RUCKCast

RUCKCast #68: Choose Your Own CloudPath...

April 06, 2023 Ruckus Networks Season 3 Episode 8

On our latest episode, Jim and John are joined by Christopher Mohammed, PLM for RUCKUS CloudPath, to talk about some of the best things that CloudPath can do, that perhaps you weren't aware of.

Intro music by Alex Grohl, available here:
https://www.youtube.com/watch?v=ZsRWpx8VJ_E
and
https://pixabay.com/users/alexgrohl-25289918/

Episode 68 - Choose Your Own Cloudpath

John Deegan: All righty. And just like that, we are back with another episode of the RUCKCast. Hi Jim. How are you? 

Jim Palmer: I'm hanging in there, John. How are you doing? 

John Deegan: I can't complain. And we have a third person with this again. This is like, we're getting way too serious man. 

Jim Palmer: It is. We're gonna have to stop this. Well, we missed a week cause I was sick, so.

We, we're not that serious. Let's be, let's be honest with you, I didn't roll outta my deathbed to to record, so we're, we're only kind of serious at this point. 

John Deegan: Well, I guess we should introduce this, this person, since we've, 

Jim Palmer: it kind of fits Cause he's, he is not serious at all. So this is gonna be 

John Deegan: Not at all, this is, this is why it's, it's a good thing we don't have the video feed for the podcast unfortunately. This is just for our benefit. We're laughing cuz he's hamming it up. But with us today is the Cloudpath PLM himself, Mr. Christopher Mohammed. 

Christopher Mohammed: Good day everybody. Yeah. Thanks for having me. I'm excited, Chris. Yeah, yeah. Is. 

John Deegan: I was gonna say, should we call him Christopher?

Should we call him Chris? Should we call him C-Mo? I think everyone, 

Christopher Mohammed: You know, it's funny, it's, whenever I go to any meeting there's, you know, like six Chrises. So, so I, I always introduce myself as Christopher. So when they say, Chris, I know not to pay attention, but as soon as they say Christopher, I have to perk up and go, I'm sorry, can you please repeat the question?

Jim Palmer: Because you weren't paying attention. Yeah, yeah. That sounds sounds about right for the, the Christopher we know and love. How you doing, Chris? Oh, sorry. How you doing, Christopher? Oh, by the 

role? Yeah, 

Christopher Mohammed: Just just peachy here. It's all of a sudden it's winter again in Toronto, which is interesting.

I thought what's the saying for March in, in like a lion out like a lamb or something like that? 

John Deegan: Something like that? 

Christopher Mohammed: Yeah. Yeah, yeah. It's it's, you know, yesterday we had thunder showers, lightning and a snowstorm all in the span of about 45 minutes. 

John Deegan: Nice. 

Jim Palmer: That sounds about right for spring. Yeah.

Christopher Mohammed: Yeah. No. Is that for you guys as well? 

John Deegan: Pretty much, yeah. 

Jim Palmer: Pretty much. Yeah. 

This has been a very rough, rough couple of months. I mean, it's just like, cuz normally like I'm in Denver and which is conveniently enough, really close to where the original Cloudpath office used to be. And it's been so much snow. Every...

Stop it, Chris. 

It's been, 

Christopher Mohammed: hi, what is wrong? This is a serious podcast, Jim. 

Yeah, we've 

Jim Palmer: So anyway, so Cloudpath. 

Christopher Mohammed: So that took 10 minutes to write, by the way, and I wrote it backwards for you guys. I don't know if you guys saw it, but, sorry, go ahead, Jim. 

Jim Palmer: What? I thought you had a brand new camera that didn't need things written backwards.

What type of camera did you get there? 

John Deegan: You just need a button on the camera. 

Christopher Mohammed: Which one? Sorry. 

John Deegan: I thought you just have a button on the camera that makes it not mirrored. 

Christopher Mohammed: That probably is true. I don't know how to use computers. 

Jim Palmer: Well, it's funny. It's funny because the Marshall Amps in the background there behind you.

I can read that. And they're not backwards. 

Christopher Mohammed: No, they're not. 

John Deegan: No, never been. 

Christopher Mohammed: It's funny. So hold, was it backwards when I held up the sign? 

John Deegan: No.

Christopher Mohammed: I did it, guys. 

I did it. 

Jim Palmer: Are you sure you wrote it backwards? Are you sure? Are you sure of anything at this point? All I can tell. 

John Deegan: There is no drug testing on this show, so 

Christopher Mohammed: No judgment. Alright. Alright. Where, where were we?

Jim Palmer: Cloudpath, you, you, you have something to do with Cloudpath? 

Christopher Mohammed: How many, how many 

clips are we gonna get out of this?

Outta this? 

John Deegan: Hopefully one. 

Jim Palmer: Well, that sounds like work and we're not about to work, so, so yeah, 

John Deegan: just one.

Jim Palmer: So Cloudpath, what? You, you, you might know something about Cloudpath. Why don't you, for people who don't know, let's start there. People who don't know. 

Christopher Mohammed: Yeah. 

Jim Palmer: Includes a specific person that we were talking about earlier.

Christopher Mohammed: Mm. Who he is on podcast. 

Jim Palmer: No. Well, no. Well, yes, maybe we could be 

John Deegan: we should actually,

Jim Palmer: No, I'm gonna send this link to 'em. But anyway, for people that were in Brazil this week, that week of, we're recording and don't know anything about Cloudpath, why don't you go ahead and give us a, a little intro to what is Cloudpath.

Christopher Mohammed: Yeah. Yeah. Great. Great question. You know, we, we purchased Cloudpath, you know, RUCKUS did, you know, I think it's like seven years ago. And it was originally meant for secure onboarding, guest and BYOD onboarding. And the product is really taking shape to be the ability to provide identity on the network, policies, and role-based access control.

So, as a user or as a network administrator, you know, knowing who's on the network. What policies should be applied to them? What roles should be applied to them is what Cloudpath could actually provide. You know, I look at, you know, I've been with RUCKUS 10 years and we didn't have anything, anything like this when I first joined the company.

And you know, you would have people join the network and they would ask, well, you know, who's on the network? And you'll be like, well, you know, that's up to your RADIUS server. Or, you know, if it's a PSK, we're gonna look at it by host names. And then we bought Cloudpath. Then we thought, you know, look, we can actually provide identity for users and devices that are connecting to the network.

And then we could take that identity and now we can provide policies based on that identity. So if you're a student, faculty, even IT administrators, we can say, Hey, you know, you can have a policy based on your role on that network. So giving people the privileges that they only require is something that, you know, Cloudpath can do and then just not on wireless or maybe just not on TLS, or, you know, we can provide those policies and actually tag that user and all the devices they're using to provide those policies on any type of network.

So if you are wired network wireless, TLS, PSK, MAC based authentication, PEAP, you know, we can provide the same policies throughout the entire network that that you're joining. I see you guys typing away there. So let's

Jim Palmer: yeah, we're, we're, we're talking to people, 

Christopher Mohammed: not in this video here. 

Jim Palmer: Well, no, we're, so here's the, I mean, we're, we're actually trying to figure out like a lot of what you said, right?

You said, you said identity you. 

Christopher Mohammed: This is 30 minutes just in what I said, so this is good. 

Jim Palmer: Right? So, well you said identity a lot, right? 

John Deegan: He's Canadian. 

Christopher Mohammed: No. Right. Okay. What, what's the American word for identity? Hm. 

But, but no. But see, I we're, 

Jim Palmer: I think, I think as Americans we're having an identity crisis. But that's a podcast topic for different days.

John Deegan: Yeah. 

Jim Palmer: So I wanna go back to the identity thing, cuz this is, this is always fascinating to me. 

Christopher Mohammed: Yeah. 

Jim Palmer: So you were talking about like providing an identity even though I'm being onboarded. Yeah. So, as, as, as the Jim, you know, dumb guy, end user. How does that look to me? How does, how do I experience this? Oh, I'm being provided an identity even though I'm being on, I mean, how do, how do you tie those two things together to where, you know, I roll in, I'm Jim, I'm a either a brand new student, brand new employee, what, what have you, 

Christopher Mohammed: Right.

Jim Palmer: How, how does that initial interaction look like for me as, as rolling in on day one of 

Christopher Mohammed: Yeah. 

Jim Palmer: In the organization? 

Christopher Mohammed: Yeah. Yeah. And this could be something that happens day zero, right? So even before you actually roll into, into the, you know, your place of work or school, you can go ahead and actually go through Cloudpath workflows to actually get onboard, onboard those devices.

So think of it as you know, maybe as a student showing up to campus for the day one, right? So, you know, maybe on break they get a package saying, Hey, welcome. You know, welcome to campus. Congratulations that you know, you're gonna be joining the school in, in, in September, or whenever the school year starts.

You know, if you wanna get yourself online before when you show up, that your device just works. Go ahead and do this, and here's the link to do that, and here's your credentials. However, those are presented to the, to the end user. So as an end user, I would click on a link, or if I was on campus, you know, connect to an onboarding WLAN or plug into port, and I'm automatically redirected to that onboarding page.

I would then be presented with say, something like an acceptable use policy, and then within Cloudpath we can tie into any type of identity providers that that you want to use. So if it's Google, Azure, on-prem Active Directory, some other OAuth or SAML provider, Cloudpath can create, create that connector for you.

So you would go ahead, enter in your credentials, username, password, whatever those, those are. Cloudpath on the backend would go out, validate that you're you, provide whatever group membership, other identity information that, that we need to, and then go ahead and provision that device to get on the network and, you know, using certificates as one way.

But if you want to use something like a RUCKUS DPSK or MAC based authentication or PEAP, we can also do that as well. So the ability really to go out and grab information from an identity provider and then present it to you. So as you use those devices, we actually know that it's, you know, Jim's tablet or Jim's Windows machine, or Jim's Roku device, whatever that's gonna be.

So now we're actually giving identity of that user and his devices on the network. 

Jim Palmer: Okay, 

John Deegan: So, so you're talking about end user devices and certificates and identities and things like that. How are we getting that cert to the end user device? How does Cloudpath do that? 

Christopher Mohammed: If we're doing certificates, we could actually provision those devices within the workflow.

And there's, there's a couple different ways to do it. So if you, if your device is, say IT managed right, and they have some type of MDM or even it's tied into say, you know, Active Directory, you know, we can automatically provision those devices without any type of user interaction. So if you have Intune or Endpoint Management System, or Casper or Jamf or something else doing your MDM management, we can provision those devices automatically, right?

With no user intervention. If it's tied into, say, Active Directory, within Cloudpath you can build an MSI and then deploy those through some Group Policy Object and Active Directory, and automatically provision those devices. Now, if they don't fall into those two camps, you know, if it's a user, it's a BYOD device, or even guest devices.

If you wanna do things like certificates, Cloudpath will automatically onboard those devices. So as a user, you can go through a workflow, provide your identity, and then you know, Cloudpath will actually provision those devices with the certificates that are necessary to provide identity onto the network, as well as move your device to the secure network.

Jim Palmer: So I think this is a really important thing. Because with the introduction of 6 Gigahertz two years ago, has it been two years since we first heard, and you know, were promised 6 gigahertz stuff. But anyway, with 6 gigahertz WPA3 is now this, you know, this big thing because WPA3 is required in 6 gigahertz.

And I know, Christopher, this is a conversation you and I have had 

Christopher Mohammed: mm-hmm. 

Jim Palmer: In the past is about the idea about, okay. We have to do WPA3. There is no open anymore. There isn't any of this other stuff. So we have to come up with either, you know, an SAE connection, an OWE connection or an enterprise connection.

And I know for a lot of the people and customers that I talk to, part of their problem that they have is they go, we really want to go with like an EAP TLS, you know, 802.1X, you know, actual enterprise type connection, but we don't know how to get the certificates onto all of our client devices. You know, we have a thousand devices or we, or 10,000 devices, or however many they have.

Christopher Mohammed: Mm-hmm. 

Jim Palmer: And so this is always a question in my field is how do you build that? Is, I just want to sort of ask the question again. Is Cloudpath an answer to this? Is Cloudpath an answer to where we say, Hey, you know what, if you know, pushing into WPA3 and 

Christopher Mohammed: mm-hmm 

Jim Palmer: 6 GHz, if you really want to do this and you wanna do it right and your fear and your concern is, how do I get certificates onto my devices so I can run an EAP TLS network?

Is this something that you know, can be stood up and then, and then go, okay, everybody, we're now migrating to 6 gigahertz. So, now that the device, now there's no question about does the device support, because if it supports six gigahertz, it has to support, you know, WPA3 and I'm, I haven't heard of any device that's like, oh, well we support OWE and SAE, but we don't support, you know, enterprise.

Christopher Mohammed: Mm-hmm. 

Jim Palmer: Is this, is this a solution for that? 

Christopher Mohammed: Yeah, that's a good point there, Jim. You know, why don't every time we talk certificates, for some reason it's this big scary thing. 

Jim Palmer: It is.

Christopher Mohammed: Mean, it's really important. Yes. It, you know, everyone gets you know, like, well, I don't understand certificates, but, you know, talk to me about OSPF or something else, and I'll, I'll, I'll, and, you know, I get that. But I'm like, well, you know, it's, and, and, and the really, the goal was of for Cloudpath is really to make that as easy as possible.

Right. We understood that it was the, kind of the gold standard for security using EAP TLS. But there were required interaction to get those certificates on those devices. Right. And, and, you know, Cloudpath figured it out years ago how to make it as simple as possible. So, you know, putting those devices on the network is, is what, you know, Cloudpath has done traditionally very well.

Get the certificates on the device, move them to a secure network, and now with six gigahertz and WPA3 only, well, you know, certificates becomes, you know, almost mandatory for those enterprise devices on WPA3.

John Deegan: Love certificates. 

Jim Palmer: Well, and 

Christopher Mohammed: as the eye roll. As the eye roll certificates. 

John Deegan: Well, I mean, how many times have you seen the, them being the problem, right? Expired certificates, wrong certificates. 

Christopher Mohammed: Mm-hmm. Right. Didn't get the certificates right, right. Yeah. 

Jim Palmer: So is that something, I mean, John brings up a good point.

One of the scary parts about certificates is this idea that. They expire, you know? 

Christopher Mohammed: Right, right. Yeah. 

Jim Palmer: You know, it's like, how many times have people gone to a website and it's like, oh, the certificate expired on the website, and that's just, 

Christopher Mohammed: Well, I don't know what website you're going to. I may have an idea.

Jim Palmer: Well, we, 

John Deegan: It was a family show. 

Jim Palmer: We, we especially weren't recording when we had that discussion earlier. 

Christopher Mohammed: Is that podcast 2, that happened? I dunno. 

John Deegan: It's like after dark. 

Jim Palmer: No. Okay. No. So HTTPS certificates aren't exactly the same. Are are they the same thing? And this is the, this is the whole thing is because it's just, and I think part of the problem with certificates is we just sort of throw this name, this term around, right?

Oh, it's a certificate. You know, when you say stuff like OSPF, and John, just for your edification, OSPF is a routing protocol. 

John Deegan: I, I know what it means. 

Jim Palmer: He's not a, he's not a switch guy. Yeah, he's not a switch guy. He calls every day. It's like, switch questions from John is like, I need to have, we need to have a whole podcast switch, switch.

John Deegan: I know what OSPF is. 

Jim Palmer: Okay. So anyway, but when you say OSPF, it's a very specific thing. I mean, everybody knows exactly what you're talking about when you, but when you say certificate, it's just, it's, to me, it almost feels like this catchall term, right? Oh, certificate. But what exactly does that mean? 

Christopher Mohammed: Yeah.

Jim Palmer: So, So, yeah, 

Christopher Mohammed: there's different, oh, go ahead. I'm sorry. 

Jim Palmer: I'm well, but No, I mean, but the question, so there are different certificates, but then there's also the question of the certificates expiring is that, you know, if I have Cloudpath, I'm again,

Maybe we should not have done cameras for this one

if 

Christopher Mohammed: we're standing up down there 

John Deegan: after the week we had, we needed this. 

Christopher Mohammed: Mm. 

Jim Palmer: All right, so let's go back to, back to, I'm, I'm a, I'm a student at, at a school university K-12. You know, oh, oh, I want to be a high school student, cuz high school students know everything so, I'm a high school student, I know everything, and it's now I'm coming into my second or third year and my certificate is expiring.

Is that, is that also something that Cloudpath can help me with? 

Christopher Mohammed: Yeah. 

Jim Palmer: Or is that, is, I mean, how do, how do I make sure that my, you know, as, as you know, 17 year old Jim who knows everything 

Christopher Mohammed: Yeah. 

Jim Palmer: But doesn't actually know squat. 

Christopher Mohammed: Right. 

Jim Palmer: Is that something that Cloudpath can help me or help you as a school administrator with you don't know.

Christopher Mohammed: Okay. Yeah, 

yeah. No, that's, yeah, that's, that's Cloudpath can definitely help with that, Jim. So when your certificate's about to expire, we can actually just let you know, Hey, you know, within seven days or x amount of days, this certificate's about to expire. You can go back through the same onboarding that you did before and go ahead and get a brand new certificate.

And even from a network administrator perspective, you know, if they're, if they're dealing with certificates you know, we could actually say, well, you know, Jim, you're a high school student. You're allowed to onboard, say, two or three devices and you can choose those two and three devices. So, you know, what's the refresh cycle on a phone these days?

Is it every, you know I'm still on my iPhone like, 6s. So you know, and if you think I'm joking, it's, it's, it's right here with me. You know, here's, here's my iPhone 6s, right? And I'm still using this, this thing and, but the, what's the refresh cycle? Every, you know, new phone comes out and even though it still does the same thing, you gotta get the new one.

So if it's every, say two years or three years you know, that's probably within someone's high school career. You know, we can give certificates for X amount of time. It could be one year, two years, three years. It could be, you know, a week. It's up to the network administrator and how they wanna do that.

But if it does get expired or they get a new device, they can definitely go back through the workflow and just re-onboard those devices and get a new certificate. And it'll good be, it'll be good for X amount of time. And if they have, the ability to say, Hey, network ability to say, you know, you can onboard, you know, two devices, you choose those two devices, they can go back through the workflow and offboard a device or revoke a certificate and then onboard their, onboard their new device.

And, and what's cool about, you know, Cloudpath as well is that if the certificate is actually revoked and it shows up on the network, we can actually let the network administrator know that, hey, that revoked certificate's on the network. Jim came back and you know, Jim isn't allowed, I'm picking on Jim here.

Jim's not allowed on the network for X reasons. You know, he shows up and tries to authenticate, well, let's let the network administrator know and say, Hey, you know, Jim is showing up. He shouldn't be on premise or shouldn't be connecting. Yep. 

Jim Palmer: That's a really interesting use case that I'd never thought of because.

I mean, I, I heard a story one time about some students who went to their school and they vandalized it. You know, it was at night or the weekend or whatever, and they figured out who it was based on. They went back to the Wi-Fi logs and they were like, oh, these devices automatically connected. And so if you were to have a student that you had asked not to come back for any number of reasons, most of the time they're not, even though they think they know everything, they're not smart enough to realize that, hey, my device is going to remember the network, and as soon as I see it, I'm gonna try to connect.

And if I haven't did any, if I haven't done anything on my side, then having that, especially an email that says, Hey, this revoked certificate has now appeared with a date and timestamp. That's actually a really, really critical piece of information that school administrators could actually do something with that's an actionable item.

Now all of a sudden it's like, Hey, this person showed up on our campus, and, and we could then go back and say, Hey, it was in this area because this is the AP that they tried to onboard with. So, I mean, it's actually, I didn't, and in today's day and age, that's actually a really good feature. 

Christopher Mohammed: Yeah. Imagine trying to catch somebody whose, you know, device showed up as Android X on AP, you know, or Christopher's iPhone.

Right. Maybe there's only one Christopher iPhone. Lots of Chris iPhones probably, but we're gonna be able to catch me. 

John Deegan: We're gonna call yours C-Mo's just because, well, 

Jim Palmer: I'm, I'm now gonna change all of my device names to Christopher's, whatever. 

Christopher Mohammed: Yeah. Mm-hmm. 

John Deegan: I wanna see Christopher's, whatever next time you're sharing a device.

But so, so take, take, taking a little bit of a pivot. So we've got certificates and it's, you know, being able to, to control what devices are on, based on whether they have it or not, is, is, you know, I think everybody kind of knows that. And like Jim said, that's a, a neat feature, but, so what about policies?

How do we control what, you know, what, what's the deal with that? With, with Cloudpath? What can we do with Cloudpath relative to user policies? 

Christopher Mohammed: Yeah. So since we're already connecting to that IDP, so we're grabbing information from Google AD, whatever IDP they, they want to use, we'll support, you know, 

Jim Palmer: And an IDP is? 

Christopher Mohammed: An identity provider.

Yeah. 

Jim Palmer: Oh, okay. 

Christopher Mohammed: Yeah, yeah. You got it. Oh, John got that one. 

John Deegan: Well, I didn't at first. That was one of the things we, what the hell is context? 

Christopher Mohammed: We need like an acronym glossary to 

Jim Palmer: we do 

Christopher Mohammed: Just before that's winding things off. And then we'll play some type of glossary. Bingo. On you. We'll side side game this. 

Jim Palmer: All right. 

John Deegan: So anyways, 

Christopher Mohammed: Yeah, so, so, so as that user went through that, that the, the workflow, you know, if they're using certs, I think we've been using cert a lot, but you know, we could do MAC based authentication, DPSK, you name it. Yeah, yeah, yeah, yeah. But, but, Yeah, I don't, I don't disagree with your grunt there, Jim.

But, so we're using certs or DPSK or something else you know, since we understood that user and grabbed things like user groups we can go ahead and base policies on that. So if you wanted to say, well, you're a student. You belong in your, you know, this VLAN when you're at this location or at these hours or you have these certain ACLs or filter IDs, or if you want us to pass that information up to say, your, your firewall, Cloudpath can do that, right?

So as you've, Jim, you've onboarded, you know, two of your devices. And let's say you use certs on one of them, and then you use something like a RUCKUS Dynamic Pre-Shared Key on your other one cuz it's you know, a gaming device in your residence. We can go ahead and, you know, we understand that it's Jim's device and we can go ahead and build a role based on that or you can provide a role based on that.

And that could be VLANs could be speeds and feeds could be one of the 5,800 different RADIUS attributes that we provide. Cloudpath can return those for all those devices based on Jim's identity. 

Jim Palmer: Now is that, are those policies that are built on the IDP or are those policies that you build in Cloudpath?

Christopher Mohammed: Yeah, they're all policies built in, built in Cloudpath based on information from the IDP. So if you had, you don't have to go. 

Yeah, go ahead. Sorry. 

Jim Palmer: So if you had an, if you had, I mean, and I don't know enough about IDPs to be honest with you, but I mean, could you have a role, you know, a, an the student teacher, administrator, you know, whatever type of role, if, could you have that defined in your IDP already?

Christopher Mohammed: Yes, you can define that in your IDP, but what Cloudpath will do is understand that information and then pass back whatever attributes you want for that role to your switch, to your access point to whatever method you're connecting to. 

Jim Palmer: And of course, that leads us into another topic which we 100% do not have time with, which is microsegmentation.

Christopher Mohammed: Are you cutting me short? Is that what 

John Deegan: No, no, no, no. 

Christopher Mohammed: Like Christopher, you're a lot for 15 minutes already. 

John Deegan: No, no, that'll be, that'll be a whole nother topic for a whole nother show. 

Jim Palmer: But no, we, we, yeah, I mean, the problem with, I mean, the reason why I don't want to go into that is because it it, I mean, we could literally spend 30 to 45 minutes just on that topic, so 

Christopher Mohammed: Yeah. Yeah. It's a great topic. 

Jim Palmer: But, I mean, but that's, that's. So they, you, you sort of build those in your IDP, but then you tell Cloudpath, Hey, from a network perspective, this is what it means when we return. This is a student. 

Christopher Mohammed: Yeah. You got it. So, so imagine within, let's just take let Active Directory, right?

So you're a member of the student group, right? 

Jim Palmer: Right. 

Christopher Mohammed: So as you've onboarded your device, We understand that Jim is part of the student group, so Cloudpath will understand that. You know that group name for Jim is student versus John, who is, you know, a teacher. Maybe he's member of the faculty group.

Yeah. John's very happy with this. 

John Deegan: That is actually, that is actually my degree. 

Christopher Mohammed: Yeah. 

Oh, is it really? Yeah. No, that's pretty cool. 

John Deegan: That's scary actually. So, 

Jim Palmer: yeah, yeah, yeah. 

Christopher Mohammed: So, so, you know, as, as John onboards his device, you know, Cloudpath to understand that he has that group membership. Now when John goes and heads and uses, uses his devices on the network, either plugging wireless, whatever it's gonna be we'll understand that John is a teacher.

We'll understand that Jim's a student, how you've defined that role within Cloudpath. Maybe, you know, John's filter ID is, is faculty. He gets these ACLs pushed down to he's allowed to access these things or not. Cloudpath will do that for you. Same as you, Jim, as you're a student and you're using those devices on the network.

Basically, your, your, your, your role-based access, your policy is essentially tagged to you and your devices. So we understand that John has these roles and these responsibilities, and he's using it on those devices. We'll tag those devices owning to John and his hierarchical of membership is faculty versus Jim who's using, you know, his devices, they're tagged as a student and you know, these are his roles and responsibilities as well.

Jim Palmer: So I have a question. 

Christopher Mohammed: Hmm. 

Jim Palmer: You mentioned also interacting with firewalls. So is, as me being the student and. If I were to try to say, get online and say, Hey, I want to search for, you know, weapons. Is that something that is, you're saying this policy can be actually sent to the firewall where he goes, oh, Jim, as a student, shouldn't be allowed to research weapons.

But John is a, as the faculty would? 

Christopher Mohammed: Oh yeah, that's right. So those roles and those responsibilities, we can definitely forward to the firewalls through through some proxy through proxy. So you can build your rules out within those other mechanisms, 

Jim Palmer: Right. 

Christopher Mohammed: To say, Hey, look, we know that Jim is a student.

You know, he's, he's allowed access to things. He's not allowed to access these things, and you can have as many roles as you want. So you could say, you know, if you're in a k, K to 12 environment, you know, maybe the upper schools are allowed, or upper classes are allowed to. Grades are allowed to access these things.

While the lower grades are not, we definitely can send all that information up to those firewalls as well. There's also, within Cloudpath, there's also the ability to install third party CAs. So a lot of these content filterings that are using, being used in you know, K to 12 environments, they do require a certificate also to be installed on those devices. 

Within Cloudpath, we can actually roll all that into the package for, for those devices. So as Jim, you onboard your device and you need that content filter certificate. We can actually roll that into the, the package as well and deploy that on your device so that not only will you get your identity, but you'll also get a content filtered certificate to be trusted as well. So 

Jim Palmer: Interesting. 

Christopher Mohammed: Very interesting. Yeah, it's really, you know, Cloudpath is, you know, originally it was like secure onboarding, but there's just, you know, so many different features that are available within the product and we're still talking maybe about, you know, 15% of the features of, of that product.

And, you know, I've been a, an SE previously. And I would always show Cloudpath up and there'd be, you know, like 15 different features that would, that we would talk about. We're talking about maybe two, two or three of those features of that, of that product. 

John Deegan: Cool. So if I was to deploy Cloudpath and I wanted to know how it was performing, what it was doing, how it was working, is there any sort of metrics?

Christopher Mohammed: Yeah, that's, yeah, we have metrics within, within Cloudpath as well. So within Cloudpath we've got this great feature called traffic monitoring, and you can get a year's worth of, of data in that. So and you can be as granular as minutes or as macro as, as a year. And they are things like RADIUS Auth.

How many people have accepted the AUP, accounting information. All, all that is available within Cloudpath. But also things like identity and Auth roles, all those things can be passed up to something that we call RUCKUS Analytics. So what's really important about Cloudpath is, is. I think that says R Jim, which is maybe some type of pirate language.

I'm not sure. 

John Deegan:

Jim Palmer: I'm trying to write backwards. 

Christopher Mohammed: So 

Jim Palmer: Sorry. 

Christopher Mohammed: What's great about Cloudpath is okay, we can give those identity, but if, you know, if you want to figure out. You know, our connection tracking or analytics anything that's happening in terms of incidences, we can enrich that information upstream and say, well, look, you know, Jim is misbehaving, or maybe Jim is fine.

Yeah. Or, or John. Oh, you gotta flip it around. You gotta mirror it, John.

We can enrich that information that we're sending up to, not just firewalls, but our own analytics platform, saying, no, if you wanna look up all of John's devices now, you're not just looking at a MAC address. You can type in, you know, his identity, which is John something or another. And then you'll get a list of all of, of, of Mr. Deegan's devices that are available. Are they behaving fine? Are they behaving poorly? Are there any risks associated with them? Is he connecting to the right network? 

Jim Palmer: So 

Christopher Mohammed: Yeah, go ahead. 

Jim Palmer: So his, I, his identity actually populates up to, to like a RUCKUS Analytics? 

Christopher Mohammed: That is correct. 

That is correct.

John Deegan: Pretty cool. 

Jim Palmer: Oh, that is, that is nice. I didn't realize that, that, that. And that's a key field, especially for people who aren't networking nerds. They're like, I just want to know what is, what is John or what is Jim? Cuz we know John's perfect. What's Jim? You know, 

Christopher Mohammed: What is, what is Jim? 

Jim Palmer: What is Jim? 

Christopher Mohammed: Yeah, that's another podcast.

Podcast. We're gonna call that one. But if you look at 

Jim Palmer: Yeah, 

Christopher Mohammed: Go ahead. I'm sorry. 

Jim Palmer: No, but so that, that, that. Identity. 

Christopher Mohammed: Yeah. 

Jim Palmer: That we all, we all know then populates up to where it now becomes something you can search in an, in an analytics. 

Christopher Mohammed: Yeah. Imagine, you know, going to your top talkers and just seeing a MAC address.

I mean, such a, such a, what does this actually mean? Right? 

Jim Palmer: Yeah. It doesn't, nothing. 

Christopher Mohammed: Yeah, exactly. So now, now we can say that hey, Jim's, Jim's device is, you know, performing bad in, in some sort of way within an analytics. Right. You can actually go ahead and. Get that information from analytics and then maybe do something about it.

Maybe you do revoke Jim's access, you know, or maybe you just revoke Jim's access for that one device and then when Jim onboards, it tries to go ahead and re-onboard his device, you know, send a message over to administrator saying, Hey, Jim's trying to onboard that device again. Or send an API call to a third party system.

Or you know, even give Jim messaging saying, Hey, this device is banned. You're not allowed to onboard this device. It's being alerted prepare for incoming titan fall or, or something. You know, lots of different ways to, to approach that too. 

Jim Palmer: I, there's so many different questions I want to ask right now.

Because this is just fascinating to me because in the world of that we live in today, you know, if you had a device that you could detect and be like, Hey, we think this device is actually infected with a malware or something because it's, you know, it's doing some weird stuff that, you know, we don't, you know, is a flag, right?

Be like, Hey, it's trying to communicate with, you know, Russian servers or is trying to communicate with some, no, this is a, this is a true story. This happened to me one time where they, we figured out a device was infected by the DNS names that it was looking up. 

Christopher Mohammed: Mm-hmm. 

Jim Palmer: It sent all these DNS queries to some, yeah.

Really shady, you know what I mean? Websites you would never 

Christopher Mohammed: Crypto mining. 

Jim Palmer: Well, either Crypto went, no, they were, they were command and control servers based in Russia. They were .RU web addresses, and it was like, wait a second. We're like, there's no device on this network that should be talking to a server in Russia.

So yeah, so at that point you could then actually say, you could send a message and be like, Hey, we think you, there's a problem, you know, with your device. You then kick it off the network and when they try to come back on, you could sit, basically send 'em and say, Hey, go talk to IT, or go talk to somebody because you have a problem on your device that we need and we don't want you getting on there and spreading malware.

And so, yeah. That's, that's a really fascinating use case that I really wish we had more time to talk about, but 

Christopher Mohammed: I had that, you know, many, many moons ago as a network administrator and, you know, I, I remember a teacher, faculty, there was one classroom that was just performing some massive DoS attack to us, and it was basically flooding our FDB.

This is many, many years ago. And, you know, the switch's forwarding database would just be full of and hit, hit the limit and then that would just cascade through it. And I was able to figure out, you know, which, which port was causing, causing this. And you could, you could, you know, down, down that port, which is fine.

However, they just go plug somewhere else in and, and now, and you're just, you know, we were at the mercy of looking up a MAC address. I figured out what that device well actually it was really hard to tell cause it was just a bunch of entries in it. But you could tell what port it is, but you couldn't tell who the user was.

You know, I look at something like Cloudpath, if I had that identity. The problem would be solved immediately. Right? Meanwhile, that, that faculty member would unplug his device and then just show up somewhere else. And here we are, you know, bug hunting it, bug hunting, that stuff, that stuff out. And it, it turned out to be an antivirus program that he downloaded off the internet, which was basically just malware and just wrecking our lives for, you know, a couple of days. And then once I, once I found it and he just admitted it to me, I was just like, you gotta be kidding me, my friend. This is not, this is not great. But those, yeah, those were fun.

John Deegan: I mean, having dealt with it before, I mean, getting everything in a single pane of glass to be able to tie all the identities together. I mean, sometimes it's, it's crazy stories like that. And sometimes this is simple cert expired and they didn't realize it. And in, in past lives you'd have to go look at a couple different logs to realize, okay, that's the MAC address, that's the error.

They need a new cert or their password on, 

Christopher Mohammed: Yeah, let me, let me go, let me go search in Syslog across. 

John Deegan: So any, and I mean, you know, as you get the proliferation of devices and users, I mean, it's not a 200, I mean, you get two, 200 users, you could have a thousand devices. Yeah, yeah. It's not it, it's, it's definitely anything that we can do to help, you know, troubleshoot and improve the network is great.

And that's, I think we just, we're just hitting the tip of the iceberg with, with Cloudpath. So, I hate to say this, but we're gonna have to have you back a few times. 

Probably 

Christopher Mohammed: You hate to say it or like, ouch. 

John Deegan: You're gonna become like our third cohost. Yeah. 

You guys, we don't 

have anything else to talk about.

We're just talking about Cloudpath. 

Jim Palmer: There you go. 

Christopher Mohammed: You guys are gonna get real Just to me real quick. Let's 

John Deegan: I doubt that 

Christopher Mohammed: Same jokes every week. This is what's gonna happen. Hopefully we get new listeners every week and they'll be okay with it. 

Jim Palmer: There you go. 

John Deegan: I hope so. 

I think that's it for now. Jim, unless I'm missing something, I hate to cut it short, but

Jim Palmer: I we, well, we've, there's, so like you said, there's still so much that we could talk about and I want to talk about, cuz it really is an interesting, fascinating topic.

So Christopher, hopefully you'll agree to grace us with your presence again in the future and 

John Deegan: Next time we won't have video. 

Jim Palmer: Oh, right. We might actually stay on topic, but no, thanks for, thanks for coming. It's been very fascinating, so thank you. 

Christopher Mohammed: Yeah. And thanks for not yeah, thanks for having me and I really, I really appreciate it.

I was gonna make some really bad joke there, but we'll just end it at this.

John Deegan: I guess that's my cue to hit the music and send this one home. All right, thanks guys. Have a great one. 

Christopher Mohammed: Cheers. 

Jim Palmer: Thanks, 

Christopher Mohammed: You as well. Thank you.