BYOD Solution Components

The following components make up the Cisco BYOD solution. See Figure 4-1 for where each Cisco component fits topologically within the overall solution:

BYOD devices: These are the corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location. This physical location can be the corporate campus, the branch office, the home office, or a public location such as a coffee shop or hotel. BYOD devices include laptops, smartphones, tablets, e-readers, and notebooks.

Wireless access points (AP): Cisco wireless APs provide wireless network connectivity to the corporate network for both corporate-owned and personally owned BYOD devices. These APs can be physically located in the corporate campus, the branch office environment, or in the home offices of the employees.

Wireless LAN (WLAN) controllers: Cisco WLAN controllers (WLC) serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution. WLCs are used to implement and enforce the security requirements for the BYOD solution that map back to an organization’s security policies. The WLC works with the Cisco Identity Services Engine (ISE) to enforce both authentication and authorization policies on each of the BYOD endpoints that require connectivity to the corporate network, both directly and remotely.

Identity Services Engine (ISE): The Cisco ISE is a critical piece of the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.

Cisco AnyConnect Secure Mobility Client: The Cisco AnyConnect Client provides connectivity for end users who need access to the corporate network. For users within the corporate campus, branch, and home offices, the AnyConnect Client leverages 802.1X to provide secure access to the corporate network. For users who are using public Internet access (coffee shops, hotels, and so on), the AnyConnect Client provides secure VPN connectivity, including posture checking, for the user’s BYOD device.

Integrated Services Routers (ISR): Cisco ISRs will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments. In addition, the ISR will provide both wired and WLAN connectivity in the branch office environments. Finally, the ISRs can be leveraged to provide VPN connectivity for mobile devices that are part of the BYOD solution.

Aggregation Services Routers (ASR): Cisco Aggregation Services Routers (ASR) provide WAN and Internet access at the corporate campus and serve as aggregation points for all the branch and home office networks connecting back to the corporate campus for the Cisco BYOD solution.

Cloud Web Security (CWS): Formerly ScanSafe, Cisco Cloud Web Security (CWS) provides enhanced security for all the BYOD solution endpoints while they access Internet websites using publicly available wireless hotspots and 3G, 4G, and 4G LTE mobile networks.

Adaptive Security Appliance (ASA): The Cisco ASA provides all the standard security functions for the BYOD solution at the Internet edge. In addition to traditional firewall and intrusion prevention system (IPS) functions, the ASA also serves as a VPN termination point for mobile devices connecting over the Internet from home offices, branch offices, public wireless networks, and 3G/4G/4G LTE mobile networks.


Note

The ASA serves as the primary VPN termination point in the program described here, but other platforms and technologies can provide VPN access in a BYOD solution.


RSA SecurID: The RSA SecurID server provides one-time password (OTP) generation and logging for users who access network devices and other applications that require OTP authentication.

Active Directory: The Active Directory (AD) server enforces access control to the network, to servers, and to applications. It restricts access to those users with valid authentication credentials.

Certificate authority: The certificate authority (CA) server provides for, among other things, the onboarding of endpoints that meet certificate requirements for access to the corporate network. The CA server ensures that only devices with corporate certificates can access the corporate network.
