Guest Blogger
Posts: 149
Registered: ‎12-04-2012

Identify Domain Devices

I want to make sure I'm not missing something. I need to identify and only allow domain devices on a wireless network. The only real way I can make this happen with 99.99% certainty is via:
 
Certificates (EAP-TLS)
MDM (Mobile and Laptops)
Agent (inspect the reg for example for domain info)
 
Am I missing any other way?

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: Identify Domain Devices

Machine Authentication (either TLS or PEAP-MSCHAPv2)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guest Blogger
Posts: 149
Registered: ‎12-04-2012

Re: Identify Domain Devices

Hey Cap!

Well, PEAP really can't tell it's a domain device, right? It's just logon / password, unless PEAPv2 is used (TLS). Or am I missing something...

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: Identify Domain Devices

Every domain computer has a machine account. Non-domain machines do not have a valid account.

When you see the device authenticate to the network with host/device-name.domain.com, this is a machine authentication.

The credential can be either a certificate or password. Active Directory can issue certificates to each domain computer automagically.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
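
The `host/device-name.domain.com` identity described in the reply above can be used to separate machine authentications from user authentications in RADIUS accounting or authentication records. This is an added example, not part of the original thread; the domain name, record field names and sample records are constructed assumptions.

```python
import re

# Assumption: AD DNS domain whose computers are allowed (constructed value).
ALLOWED_DOMAIN = "corp.example.com"

# host/<hostname>.<dns-domain>, the machine identity format quoted in the thread.
HOST_RE = re.compile(r"^host/(?P<name>[a-z0-9-]{1,63})\.(?P<domain>[a-z0-9.-]+)$", re.I)

def classify_identity(user_name, allowed_domain=ALLOWED_DOMAIN):
    """Return (kind, hostname): kind is 'machine', 'foreign-machine' or 'user'."""
    m = HOST_RE.match(user_name.strip())
    if m is None:
        return ("user", None)  # anything not in host/ form, e.g. user@domain
    host = m.group("name").lower()
    if m.group("domain").lower() != allowed_domain.lower():
        return ("foreign-machine", host)
    return ("machine", host)

def domain_devices(records, allowed_domain=ALLOWED_DOMAIN):
    """Hostnames that completed machine authentication for the allowed domain.

    The identity string is supplied by the client, so it only counts when the
    RADIUS server accepted the credential (password or certificate) behind it.
    """
    hosts = set()
    for rec in records:
        kind, host = classify_identity(rec["user_name"], allowed_domain)
        if kind == "machine" and rec["result"] == "Access-Accept":
            hosts.add(host)
    return hosts

# Constructed sample records; the field names are hypothetical, not a vendor log format.
SAMPLE = [
    {"user_name": "host/pc01.corp.example.com", "result": "Access-Accept"},
    {"user_name": "CORP\\alice", "result": "Access-Accept"},
    {"user_name": "host/byod7.corp.example.com", "result": "Access-Reject"},
    {"user_name": "host/lab3.other.example.net", "result": "Access-Accept"},
    {"user_name": "alice@corp.example.com", "result": "Access-Accept"},
]

if __name__ == "__main__":
    print(sorted(domain_devices(SAMPLE)))
```
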
Guest Blogger
Posts: 149
Registered: ‎12-04-2012

Re: Identify Domain Devices

Right right right... via the AD SID. Any other ways you can think of?
