Frequent Contributor II

RAP2 and security

Hi,

I am looking at the feature of extending the corporate SSID to the home but would like to understand a couple of security concerns.

Our current Enterprise wireless uses WPA2-Enterprise with MSCHAP (Windows username/password) authentication.

1. If this SSID is extended to our corporate users' homes, how can we stop users connecting from home using their own PCs?

2. I thought of using a rule to check if the PC was in the domain, but then I am thinking that this would stop employees connecting with iPads etc.

How can I set this up correctly?

Thanks
Guru Elite

Re: RAP2 and security

Either use "Enforce Machine Authentication" or use EAP-TLS (client-side certificates).


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: RAP2 and security

Hi,

Thanks for the quick response.

As this setup is an evaluation of Aruba, I don't want to change anything on the client side if I don't have to. I realise that EAP-TLS will solve this issue.

Could you elaborate a bit more on what "Enforce machine authentication" is, how/where I enable it, and how this change would impact the user authentication experience when at home.

Regards
Guru Elite

Re: RAP2 and security

Please examine the thread here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2915


Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: RAP2 and security

Hi,

Thank you for the link, that is very helpful. I think I understand how it will work, but there's one thing I'm not sure on though.

This statement

- Default-Machine-Role = Whatever you want a computer with no user logged into it to have access to. I would suggest allowing communication to the domain controller, DHCP, DNS, and the like so that when the user does log on, they can run scripts and the like.
- Default-User-Role = Role for NON domain devices with domain users
- Default-Dot1x-Role = Role for domain devices with domain users

If my employee logs in with their home PC (no MAC address in the internal DB), I understand they will be placed in the Default-User-Role. Is this correct?

I understand that this will be the same role as my employee iPad users.

Is there a way to differentiate them, because I want my iPad users to have full access, but I don't want my employees to have any access with their own PCs.

Thanks
Guru Elite

Re: RAP2 and security

When using this method here are your options:

- Default User role - Device that ONLY passed user authentication (this will apply to all devices, such as 3rd-party handhelds, etc and domain machines that have NOT passed machine authentication)
- Default Computer Role - Device that has ONLY passed machine authentication (you want this to be open as possible, because it represents your domain machines)
- Default 802.1x role - Devices that passed both user AND computer authentication (represents your domain machine, but someone is logged into it).

If you turn on Enforce machine authentication, you basically have: no access, devices that have machine authenticated, and devices that have NOT passed machine authentication.

You should probably run another SSID primarily for handhelds and give it limited access.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: RAP2 and security

Ok, got it, I understand.

So thinking kind of laterally here, what if I enabled "Enforce Machine Auth" and then had my iPad users authenticate using EAP-TLS, with a certificate delivered via Amigopod for example, keeping it all on the same Enterprise SSID?

Could I then have employee/corp PCs in the same group (or a group with similar access) as the EAP-TLS authenticated employee iPads, and my employee/personal PC users in a separate locked-down group?
Guru Elite

Re: RAP2 and security

How you would do that:

You would have the iPads authenticate via EAP-TLS like you mentioned and the RADIUS server would send back an attribute. You would have employees continue to authenticate via PEAP and have that remote access policy on the RADIUS server send back an attribute to differentiate them from the iPads. The controller would see different attributes from the RADIUS server and put them in a different role, and even possibly a different VLAN, if you wanted.

In short, yes.


Colin Joseph
Aruba Customer Engineering

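The role matrix from the "Enforce machine authentication" reply above (user-only, machine-only, both) combined with the server-derived role for EAP-TLS iPads from this last reply, as an added example that is not part of the original thread and not ArubaOS code. It is a small Python model of the controller's decision: machine-auth success is remembered per MAC for a cache timeout (the "internal DB" mentioned earlier in the thread), user authentications from a cached MAC land in the Default-Dot1x-Role, user authentications from an unknown MAC land in the Default-User-Role, and a RADIUS attribute match overrides both. The attribute name Filter-Id, the value "ipad-eaptls", the role "ipad-full", the MAC addresses, identities and the 24-hour cache timeout are all assumptions made for the demonstration.

```python
"""Model of ArubaOS-style 'Enforce Machine Authentication' role derivation
plus one server-derivation rule. Constructed illustration, not ArubaOS code;
attribute, value and role names other than the thread's three default roles
are assumptions."""
from dataclasses import dataclass, field

# Role names follow the three default roles discussed in the thread.
MACHINE_DEFAULT_ROLE = "Default-Machine-Role"  # machine auth only: nobody logged on
USER_DEFAULT_ROLE = "Default-User-Role"        # user auth only: home PC, or domain PC with no machine auth seen
DOT1X_DEFAULT_ROLE = "Default-Dot1x-Role"      # machine AND user auth: domain PC with a domain user

# Assumed server-derivation rule: the RADIUS policy for EAP-TLS iPads returns
# Filter-Id "ipad-eaptls" and the controller maps that to role "ipad-full".
SERVER_DERIVATION_RULES = [("Filter-Id", "ipad-eaptls", "ipad-full")]


@dataclass
class AuthResult:
    """One completed 802.1X authentication as the controller sees it."""
    mac: str
    identity: str                 # "host/<name>" for machine auth, "DOMAIN\\user" for user auth
    eap_method: str               # "PEAP-MSCHAPv2" or "EAP-TLS"
    accepted: bool                # True for Access-Accept, False for Access-Reject
    attrs: dict = field(default_factory=dict)  # attributes returned with the Access-Accept
    ts: float = 0.0               # seconds on a constructed clock


class MachineAuthController:
    """Remembers machine-auth success per MAC and derives a role per authentication."""

    def __init__(self, cache_timeout=24 * 3600):
        self.cache_timeout = cache_timeout
        self._machine_ok_until = {}   # mac -> expiry timestamp of the cached machine auth

    def machine_auth_valid(self, mac, now):
        return self._machine_ok_until.get(mac, 0.0) > now

    def derive_role(self, res):
        if not res.accepted:
            return "deny"                     # rejected: no role, client not admitted

        if res.identity.startswith("host/"):
            # Machine authentication: cache this MAC and hand out the machine role.
            self._machine_ok_until[res.mac] = res.ts + self.cache_timeout
            return MACHINE_DEFAULT_ROLE

        # User authentication: a matching server-returned attribute wins
        # (the EAP-TLS iPad case). Assumption: check on your controller release
        # whether server-derived roles apply to clients that never passed machine auth.
        for attr, value, role in SERVER_DERIVATION_RULES:
            if res.attrs.get(attr) == value:
                return role

        # Otherwise the role depends on a still-valid machine auth for this MAC.
        if self.machine_auth_valid(res.mac, res.ts):
            return DOT1X_DEFAULT_ROLE
        return USER_DEFAULT_ROLE


def run_scenarios():
    """Constructed sample sessions; returns {scenario name: derived role}."""
    ctl = MachineAuthController(cache_timeout=24 * 3600)
    t0, hour = 0.0, 3600.0
    out = {}
    # 1. Domain laptop boots at home: machine auth first, then Alice logs on.
    ctl.derive_role(AuthResult("aa:bb:cc:00:00:01", "host/LT-0001.corp.example",
                               "PEAP-MSCHAPv2", True, ts=t0))
    out["domain PC, user logged on"] = ctl.derive_role(
        AuthResult("aa:bb:cc:00:00:01", "CORP\\alice", "PEAP-MSCHAPv2", True, ts=t0 + 60))
    # 2. Alice's personal PC: valid domain credentials, but this MAC never machine-authenticated.
    out["home PC, domain user"] = ctl.derive_role(
        AuthResult("de:ad:be:ef:00:02", "CORP\\alice", "PEAP-MSCHAPv2", True, ts=t0 + 120))
    # 3. Alice's iPad: EAP-TLS with a certificate; the RADIUS policy returns the attribute.
    out["iPad, EAP-TLS"] = ctl.derive_role(
        AuthResult("c0:ff:ee:00:00:03", "alice-ipad", "EAP-TLS", True,
                   attrs={"Filter-Id": "ipad-eaptls"}, ts=t0 + 180))
    # 4. Same domain laptop 30 hours later with no reboot: cached machine auth has expired.
    out["domain PC, cache expired"] = ctl.derive_role(
        AuthResult("aa:bb:cc:00:00:01", "CORP\\alice", "PEAP-MSCHAPv2", True, ts=t0 + 30 * hour))
    # 5. Wrong password: Access-Reject.
    out["bad credentials"] = ctl.derive_role(
        AuthResult("aa:bb:cc:00:00:01", "CORP\\alice", "PEAP-MSCHAPv2", False, ts=t0 + 200))
    return out


if __name__ == "__main__":
    for name, role in run_scenarios().items():
        print(f"{name:28} -> {role}")
```

Scenario 4 is the operational gotcha worth planning for: a domain laptop that stays powered on past the machine-auth cache timeout and then reconnects without a reboot silently drops into the Default-User-Role, the same role as a personal PC, so the cache timeout and the user-default role's restrictions have to be chosen together.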

Frequent Contributor II

Re: RAP2 and security

Ok, thanks a lot, gonna see if I can get this working.

Cheers