYOD

CVD BYOD delivers both business and technology benefits that address the challenges and risks associated with allowing mobile
devices to connect to business networks.
Business benefits
Pre-tested reference designLimits the risks associated with ad-hoc deployments, allowing customers to invest in proven
platforms, stay within budget, deploy on time, and predict operational requirements.
Spectrum of deployment optionsCustomers can plan their implementation in a flexible, phased approach that reconciles budget
and business needs.
Technology benefits
Consistent availability and performance of permitted services and applications
Predictable security policy enforcement with end-to-end visibility
Extensible to future device types and operating systems
Single point of contact for service and support for rapid problem resolution

For More Information

Cisco Bring Your Own Device (BYOD) CVD Release 2.5
BYODAdvanced Guest Wireless Access Solution Design Guide
BYODIdentity and Authentication Solution Design Guide
BYODInternal Corporate Access Solution Design Guide

CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)