Enterprise Lockdown

Guru Elite

Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How

Team:
I know I already have a post asking how to keep employee laptops off of guest networks here: https://edge.arubanetworks.com/forum/keeping-employees-guest-wireless-ne... This post is asking about the reverse:
I have a user who is using Aruba for 802.1x in a Windows environment for employees, and all is fine. However, with the advent of the iPhone, iPod touch and the newest Blackberries, it is very simple to attach to an 802.1x network with an existing Windows username and password, and gain access to the employee network with an unsupported device. The user is looking for a permanent solution to manage this, but for now he is:
(1) Enforcing Machine Authentication - Making sure that a device passes domain User as well as Machine credentials before the device connects to the employee network.
(2) If the device ONLY passes user 802.1x authentication, the user is switched to the guest role, which has the guest VLAN also hardcoded. iPhones and Blackberries get easy guest access on the guest VLAN and encryption if a user has valid domain credentials.
(3) The user is also resorting to putting the MAC address of the user in the user's AD account, so the user can only connect with his domain credentials if he is currently on the wireless device assigned to his MAC address like here: http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
Can anyone else comment on their approach to this issue?
Thanks.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How

Well, what I had planned to do was to create a MAC acl and block Apple MACs using the wildcard feature and assignment to a user role.

However, I didn't move forward with the plan because, from what I understand, a MAC ACL can only function when applied to a controller port and not to a user role (although it does NOT prevent you from assigning it to a user role; it just doesn't block, it only logs hits to the ACL).

I can say for sure that the MAC ACL works on the port... Before production I did attempt to use the MAC ACL on the port but failed to specify "allow any" after the deny statement for the list of MACs... Which is funny, because it made me take a drive to the data center to power cycle the controller.

Other than that I figured it wasn't worth the effort since we have Mac laptops using our guest wireless network.
New Contributor

Re: Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How

Our biggest problem is that even when enforcing machine authentication, the MAC address is sent in control frames as a part of the 802.1x standard.

An attacker can sniff those frames and get the MAC address of a valid station. Since with machine auth all the Aruba does is stick the MAC address in an internal database until your timeout expires, external attackers and internal abusive employees can just sniff the MAC or pull it off a valid station and use it to get on the system.

Your only real option is a full NAC solution (Cisco NAC, Aruba ECS, Windows Server 2008 NAP+NPA, etc.) to challenge the machine and validate it's a company asset as well as validating the user. The only real question is what does your industry require, what are you regulated by, and how much money do you want to spend on it.
Guru Elite

Raise the Bar

Employees who are willing to spoof MAC addresses to get online probably have other issues or have a great deal of time on their hands.

If an employee simply wants internet on his personal machine, you can make it so that the user authentication default role switches users who have not machine authenticated to the guest VLAN and authenticated guest role so that they can get on. This means that if I have an iPhone and I authenticate successfully to the employee SSID, I will get free internet in exchange for my employee username and password. I will have full access to the internet, on the guest VLAN, but zero access to the infrastructure. You can also prevent ARP spoofing so that users who try to get on with another user's MAC address while that user is on will be denied. You can also decrease the machine authentication cache timeout so that those entries are removed sooner rather than later, so the window to attempt MAC spoofing is even smaller. You can also only permit wireless authentication to users in particular groups in IAS, so that unauthorized users will not be able to get on with ANY device. For users that you think engage in the practice of spoofing their MAC address, you can also tie a wireless MAC address to their Active Directory account like here: http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
You can also switch to EAP-TLS so that users will have to have a valid company-issued certificate before they can connect with a device.

If you have Airwave and you suspect that a user is MAC spoofing or a device has been spoofed, it is very easy to run a report to see if that activity is taking place, and you can remove that user from the wireless group that is allowed to connect.

Enforcing machine authentication is only one tool out of several that administrators have to enforce access on the wireless network. The more tools that are used, the lower the likelihood that unauthorized users will be able to connect to the wireless network with unauthorized devices.


Colin Joseph
Aruba Customer Engineering

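The post above suggests looking for MAC spoofing in the controller or Airwave data. As an added example that is not part of the thread or of any Aruba product, here is a small check over constructed association records: one MAC holding overlapping sessions on two APs, or on one AP with two client IPs, cannot be a single radio and is worth a closer look (the record layout and the sample data are assumptions).

```python
"""Flag MAC addresses with concurrent wireless sessions (added example)."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample sessions: (mac, ap, auth type, client ip, start, end).
# The same MAC appears on AP-Lobby (machine+user auth) and, while that
# session is still active, on AP-Floor3 with user-only auth and another IP.
SESSIONS = [
    ("00:1b:63:ee:12:34", "AP-Lobby",  "machine+user", "10.1.1.20",
     "2010-06-01 08:00", "2010-06-01 12:00"),
    ("00:1b:63:ee:12:34", "AP-Floor3", "user",         "10.1.1.99",
     "2010-06-01 09:30", "2010-06-01 10:15"),
    ("00:26:08:aa:bb:cc", "AP-Floor2", "machine+user", "10.1.1.31",
     "2010-06-01 08:05", "2010-06-01 17:00"),
]


def _parse(rec):
    mac, ap, auth, ip, start, end = rec
    return (mac.lower(), ap, auth, ip,
            datetime.strptime(start, FMT), datetime.strptime(end, FMT))


def find_overlaps(sessions):
    """Return (mac, ap_a, ap_b, reason) for every pair of sessions of one
    MAC whose time ranges overlap while the AP or the client IP differs."""
    by_mac = {}
    for rec in sessions:
        parsed = _parse(rec)
        by_mac.setdefault(parsed[0], []).append(parsed)
    findings = []
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r[4])          # order by session start
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b[4] >= a[5]:               # b starts after a ended: later
                    break                      # sessions start later still
                if a[1] != b[1]:
                    findings.append((mac, a[1], b[1],
                                     "concurrent sessions on two APs"))
                elif a[3] != b[3]:
                    findings.append((mac, a[1], b[1],
                                     "same AP, two client IPs at once"))
    return findings


if __name__ == "__main__":
    for f in find_overlaps(SESSIONS):
        print("review:", *f)
```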

Occasional Contributor II

Re: Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How

Would limiting the number of simultaneous logins on the RADIUS server and/or passing an attribute for the Blackberry MAC to put it in a deny-all role help?
Occasional Contributor II

MAC Wildcard bits

I am testing adding a MAC address policy on the 3000 controller.
For example, filtering the iPhones from the guest network.

00:1b:63:ee:xx:xx is the iPhone MAC block.

I can't figure out what value to put in for Wildcard Bits.
I've tried 00:1b:63:ee:00:00 with 32, 24, 16 and others. No good.

What is the correct number of wildcard bits for this?
Guru Elite

Whack-A-Mole

iPhones have quite a few different OUIs. It would be a very frustrating endeavour to block them in that manner.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

MAC Wildcard bits

I understand that managing all the variants of MACs can be tedious.

However, for entering the Wildcard bits...

I can't figure out what value to put in for Wildcard Bits.
I've tried 00:1b:63:ee:00:00 with 32, 24, 16 and others. No good.

What is the correct number of wildcard bits for this?
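The pattern 00:1b:63:ee:xx:xx fixes the first four octets and ignores the last two, but products encode that in different ways: a count of matched bits, a count of ignored bits, or a Cisco-style wildcard mask in which 1 bits are ignored. As an added example that is not ArubaOS code, the script below derives all three forms from the pattern and applies them to candidate addresses; which form the 3000 controller expects is not stated in the thread and has to be checked against its documentation.

```python
"""Convert a MAC pattern with xx wildcards to value/mask forms (added example)."""
import re

ALL_ONES = 0xFFFFFFFFFFFF  # 48-bit mask


def pattern_to_value_mask(pattern):
    """Return (value, match_mask) as 48-bit ints.

    match_mask has 1 bits where the address must equal value; an octet
    written as xx contributes zero mask bits (octet granularity only).
    """
    octets = pattern.lower().split(":")
    if len(octets) != 6:
        raise ValueError("expected six colon-separated octets")
    value = mask = 0
    for octet in octets:
        value <<= 8
        mask <<= 8
        if octet == "xx":
            continue
        if not re.fullmatch(r"[0-9a-f]{2}", octet):
            raise ValueError(f"bad octet {octet!r}")
        value |= int(octet, 16)
        mask |= 0xFF
    return value, mask


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(n):
    return ":".join(f"{(n >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def describe(pattern):
    """The three common encodings of one pattern, for comparison."""
    value, mask = pattern_to_value_mask(pattern)
    matched = bin(mask).count("1")
    return {
        "value": int_to_mac(value),
        "match_mask": int_to_mac(mask),              # 1 = must match
        "wildcard_mask": int_to_mac(mask ^ ALL_ONES),  # 1 = ignore
        "matched_bits": matched,                     # prefix length
        "wildcard_bits": 48 - matched,               # ignored bits
    }


def matches(mac, pattern):
    """True if mac falls inside the pattern (case and separator tolerant)."""
    value, mask = pattern_to_value_mask(pattern)
    return (mac_to_int(mac) & mask) == value
```

For the pattern in the thread the prefix length is 32 and the ignored-bit count is 16, so a controller that accepts neither number is using some other encoding (or applying the ACL somewhere it does not take effect, as an earlier reply noted).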
New Contributor

Blocking Apples

I am attempting to do the same thing. Did you ever find a solution?
Occasional Contributor II

Re: Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How

Our easy solution was to only give control to create guest accounts to our security department and a few on my communications team.
On top of that I have created a separate network for iPhones, iPads, etc. Users that want access to this have to put in a request with our communications director.
Once the request is approved then they are added.

There is no captive portal and devices are authenticated via MAC address.

Realizing that MAC addresses can be spoofed (though our users are not that smart), we have implemented access lists and bandwidth controls on the network we opened up.

This keeps people a little more honest.
While it may not be a technology driven solution, you'll be surprised at the behavior changes I have seen with the IT personnel using the wireless network now that they can get on without being sneaky.