Trapeze Networks SP remote access software

SmartPass™ 7.4
DATA SHEET
Advanced, location-aware access
control with dynamic authorization
for all wireless users and devices.
SmartPass provides policy-based dynamic control over
client access, and enables
easy provisioning of secure
guest access by non-IT
personnel.
SmartPass 7.4
SmartPass is a security management application that gives network managers full control
over client access to the wireless LAN. Network
managers can fine-tune network access and
authorization to an extent never before possible, both for primary users and guests.
SmartPass is a huge time-saver for organizations
that have a constantly changing user base, e.g.
schools, universities, hospitals and hospitality.
[Figure: SmartPass Integration Architecture]
In addition, for enterprises with lots of visitors
who would like wireless access, SmartPass
provides non-IT staff with the means to safely
provision many hundreds of guests, on demand,
and without distracting or tying up scarce IT
resources.
SmartPass is an entire software platform and
ecosystem, which works seamlessly with other
Trapeze components such as the LA-200E
Location Appliance and the award-winning
RingMaster management suite.
Beyond Identity-based Networking
Trapeze Networks pioneered Identity-Based
Networking on wireless LANs and has several
fundamental patents related to managing session keys across distributed databases spanning
multiple WLAN controllers. These innovations
resulted in reliable, seamless campus-wide
layer-3 roaming across APs, even when the
APs are managed by different controllers. In
short, the identity follows the client anywhere
it roams - indoors, outdoors, wherever.
With time, however, it has become clear that
the unique elements of mobility, combined
with the shared media nature of Wi-Fi, call
for even more intelligent management of
the privileges extended to different users.
Privileges should not be set once and then
forgotten. Instead they should be adjusted
dynamically, based not only on who they are,
but also on where they are, what they are
doing, what time/day it is, and ultimately
upon what others around them are doing too.
Once again, Trapeze is first to recognize and
address this need, and does so in a standards-based
way, which takes advantage of existing
RADIUS infrastructure.
Advanced Access Control
[Figure: Advanced Access Control. Labels: Authentication; "Are you who you claim to be?"; "MAC Addr, User ID, Password, Keys"; Authorization; Conventional Access Control; "Identity, Posture, Firewall, Encryption"; Access Control; "Location, Time-of-day, Bandwidth, Apps"]
With SmartPass, you not only permit or deny access based on user identity, but can also change authorization attributes – what resources the user has access to – on the fly, based on changing conditions.
SmartPass works with your other networking infrastructure equipment, such as RADIUS, to enable you to change access to network resources for users based on dynamically changing conditions or events. Such conditions include the user’s physical location or change in location, the user’s SSID (wireless network name), after roaming to a new access point, or based on meeting certain conditions from RADIUS accounting, such as session life or amount of traffic passed. A user’s access privileges can be adjusted during the middle of a networking session if desired.
Location Integration
An essential ingredient for enabling location-aware policies is instantaneous access to accurate up-to-the-minute positioning data for any client. SmartPass is the only wireless Access Control software that is seamlessly integrated with location. It uses positioning information obtained from the Trapeze LA-200E Location Appliance to allow access control and dynamic authorization based on a user’s physical location.
The LA-200E provides real-time location positioning for any Wi-Fi device accurate to within three meters. SmartPass adds location information to the user’s RADIUS accounting data, enabling the network manager to invoke policies such as accept/deny, change bandwidth, or change allowed resources based on the physical location or “locale” of the client.
[Figure: Access Control with SmartPass. Labels: Authentication; "Are you who you claim to be?"; "What access do you deserve?"; "Still deserve same access?"; Dynamic Authorization; End Point Integrity; "Can your device be trusted?"; Flexible; Safe]
Access Control Policies
SmartPass uses sophisticated Access Control Rules (ACRs) or “policies” to enact dynamic authorization. With ACRs the IT manager has extensive flexibility over how they control and change access for a user. Using a standards-based approach (RFC 3576), SmartPass augments the existing RADIUS server to change the client’s access to various network resources based on location, time of day, user identity, SSID, VLAN, accounting data, and more. SmartPass can change authorization attributes even during active networking sessions, and invoke ACRs on demand, via the WEB API from another application, or by time or date via the built-in scheduler.
Guest Provisioning
SmartPass provides industry-leading guest access functionality with precise control by time-of-day, day-of-week, date range, and duration. It includes pre-defined profile templates for different guest types, including guest passes for 1 hour, 12 hour, 24 hour, 5 days, 5 days - Business hrs only, and offers the ability to create custom templates. SmartPass also provides the ability to create guest accounts in bulk, with intuitive or random usernames. A pre-existing list of usernames can be imported.
Easy to Use for Non-technical Staff
Guest access is one of the most prevalent
applications of wireless networking. Yet most
wireless guest access solutions are so cumbersome and impractical that enterprises are torn
between squandering IT resources to provision
restricted guest access, and an even worse
alternative, simply offering unsecured “open”
network access 24/7, potentially making their
network a perfect host from which someone
could mount a malicious attack on someone
else or merely choke your internet connection.
In contrast, SmartPass is so easy to use, any
organization can plug this security hole,
without burdening IT staff. In fact, it allows
you to offload provisioning to non-IT staff,
and avoid it becoming a disruptive network
administrator chore. A highly intuitive, easy-to-use interface completely shields front-desk
personnel from the underlying complexities of
network access control.
Non-technical staff — such as receptionists
and clerks — can easily and quickly provision
guest access accounts on demand, without
requiring any networking knowledge. This
is because unlike most other wireless guest
management systems, the guest records are
stored in a central database, not in the WLAN.
For added convenience, different provisioners
can be assigned to manage only certain guest
types, and cannot alter the guest accounts
created by their peers.
Saves Time for Employees Too
One of the biggest challenges with enabling
guest access has nothing to do with how
network security is actually enforced, and
everything to do with the workflow required
to provision guests in a timely manner.
Provisioning guest access is a daily task.
Visitors come and go by the hour, and the
demand for wireless access will only increase.
Hence, huge productivity savings can be made
if the task is made as simple as booking a
meeting room.
In most businesses, visitors or guests do not
randomly appear at the front door. No, typically they are invited by an employee. So, if
employees can book meeting rooms themselves, why not let them grant limited access
to their guests as well? SmartPass makes use
of RADIUS credentials for internal users, to
safely give them self-service Guest provisioning. No other Guest access solution offers this
flexibility or operational efficiency.
And it's perfectly safe, because it is still IT who
ultimately defines the security profiles for different guest types and chooses whether or not
to empower regular employees with limited
rights to grant Guest access.
SmartPass allows employees to grant access
themselves and be done with it, in less time
than it takes them to inform the Front Desk,
or worse to burden IT with such a trivial task.
Guest Credential Notification
In addition to printing labels and company-branded login instructions showing the guest
credentials, SmartPass also allows for Email
and Text (SMS) notifications to the guest
at the time the guest account is set up. This
eliminates manual transcription, removes the
risk of errors, and improves productivity both
before and during the guest’s visit. Consider
how often meeting time is wasted while participants wait for one person - the guest - to
get online.
Scalable Centralized Architecture
Different from other solutions, which write
each guest account to every WLAN controller’s local database, SmartPass uses a centralized guest account database. While other
solutions actually change controller configurations—by adding, modifying, or deleting
guest credentials on individual WLAN controllers throughout the network—SmartPass never
stores guest data to any WLAN controller.
This centralized approach is not only cleaner
and more efficient, it is also more reliable.
That’s because it prevents potentially harmful configuration changes from being made
to critical network hardware by individuals
with no domain expertise, and ensures that
all access security operates independently of
which controllers are in service.
No longer tied to the WLAN Controller platform, SmartPass also scales exceptionally well.
With up to 10,000 users per SmartPass server,
SmartPass is ideal for conventions, universities,
hospitality, healthcare and large enterprise.
Centralized Captive Portal
Another advantage of the centralized architecture is the way “Captive portals” are managed.
Captive portals are a popular way to manage
network access en masse, when IT does not
have authority or control over client devices.
With other vendors’ access control systems
the web-page and other components of the
captive portal are tied to the controller hardware - in the same way as guest records are
local. Each WLAN controller has its own local
copy of the captive portal. Consequently, once
you have more than a few controllers, this
becomes a maintenance headache, with the
smallest change requiring replication on every
controller. In contrast, the SmartPass server
keeps only one instance of the Captive Portal
which is served up to any user at any location,
regardless of which controller is managing the
users’ authentication.
The centralized architecture also has a direct
impact on the cost of SSL Certificates. Instead
of needing one per controller, only a single
certificate is needed on the SmartPass server.
Session Persistence for Handhelds
With the increased adoption of handheld
mobile devices, session continuity is becoming
a growing problem. In an effort to preserve
battery life, many devices implement a “sleep”
mode that results in the client losing its session and dropping off the network. So when
the user wakes up the device, they often have
to log in to the captive portal all over again,
to access all their applications. For security-sensitive applications such as Electronic
Medical Records which time out quickly, this is
particularly annoying to users, as the applications themselves often time out the moment
the client session is inactive. Trapeze has solved
this problem, by maintaining a form of device
cookie which is used to maintain wireless session persistence.
Open APIs for System Integration
SmartPass is designed to work with external
applications such as credit card billing, guest
registration, facility management, and custom
reporting systems. This allows ad-hoc granting
of secure wireless access to be safely automated
within other business processes. SmartPass
ships with published, open, standards-based,
Web-based open Application Programming
Interfaces (APIs) to make it easy to integrate
its functionality with other systems. Likely 3rd
party applications for such integration include
credit card billing systems, facility management
systems, hospitality registration systems, IPS/IDS
systems and custom reporting systems.
RADIUS Accounting and Reporting
SmartPass uses standards-based RADIUS accounting to calculate and utilize per user statistics including lifetime session counts and total traffic passed for session. Reports can be generated based on these statistics in SmartPass or RingMaster or from a 3rd party application.
Unified Services Management
As wireless LANs become more pervasive, there is a growing need to bring services together under common management, so they can leverage their collective network intelligence.
SmartPass is now tightly integrated with RingMaster. This enables user, location information and activity history to be correlated, and this allows all manner of custom reporting and visualization capabilities not previously possible with either tool on its own. Simple examples include: Show me the current location of all guests; Report all users with call detail records between 10am and 11:00am yesterday.
In future, wired policy managers will be able to use RFC 3576 and emerging standards such as IF-MAP to combine policies across both wired and wireless networks and tap into unified mobility services.
Key Applications
The applications for such granular and dynamic access control are unlimited but are illustrated in the following examples.
Prevent Students from Cheating
A professor giving a test from 2pm - 3pm in Classroom 230 has the ability to change wireless access for students instantly to deny access to the Internet during that time from that specific location. At the professor’s option, the students could still have access to relevant classroom materials on the LAN.
Restrict Corporate Guest Access
A large company wants to provide a hired consultant access to the Internet and certain LAN resources but only while working in an assigned building or areas of the building. If the consultant tries to access the network from another location, he will be denied access even with valid log-in credentials.
Lock-Down Bandwidth Abuser
A user on the network is consuming an excessive amount of bandwidth. After a utilization threshold is crossed within a time window, SmartPass throttles down bandwidth and priority for that user. For example, a rule can be set that for any given user, after 10 MB of download in any given hour, the user is restricted to only 100 Kbps maximum.
Provide “Free” Access in Lobby
In Hotels, Wi-Fi access is fast becoming an expected service. SmartPass makes it possible for Hotel management to offer tiered services based on where someone is, or perhaps based on the accommodation or conference package they purchased. For example, one could offer FREE rate-limited access in public areas, while offering higher-bandwidth services for a daily rate, in rooms, while simultaneously offering a metered service for conference attendees.
Extra Security for Sensitive Networks
All users can be prevented from accessing the network from unauthorized locations even with legitimate credentials. This adds an extra layer of security against offsite attackers who may have stolen legitimate credentials, e.g., “the parking lot hacker”.
Key Features
User Access Control
• Creation of custom policies – Access control rules – based on a combination of filters such as:
  • SSID
  • User Name pattern (e.g. domain\username)
  • User Type
  • Location
  • Accounting (lifetime or session)
  • Time of Day
  • VLAN
• Disconnect or change access attributes such as ACLs, bandwidth restrictions, or quality of service markings dynamically for any user session on the network
• Location based policy control with ability to apply various policies based on identity in the same location
• Adds additional layer of security
Guest Management
• Flexible and customizable guest profiles
• Customizable coupons
• Guest access reporting
• Bulk user creation
• Optional ways to block unauthorized guest access such as multiple sign-in, excessive password retries
• One click lock-out of guest user
Policy Management
• Separate roles for Administrator, Provisioner and Self-sign user
• RADIUS Authentication for provisioner roles
• RADIUS proxy to authenticate against any RADIUS server
Reporting and Accounting
• Per user or MAC access reporting
• Physical location (from LA-200) information as a part of session reporting
• Customizable data traffic and client connection reporting via API
Third Party Integration
• Fully open, easy to use REST API
• Covers all aspects of the application including:
  • Access Control
  • Location Based Firewall
  • Custom Reporting
  • Guest Access Integration
• Customizable centralized “Captive Portal”
• Guest user notification via email or SMS
Supported OS
• Windows XP (SP2 and higher)
• Windows 2003
• Windows 2008
• Windows 7
• Linux Suse 10.2 and higher
• Red Hat Enterprise Linux 5.0 and higher
Supported Browsers
• Internet Explorer 7.0 and higher
• Mozilla Firefox 4.3 and higher
Ordering Information
• SP-GA-BASE: SmartPass Guest Access Base License; Includes 50 guest accounts
• SP-GA-nn: SmartPass Guest Access License for additional 50, 100, 500 or 2500 guests; requires current / previous purchase of SP-GA-BASE or SP (SmartPass 7.1 and earlier). Includes bulk user creation, web API, RADIUS based roles, coupon customization and html and PDF printing
• SP-SM-UPGR: SmartPass Subscriber Management Base License; Used to upgrade from SP-GA-xx to equivalent SP-SM-xx. All guest access features plus external web portal authentication, RADIUS proxy, guest notification (SMTP and SMS), access control, per-user reporting, extended web API support
• SP-SM-nn: SmartPass Subscriber Management License for additional 50, 100, 500 or 2500 accounts; requires current / previous purchase of SP-GA-BASE, or SP (SmartPass 7.1 and earlier). All guest access features plus external web portal authentication, RADIUS proxy, guest notification (SMTP and SMS), access control, per-user reporting, extended web API support
• SP-SECURITY: SmartPass Advanced Security Feature License; Includes location (LA-200/LA-200E) integration; Dynamic Access Control based on Network Usage, User Identity and Location; requires the current / previous purchase of SP-GA-BASE, SP (SmartPass 7.1 and earlier)
• SP-EVAL: SmartPass Evaluation License – 90-day evaluation, supports up to 50 guest accounts, separate provisioner and administrator access, bulk user creation, access control policies including location integration, Web API, web portal authentication, SMS and email notification
© 2010 Trapeze Networks, Inc.
www.trapezenetworks.com
DS_SmartPass_082710