ArubaOS and Controllers

Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Keeping Mac users off campus 802.1x SSID

What is the best method for blocking users with Macs from getting onto a campus SSID using 802.1x?

An SSID was created for the school-owned Windows machines that uses 802.1x authentication. Group policy is used to push out the wireless profile, certificates, and valid CA servers to the Windows domain machines. The school-owned Windows machines work fine. However, student-owned Macs are able to connect to the SSID with just user credentials. The students with Windows machines, however, cannot. I could enforce machine authentication from the controller, but how do I handle the iPads they have configured to use 802.1x with the iPhone Configuration Utility? The utility allows configuring the wireless profile and importing the server certificate for a secure connection, but how is it that the student-owned Macs can get by?
Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Keeping Mac users off campus 802.1x SSID

Well,

I would first create a role that only allows DHCP and call that "DenyAll". I would create a user derivation rule looking for the DHCP option of Windows 7 devices, Windows XP devices and iPads and put them into an "allowall" role.

Next I would make the default 802.1x role for that SSID's AAA profile the "DenyAll" role that only has DHCP. I would also attach the user derivation rule to that AAA profile.

Here is how it should work:

All devices get a DHCP address, so we can do the fingerprinting initially, but we move Windows 7, Windows XP and iPads into the allowall role. All other devices stay in the DenyAll role; even though they get an IP address, they cannot go anywhere.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
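The mechanism Colin describes, as an added model that is not part of the original thread and is not ArubaOS code: a client's DHCP Discover is parsed for option 55 (the parameter request list), the resulting fingerprint is looked up in a table, and the client is placed in "allowall" on a match or left in the default "DenyAll" role, whose policy permits only DHCP. The fingerprint strings, the decimal fingerprint format, the role names' policy sets and the sample packets are all constructed for illustration; ArubaOS matches on the raw DHCP option bytes and ships its own signature database.

```python
# Added example (not from the thread or from Aruba): DHCP-fingerprint
# user derivation with a DHCP-only default role. All fingerprint values,
# packets and policy sets below are constructed for illustration.
from typing import Dict

# Magic cookie that separates the fixed BOOTP header from DHCP options.
DHCP_MAGIC = b"\x63\x82\x53\x63"

# Constructed fingerprint table (hypothetical, not Aruba's signature database):
# option 55 parameter request list as decimal codes -> role to assign.
FINGERPRINTS: Dict[str, str] = {
    "1,15,3,6,44,46,47,31,33,121,249,252": "allowall",  # "Windows 7"
    "1,15,3,6,44,46,47,31,33,249,43": "allowall",       # "Windows XP"
    "1,3,6,15,119,252": "allowall",                     # "iPad (iOS)"
    # no entry for the "macOS" list used below, so it falls through to DenyAll
}

DEFAULT_ROLE = "DenyAll"

# Role policy: DenyAll permits only DHCP (UDP 67/68); allowall is unrestricted.
ROLE_POLICY = {
    "DenyAll": {("udp", 67), ("udp", 68)},
    "allowall": None,
}


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} from a DHCP packet.
    The fixed header is 236 bytes, followed by the 4-byte magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes]) -> str:
    """Our own fingerprint format: option 55 codes as comma-separated decimals."""
    return ",".join(str(code) for code in opts.get(55, b""))


def derive_role(opts: Dict[int, bytes]) -> str:
    """User derivation: known fingerprint -> allowall, anything else -> DenyAll."""
    return FINGERPRINTS.get(fingerprint(opts), DEFAULT_ROLE)


def permitted(role: str, proto: str, port: int) -> bool:
    """Would the role's policy let this flow through?"""
    allowed = ROLE_POLICY[role]
    return allowed is None or (proto, port) in allowed


def build_discover(mac: bytes, prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER carrying a given parameter request list."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6   # BOOTREQUEST, Ethernet, hlen 6
    header[28:34] = mac                         # chaddr
    options = b"\x35\x01\x01"                   # option 53: DHCPDISCOVER
    options += b"\x37" + bytes([len(prl)]) + prl  # option 55: parameter list
    return bytes(header) + DHCP_MAGIC + options + b"\xff"


def classify(packet: bytes) -> str:
    """Role a client would land in after its Discover is fingerprinted."""
    return derive_role(parse_dhcp_options(packet))


# Constructed sample clients.
SAMPLE_MAC = bytes.fromhex("020000000001")
WIN7_PRL = bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252])
MACOS_PRL = bytes([1, 3, 6, 15, 119, 95, 252, 44, 46])

if __name__ == "__main__":
    for label, prl in (("Windows 7 laptop", WIN7_PRL), ("student Mac", MACOS_PRL)):
        role = classify(build_discover(SAMPLE_MAC, prl))
        print(f"{label}: role={role}, https allowed={permitted(role, 'tcp', 443)}")
```

The point the model makes visible is that the derivation rule classifies a device by what its DHCP client announces; it answers "what does this look like", not "who owns it". That is why the later replies in the thread turn to machine authentication and per-device records when school-owned and personally owned devices of the same type must be told apart.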

Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Keeping Mac users off campus 802.1x SSID

What if the school buys some MacBooks and wants to put them on the school SSID? I would need to differentiate between the school-owned MacBook and the student- or staff-owned MacBook.
Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Keeping Mac users off campus 802.1x SSID

The big question is, how do you want it all to work? Many users start off insisting that they do not want non-company-owned devices on their network, and they create long lists of MAC addresses allowing those devices on. Others will allow all devices on and struggle to decide what network differences should exist between a company-owned device and a regular user device. Most come to the realization that it is more important that a device be restricted by WHO is logged into it, rather than the OS, or whether it is company-owned.

If you speak to your local Aruba Engineer, they can come up with a comprehensive strategy, based on your individual requirements. It would be interesting to hear what other users are doing.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: Keeping Mac users off campus 802.1x SSID

I am seeing similar requests coming from my education clients as well.

It seems to be a case of them not wanting personal devices on the network, but not really knowing why.

At the same time they are asking for company iPhones to be allowed in but personal iPhones not to be allowed in.

Makes for a hard solution when there are so many variables and so little distinction between personal and business iPhones.

scott
Frequent Contributor II
Posts: 118
Registered: ‎02-10-2011

keeping certain devices off the wireless net

There are several different ways to do it, I suspect. One way that seems to work OK is to use 802.1x with machine and user authentication through Active Directory. Users can only get on the network if they have a Windows workstation object in AD and an AD username/password. This prevents both non-Windows devices and personally owned Windows devices from connecting.

OK, now the fun: in most cases you will hit the scenario where a corporate-owned Mac computer or iPad or iPhone or other non-Windows device needs to connect to the wireless network. Set up a separate SSID from the one above and set this one to use machine authentication (i.e. MAC address) and 802.1x again with AD username and password. This SSID allows you to connect only if your MAC address has been added to the controller and you have a valid AD username and password.

It works well as long as you don't need 1000s of non-Windows devices to connect. I say that only from an operational perspective. It's not much fun entering MAC addresses. You can enter a lot at once via the CLI and a basic text file, but entering a couple at a time multiple times a day would be bothersome :)

Hope that helps