
“The Conscia Device Portal provides easy and secure onboarding of devices that are not otherwise managed.
No more static VLAN assignment, custom rules, special SSIDs or help-desk cases for printers, meeting room tablets, video systems, 3D printers, cameras or any other odd devices.”
Product overview
Key highlights
The self-service portal enables IT to delegate the task of onboarding unmanaged devices to the device owners. Based on their AD group, users can administer their devices and permissions.
Implement MAC Authentication Bypass as a supplement to dot1x on your network to enable network access control on all ports.
Get segmentation and improved security on one single shared PSK network using iPSK for onboarding wireless devices.
Strong audit-trail for unmanaged devices using the audit-log and reference to device ownership.
Features
Use cases
The device portal is a flexible solution that can be adapted to most use cases regarding onboarding of unmanaged devices. The term unmanaged devices refers to devices that are not managed in a central management system that allows the network admin to provision an authentication profile. In some cases these are also referred to as IoT devices. Read more about unmanaged devices in the article Unmanaged devices in secure networks.
The following typical use cases are described for inspiration.
Unmanaged devices in the Enterprise
In a typical enterprise environment, unmanaged devices such as printers, meeting room equipment (e.g., projectors, smart screens), sound streaming devices (e.g., Sonos speakers, Chromecast, Apple HomePod), payment terminals, and surveillance cameras create a challenge for IT departments. These devices need to be securely onboarded to the network, managed, and monitored without overburdening the IT help desk.
The Conscia Device Portal offers a self-service portal that enables device owners or local super users to independently onboard their devices. This process not only simplifies access but also ensures a clearer inventory management system. Here’s how it works:
- Self-Onboarding: The device owner can enter device details into the Conscia Device Portal, instantly integrating devices into the network without the need for IT intervention.
- Automatic Access Control: Access to these devices is automatically regulated based on the user’s group associations within Windows Active Directory. This ensures that only authorized users can interact with or manage these devices, enhancing security and compliance.
- Inventory Management: The Conscia Device Portal provides a comprehensive inventory list of all onboarded devices. This list is invaluable for managing assets, troubleshooting, and ensuring that all devices are up to date and secure.
- Reduced IT Help Desk Load: By allowing device owners to manage the onboarding process, the Conscia Device Portal significantly reduces the workload on the IT help desk. This not only frees up IT resources for more critical tasks but also speeds up the onboarding process for new devices.
- Enhanced User Experience and IT Security: The streamlined process improves the overall user experience by minimizing downtime and waiting periods for device setup. Moreover, the secure onboarding process, coupled with automatic access control, significantly enhances the IT security posture of the enterprise by ensuring that only approved devices and users are allowed network access.
Benefits:
- Efficiency: Enables a more efficient process for integrating unmanaged devices into the enterprise network.
- Security: Improves security by ensuring devices are properly authenticated and authorized before being allowed network access.
- User Satisfaction: Enhances the user experience by reducing dependency on IT help desk for device onboarding.
- Compliance: Helps in maintaining a better compliance posture by providing a clear audit trail and inventory of all devices.
Network services in shared facilities
A shared facility houses multiple individual companies (or tenants) within the same building or campus. The facility is managed by a single entity (the owner) responsible for providing network services across the entire area. Each tenant requires access to both wired and wireless networks, with their devices connected securely to their private network segment, regardless of their physical location within the facility.
The Conscia Device Portal enables a solution where tenants can autonomously manage their device registrations, facilitating access to a shared network infrastructure while ensuring each tenant’s network traffic remains isolated and secure. Here’s how it works:
- Tenant Self-Service: Tenants can manage their own device registrations through the Conscia Device Portal, adding both wired and wireless devices to the network. This self-service capability eliminates the need for the network owner to intervene in the day-to-day management of network access for tenant devices.
- Automatic Network Segmentation: Upon registration, devices are automatically assigned to the tenant’s private network segment. This segmentation is crucial for maintaining security and privacy, ensuring that the data traffic of each tenant is isolated from others, even though they share the same physical network infrastructure.
- Seamless Mobility: Tenants can move freely within the shared facility, with their devices automatically connecting to their private network segment wherever they are located. This seamless mobility is facilitated by the Conscia Device Portal integration with the underlying network infrastructure, allowing for dynamic assignment of network resources based on device registration and tenant identity.
- Payment Systems: The device registration and login process facilitated by the Conscia Device Portal can be integrated with payment solutions, enabling a “pay-per-user” or “pay-per-device” model. This model is particularly attractive in coworking spaces or business parks where network usage could be monetized, offering tenants flexible billing options based on their actual usage.
- No Owner Configuration Required: The entire process, from device registration to network segmentation and billing integration, operates autonomously without requiring manual configuration by the network owner. This significantly reduces the operational burden on the facility’s management, allowing them to focus on providing value-added services to their tenants.
Benefits:
- Scalability: Easily scales to accommodate the dynamic addition of new tenants and devices without requiring significant changes to the network infrastructure.
- Security and Privacy: Maintains high levels of security and privacy for tenants, ensuring that their network traffic is isolated from others.
- Operational Efficiency: Reduces the operational overhead for the network owner by automating the process of network access management for tenants.
- Revenue Generation: Offers an opportunity for network owners to monetize network services through flexible billing models based on usage.
Network for school projects in education
This use case is crafted to meet the distinctive networking needs of educational environments where students and educators engage with connected devices like Arduino boards, Raspberry Pi computers, and various IoT devices.
In educational settings, hands-on projects involving connected devices are invaluable for learning. However, these devices, due to their open and experimental nature, pose significant security risks when connected to the school’s primary network. The devices might run a variety of software, including custom code that could inadvertently expose the network to vulnerabilities. Thus, there’s a need for a segregated network environment that can safely host these educational activities.
Here’s how the Conscia Device Portal can provide a solution for the educational network infrastructure:
- Dedicated Lab Network Segment: Establishing a separate network segment by means of an isolated VLAN, VRF, SDA VN or other means of network segmentation. This ensures that experimental and project-specific devices can connect to the internet and other lab projects without risking the security or integrity of the school’s primary network.
- Self-Service Device Registration: Use the Conscia Device Portal to allow teachers, local IT support, and even students to register and manage their project devices autonomously. This self-service capability empowers users to take charge of their devices while ensuring that the network remains secure and that only authorized devices gain access.
- Automated Access Control and Network Segmentation: Devices registered via the Conscia Device Portal are automatically assigned to the dedicated lab network segment. This ensures that data traffic from these project devices remains isolated from the rest of the school’s network, mitigating the risk of cross-network security threats.
- Enhanced Security Protocols: By leveraging the Conscia Device Portal, schools can implement advanced security measures such as MAC Authentication Bypass (MAB) for wired connections and dynamic Pre-Shared Keys (PSKs) for wireless devices. These measures are essential for maintaining a secure network perimeter around the lab segment.
- Audit Trails and Device Management: The Conscia Device Portal provides robust audit trails and device management capabilities, enabling schools to monitor and control which devices are connected to the lab network. This level of oversight is crucial for maintaining a secure and efficient educational network environment.
Benefits:
- Safe Exploration: Students and educators can safely explore and innovate with connected devices, knowing they’re operating within a secure, isolated network segment.
- Empowered Users: By allowing users to manage their device registrations, the Conscia Device Portal reduces the administrative burden on IT staff and empowers educators and students to focus more on educational outcomes.
- Enhanced Security: The dedicated lab network segment, coupled with the Conscia Device Portal’s security features, ensures that the broader school network remains protected from potential vulnerabilities introduced by educational devices.
Solution
Overview

The device portal is a web application with two user roles: Administrators and Users. Administrators can view and edit all devices, whereas users can only view and edit the devices relevant to their job role. User roles are assigned based on AD group*.
The portal is a front-end to Cisco ISE. All devices are created in ISE, and authentication of devices is handled only by ISE.
The devices are created in ISE with additional parameters to enable MAB on the wired network and iPSK on Wi-Fi, with dynamic interface assignment and other parameters that ISE and the infrastructure support.
Using pxGrid, the device portal receives updates when devices connect to the network. This information helps users clean out old registrations and is used in the audit log.**
* User validation can also be implemented using ISE if Windows AD is not an option.
** pxGrid is optional
Requirements
Server
- 4 vCPU/Cores
- 8GB Memory
- 500 GB Disk
Operating System
A Linux server on which Docker can be installed using the docker-install script found at https://github.com/docker/docker-install/.
Please note that Docker should not be installed in advance. This will be done by Conscia.
Ubuntu 24.04 LTS using a “minimum install” including OpenSSH server is recommended.
Cisco ISE
- Minimum supported version: 3.2 patch 7
- Tested version: 3.2 patch 7
- Minimum working version: 2.4p12 or later
- pxGrid feature enabled. For ISE 3.x this requires an Advantage license. For ISE 2.x it requires a Plus license.
Connectivity
The back-end component of the application needs the following connectivity permissions:
- TCP/443 towards all nodes in the ISE deployment
- TCP/9060 towards Admin nodes (primary and secondary) in the ISE deployment
- TCP/8910 towards all pxGrid nodes in the ISE deployment
- UDP/1812 towards ISE Authentication nodes if RADIUS authentication is used.
- TCP/1433 SQL towards MS-SQL database server
- Outgoing Internet connectivity for installation and upgrade.
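A reachability preflight for the connectivity list above, as an added example that is not Conscia's own tooling: it expands a node inventory into the required TCP flows and probes each one from the portal server. The hostnames and the inventory format are constructed placeholders; UDP/1812 is left out because a TCP connect cannot confirm it.

```shell
#!/usr/bin/env bash
# Added example: pre-onboarding reachability check for the Device Portal back end.
# INVENTORY is constructed sample data ("role host"); hostnames are placeholders.
INVENTORY='admin ise-pan1.example
admin ise-pan2.example
pxgrid ise-pxg1.example
psn ise-psn1.example
mssql sql1.example'

# TCP ports the data sheet lists per node role. Every ISE node also needs 443.
required_ports() {
  case "$1" in
    admin)  echo "443 9060" ;;
    pxgrid) echo "443 8910" ;;
    psn)    echo "443" ;;   # UDP/1812 (RADIUS) cannot be proven by a TCP connect
    mssql)  echo "1433" ;;
    *)      return 1 ;;
  esac
}

# Expand "role host" lines into one "host port" line per required flow.
build_plan() {
  printf '%s\n' "$1" | while read -r role host; do
    [ -n "$host" ] || continue
    ports=$(required_ports "$role") || { echo "unknown role: $role" >&2; continue; }
    for p in $ports; do echo "$host $p"; done
  done
}

# Succeeds if a TCP handshake completes within 3 seconds.
tcp_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Probe every planned flow; return non-zero if any is blocked.
run_checks() {
  failed=0
  while read -r host port; do
    if tcp_open "$host" "$port"; then echo "OK      $host:$port"
    else echo "BLOCKED $host:$port"; failed=1; fi
  done <<EOF
$(build_plan "$1")
EOF
  return "$failed"
}

# Run from the portal server with: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then run_checks "$INVENTORY"; fi
```

A BLOCKED line identifies the firewall rule to request before the onboarding workshop; RADIUS on UDP/1812 still has to be verified with an actual authentication attempt.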
Conscia tests new major and minor ISE releases. The data sheet reflects the latest tested and supported version. For mission-critical deployments it is recommended to either wait for Conscia to test a new ISE release or do your own testing in pre-prod.
Ordering Guide
- The Device Portal is sold as a yearly right-to-use license in 3 sizes.
- It is installed by a Conscia Engineer. We recommend using our Onboarding Workshop to ensure the expected outcome for a fixed price. If your regular Conscia Engineer is up for the task and knows your infrastructure well, you could opt to do it at normal hourly rates.
For deployments exceeding 10,000 devices, please present your business case to us. This will allow us to assess your needs and provide a tailored enterprise licensing solution including custom arrangement for installation, support etc.
Right-to-use license
The right-to-use license grants users the ability to download new software versions, search for solutions to issues and tips, and report potential bugs online. The right-to-use license does not provide any support or troubleshooting support! It is recommended to include a Critical Response subscription with Conscia Service Desk to get access to support.
The Conscia Device Portal is offered as a service. The Right-to-Use license grants permission to use the application for the duration of the following year, covering up to the number of devices specified.
- Small: Up to 100 devices
- Medium: Up to 1000 devices
- Large: Up to 10000 devices
- Enterprise: More than 10000 devices
This license allows access to new releases of the application, as well as to documentation on Conscia Software Online.
Onboarding
The application is installed and implemented by Conscia on a server prepared by the customer as part of the onboarding. The onboarding includes:
- Remote installation of software by Conscia
- Onboarding workshop together with customer
- Introduction to the Conscia Device Portal
- Configuration* of
  - Device Groups
  - AAA Groups
  - Interfaces
  - Device Types
  - Up to 10 initial devices for test
- Creation of an SSID for iPSK or adaptation of an existing PSK SSID on Cisco Catalyst 9800, AireOS WLC or Catalyst Center
- Creating a sample template for a switch port config with MAB or dot1x with MAB fallback on Cisco IOS, IOS-XE or Catalyst Center. (Final implementation on switch ports should be thoroughly tested after the workshop before production implementation).
- Adaptation of ISE Policy Set to match new iPSK and MAB setup.
- Introduction to the Conscia Software Online support site and possible onboarding here.
The onboarding workshop is hosted by a Conscia System Engineer, possibly in an online meeting.
* If there is a large bulk of the mentioned items to create, we expect the customer to perform this work after the onboarding.
Getting started
If you are already running Cisco ISE, starting to manage your unmanaged devices is simple.
Ready to Order
Customers who have already received an offer and are ready to take the next steps can use the request form to provide the needed information and plan the onboarding workshop.
Request a Quote
If you’re considering our services and would like to receive a quote, we’re here to help. Please provide as much detail as possible about your needs and requirements so that we can help you in the best possible way.
Roadmap
Podman
Running the device portal in RedHat Podman is no longer supported. Customers running the Conscia Device Portal on Podman should begin migration to standard Docker / Docker Compose.
Document history
Date | Data Sheet Version | CDP Version | Change |
2024-12-04 | 0.6 | 2.2 | Deprecation of LDAP removed. We decided to fix it. |
2024-10-35 | 0.5 | 2.2 | Comments about ISE 3.2 bug. Clarification about LDAP support. |
2024-08-22 | 0.4 | 2.2 | LDAP auth of user login is deprecated. Use radius via ISE to enable login via AD credential. |
2024-04-23 | 0.3.1 | 2.0.2 | Cosmetics |
2024-01-05 | 0.3 | 2.0.2 | Adding recommendation for testing MAB auth after onboarding workshop |
2024-01-02 | 0.2 | 2.02 | Moving sections around |
2024-02-01 | 0.1 | 2.0.2 | Use Case section added |
2024-01-26 | 0.0 | 2.0.2 | New draft Data Sheet collecting data from older documentation |