
CGX Access POC Plan

Customer: Mapua Institute of Technology
Partner: Microbase Inc.
Revision Date: May 16, 2017

Schedule
Setup Dates:
Days: 1 - 2 days for setup and configuration, with 1 day show and tell and hand-over.

Key Customer Requirements (adjust as required):

Local Area Network

1) Full visibility for the end-user segments
2) Prevent rogue \ unknown devices on the LAN segments
3) On the LAN, no network changes should be made
4) AD joined devices should be allowed full access to the corporate network
5) Devices not managed by Anti-Virus should be restricted
6) Solution should fail-open

Wireless LAN

1) Full visibility of the end-user segments
2) Require BYOD devices to be registered
3) Provide a mechanism for guest registration and automatic expiration

Testing Prep Questions \ Prerequisites

1. Which subnets will be used for testing? Complete the table below.

2. Will the customer provide VMware infrastructure to host the CGX Access virtual appliance?
   Minimum requirements: dual-core CPU, 2GB RAM, 10GB HD space.
   Answer: We have an existing VMware infrastructure to host the virtual appliance (see below for the specs of the server).

3. Does the VM infrastructure have access to each of the VLANs to be tested? Yes.

4. Can the customer provide a VLAN trunk with the VLANs to be tested? Yes.

5. Does the customer have an Active Directory server? Desirable: a) AD integration can be configured so managed devices are given full access by default; b) device registration.
   Answer: The test environment segment has an AD server.

6. Does the customer use Symantec, Sophos, McAfee, or Trend Micro Anti-Virus? Is AV integration desired?
   Answer: I think we can skip over this feature since we use Microsoft Forefront as our AV.

Subnets to be tested

| Network Segment          | Location \ Info                                                                | Use Case                                  | VLAN ID \ IP Ranges                       |
|--------------------------|--------------------------------------------------------------------------------|-------------------------------------------|-------------------------------------------|
| Test Environment Segment | Datacenter                                                                     | Will host VM appliance and captive portal | VLAN 1000, 172.17.100.1 – 172.17.100.254  |
| Test Environment Segment | HQ – end-user segment                                                          | Company owned devices only                | VLAN 1000, 172.17.100.1 – 172.17.100.254  |
| Staff SSID               | HQ – uses pre-shared key; want users to register their devices with AD account | BYOD, no corporate owned, no guests       | VLAN 1000, 172.17.100.1 – 172.17.100.254  |
| Guest SSID               | HQ – guests must register for access                                           | Guests only, with account expiration      | VLAN 49, 192.168.49.1 – 192.168.49.254    |

Configuration details

| Setup required                                           | Purpose                                                          | Customer provided info                                                                                                                                                  |
|----------------------------------------------------------|------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| VMware infrastructure (who provides?)                    | Host CGX Access VM appliance                                     | VMware; Model: PowerEdge 6850; CPU cores: 8 CPUs x 3.391 GHz; Processors: 4; Cores per socket: 2; Logical processors: 16; Intel® Xeon™ CPU 3.40GHz; RAM: 16GB |
| VMware networking (virtual adapters and\or trunk ports?) | CGX Access must have access to each of the subnets to be tested on | Host server is configured to be trunked and virtual NICs can be configured for VLAN assignment                                                                        |
| Static IP for management                                 | Manage CGX Access                                                | 172.17.100.200/24                                                                                                                                                       |
| Static IP for landing page                               | BYOD \ Guest captive portals                                     | 172.17.100.201/24                                                                                                                                                       |
| Active Directory IP                                      | Optional: integration \ BYOD registration                        | 172.17.100.11/24                                                                                                                                                        |
| Active Directory suffix                                  | Integration \ BYOD registration                                  | mapua.edu.ph.local                                                                                                                                                      |
| Active Directory account (any account will work)         | Integration: domain joined devices will be given full access     | mapua\mdtdelfin / mapua123                                                                                                                                              |
| AV brand and IP                                          | Optional: AV integration for compliance checks                   | Microsoft Forefront                                                                                                                                                     |
| AV SQL database                                          | Required for Sophos, McAfee, and Trend Micro AV compliance checks | N/A                                                                                                                                                                    |
| AV SQL account                                           | Required for Sophos, McAfee, and Trend Micro AV compliance checks |                                                                                                                                                                        |
| Email server (server and account details?)               | Used for sending alerts                                          | NONE                                                                                                                                                                    |

POC Test Environment


CGX Access Server
Managed IP Address:
Username: admin
Password: admin

POC Results

| User Type                                                            | Compliance with Policy | Access Rights                                           |
|----------------------------------------------------------------------|------------------------|---------------------------------------------------------|
| Managed PC that is compliant with all security requirements          | Yes                    | Full Access                                             |
| Managed PC that is not compliant with critical security requirements | No                     | Limited Access with remediation access, i.e. AV updates |
| White-listed device                                                  | NA                     | Full Access                                             |
| Unknown device                                                       | NA                     | Restricted Access                                       |
| BYOD device                                                          | NA                     | BYOD Access                                             |
| Guest device                                                         | NA                     | Guest Access                                            |

POC Check List

LAN \ WLAN Control:

AD joined devices have Full Access with a transparent end-user experience.

Unknown endpoints should be detected in 15 seconds or less.

Unknown devices are quarantined immediately.

Unknown devices should be redirected to a captive portal page.

Unknown devices cannot send traffic to whitelisted devices or servers on other network segments; pings fail. Note: can be configured so protection is extended to all Full Access devices.

Devices flagged as blacklisted should be quarantined immediately.

Devices not compliant with AV policy should be assigned Limited Access.

Verify the ability to resume Full Access after becoming compliant.

Demonstrate the ability to redirect web traffic while under quarantine.

Devices granted Guest Access should be limited to internet only.

Access control changes occur in less than 10 seconds.

Audit Capabilities:

Detect if the device is domain joined.

Detect if AV real-time scanning has been disabled.

Detect if Antivirus has been updated within 14 days.

Detect if the device is enrolled for Windows Updates.
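As an added example (not part of this POC plan or of the CGX Access product), the following PowerShell runs the same four audit checks locally on a Windows endpoint, so a test machine's own state can be compared against what the appliance reports during the POC. It assumes Windows 8 / Server 2012 or later with PowerShell 5+ and the Defender / System Center Endpoint Protection module that provides Get-MpComputerStatus; the 14-day signature threshold is taken from the checklist, and the function name is hypothetical.

```powershell
# Added example: local endpoint audit mirroring the POC "Audit Capabilities" checks.
# Assumes PowerShell 5+ and the Defender/SCEP module (Get-MpComputerStatus) on the endpoint.
function Get-EndpointComplianceReport {
    param([int]$MaxSignatureAgeDays = 14)   # threshold from the POC checklist

    # 1. Domain membership: Win32_ComputerSystem.PartOfDomain is the authoritative flag
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain
    $domainName = if ($domainJoined) { $cs.Domain } else { $null }

    # 2./3. AV real-time protection and signature age (null if the AV module is absent)
    $rtEnabled = $false
    $sigAgeDays = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        $rtEnabled = [bool]$status.RealTimeProtectionEnabled
        $sigAgeDays = [int]$status.AntivirusSignatureAge
    }
    $sigCurrent = ($null -ne $sigAgeDays) -and ($sigAgeDays -le $MaxSignatureAgeDays)

    # 4. Windows Update enrollment: wuauserv not disabled and AU not switched off by policy
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAutoUpdate = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $wuEnrolled = ($null -ne $wu) -and ($wu.StartType -ne 'Disabled') -and ($noAutoUpdate -ne 1)

    # Expected NAC outcome per the POC results table: Full Access only if every check passes,
    # Limited Access (remediation) for a managed but non-compliant PC, Restricted otherwise.
    $expected = if ($domainJoined -and $rtEnabled -and $sigCurrent -and $wuEnrolled) { 'Full Access' }
                elseif ($domainJoined) { 'Limited Access (remediation)' }
                else { 'Restricted Access' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DomainJoined          = $domainJoined
        Domain                = $domainName
        RealTimeProtection    = $rtEnabled
        SignatureAgeDays      = $sigAgeDays
        SignaturesCurrent     = $sigCurrent
        WindowsUpdateEnrolled = $wuEnrolled
        ExpectedAccess        = $expected
    }
}

Get-EndpointComplianceReport | Format-List
```

Run it on the test PC before and after disabling real-time protection (or letting signatures age past 14 days) and compare ExpectedAccess with the access assignment the appliance shows in Device Manager.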

Guest \ BYOD:

Policies can be set to limit who can bring devices and the types of BYOD devices allowed.

Policies to limit the number of devices allowed per employee \ guest.

Employees (sponsors) should be able to create guest accounts for their visitors.

Employees (sponsors) should be able to allow their guests to create their own guest accounts.

Guests should be limited to specific network segments or internet only.

Guest accounts should expire automatically, with support for several predefined expiration values.

Should allow for guests to be promoted to Consultants with greater network access.

Visibility Reporting:

Show OS devices pie chart - Overview

Show Access Assignments - Overview

Show Device Manager for audit details

Show Guest Reports

Show BYOD Reports

Screenshots after POC (images not included in this extract): Overview, Dashboard, Network Map
