Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

QuickConnect Client can be Transferred between workstations with Authentication Information

  • 1.  QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 21, 2015 02:44 PM

    QuickConnect Client can be downloaded to a client machine after successful Web Auth, but if a client copies this one file, they can run it on any workstation and it provides them with full internal access on any machine.  It seems like the whole TLS Cert and/or AAA info is being saved and can be run from anywhere.

     

    Any suggestions on how to prevent this from occurring?



  • 2.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 12:24 AM
    Does anyone have any ideas how to resolve this issue?


  • 3.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 04:41 AM
    Can you please share your enforcement policy ?



  • 4.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    EMPLOYEE
    Posted Jan 26, 2015 05:21 AM

    Mslan,

     

    What OS is this?  Like Vfabien is alluding to, the MAC address of the client could be installed into the certificate and that can be checked against the Calling-Station-Id of the host machine during EAP-TLS authentication to stop this.

     



  • 5.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 12:01 PM

    I have attached screen shots of the three Services regarding OnBoard.  The Provisioning shows the Auth and Enforcement Policy/Profile.  The Pre-Auth and Auth show the Authentication, and both have an "accept" as enforcement profiles.

     

    And the OS this is happening on is Windows, both 7 and 8.



  • 6.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 12:23 PM


  • 7.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 01:40 PM

    Where can I set the "calling-station-id" attribute to be recorded and pushed down with the cert, then checked against upon TLS Authentication?



  • 8.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    EMPLOYEE
    Posted Jan 26, 2015 02:11 PM

    It should be done automatically.  Look in the Access Tracker for a Windows onboarded device that authenticates via EAP-TLS and see if you see mdpsMacAddress as a RADIUS attribute.

     



  • 9.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 02:39 PM

     

    Radius:IETF:Calling-Station-Id    0024d7xxxxxx
    Radius:IETF:Calling-Station-Id    0024d7xxxxxx

     

    I do see the attribute in the Access Tracker, as shown above.  But how can I restrict the QuickConnect Client from being run on another machine?

     

    What would be the proper "Operator" to set for "RADIUS:IETF:Calling-Station-Id"?  "Exists"? or "Belongs to..."?
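The check discussed above (posts 4, 8 and 9: the MAC addresses recorded in the Onboard certificate, mdpsMacAddress, compared against the RADIUS Calling-Station-Id of the host presenting it, with a "Belongs to" style operator) as an added, stand-alone example. This is illustration code written for this thread, not ClearPass code; the function names, the sample MAC values and the attribute renderings it accepts are assumptions, and it takes the certificate MAC list as plain strings rather than parsing the certificate.

```python
"""
Added example (not ClearPass code): decide whether the MAC address a supplicant
reports in RADIUS Calling-Station-Id belongs to the set of MAC addresses recorded
in its Onboard device certificate (mdpsMacAddress). All sample values are
constructed for illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Canonicalise a MAC address to 12 lowercase hex digits.

    Different NAS vendors render Calling-Station-Id differently, so accept
    '00-24-D7-AA-BB-CC', '00:24:d7:aa:bb:cc', '0024.d7aa.bbcc' and
    '0024D7AABBCC'. Anything that is not a MAC (an IP address, an empty string,
    a missing attribute) yields None so the caller fails closed instead of
    comparing garbage.
    """
    if value is None:
        return None
    cleaned = re.sub(r"[-:.\s]", "", value.strip().lower())
    return cleaned if _HEX12.match(cleaned) else None


def calling_station_matches_cert(calling_station_id: Optional[str],
                                 cert_macs: Iterable[str]) -> bool:
    """Equivalent of 'Calling-Station-Id BELONGS_TO <MACs in certificate>'.

    cert_macs holds the mdpsMacAddress values from the client certificate (one
    per interface, e.g. wired and wireless). A missing Calling-Station-Id or a
    certificate with no parsable MAC fails the check: an unbound certificate
    should not be treated as bound.
    """
    csid = normalize_mac(calling_station_id)
    if csid is None:
        return False
    allowed = {m for m in (normalize_mac(c) for c in cert_macs) if m}
    return csid in allowed


def evaluate(requests: List[Tuple[Optional[str], List[str]]]) -> List[str]:
    """Apply the check to a batch of (Calling-Station-Id, cert MAC list) pairs.

    Returns ACCEPT/REJECT per request, the way an enforcement policy rule
    would reject an EAP-TLS request whose certificate names another host.
    """
    return [
        "ACCEPT" if calling_station_matches_cert(csid, macs) else "REJECT"
        for csid, macs in requests
    ]


# Constructed sample input. The first two requests come from the laptop the
# certificate was issued to (its wired and wireless NICs, in two different
# renderings); the third is the same certificate presented from a different
# machine; the fourth carries no Calling-Station-Id at all.
CERT_MACS = ["0024d7aabbcc", "0024d7112233"]
SAMPLE_REQUESTS = [
    ("00-24-D7-AA-BB-CC", CERT_MACS),
    ("00:24:d7:11:22:33", CERT_MACS),
    ("00-11-22-33-44-55", CERT_MACS),
    ("", CERT_MACS),
]

if __name__ == "__main__":
    for (csid, macs), decision in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{csid or '<missing>':20} -> {decision}")
```

The normalisation step is the part people get wrong: a rule that compares the raw attribute strings will pass or fail depending on which NAS sent the request, because Calling-Station-Id has no single mandated format. Note also the later posts in this thread: this check only binds an already issued certificate to a host. It does not stop a copied QuickConnect executable from provisioning a fresh certificate on a second machine, which is why the accepted answer limits the number of devices per user instead.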



  • 10.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    EMPLOYEE
    Posted Jan 26, 2015 03:00 PM

    Mslan,

     

    Let me make sure we are talking about the same thing.  I just onboarded a Windows computer, and when I look at the device certificate in Onboard, this is what I see.  Below are the wired and wireless MAC addresses.  Let me know if you see that in your certificate:

     

     

    [screenshot: mac1.png]

     

    When I authenticate, this is what I see in the Access Tracker under "Computed Attributes".  Please let me know if you see that, as well.

     

    [screenshot: cert2.png]



  • 11.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 03:38 PM

    Yes, I am seeing the device's MAC Address in both the Access Tracker and Guest Manager, as shown below.  

     

    But I can still download and install it from the first PC, then I can copy it over to any other PC, run the QuickConnect Client and it installs everything, without prompting for credentials, or stating that the Calling-Station-Id or mdpsMacAddress already exists.

     

     

    [screenshot: CPPM-OnBoard-mdpsMacAddress.png]

     

    Any suggestions?

     

    Thanks,



  • 12.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information

    Posted Jan 26, 2015 03:46 PM

    Access Tracker shows the certificate MAC address, and there is an OnBoard cert, also showing the two mdpsMacAddresses.

     

    All appears correct, but I was still able to download and run the QuickConnect client on the first PC and all authenticates and OnBoards properly with EAP-TLS.

     

    I then copy the downloaded QuickConnect client to another laptop, run the executable, and it logs me in, generates a new cert and authenticates with EAP-TLS.

     

    Any suggestions?

     

    [screenshot: CPPM-OnBoard-mdpsMacAddress.png]

     

    [screenshot: CPPM-Access-Tracker-Cert-MacAddress.png]



  • 13.  RE: QuickConnect Client can be Transferred between workstations with Authentication Information
    Best Answer

    EMPLOYEE
    Posted Jan 27, 2015 07:20 AM

    Mslan,

     

    Please delete that quickconnect.exe file from the computer.  Go to Onboard > Deployment and Provisioning > Provisioning Settings and set the Maximum Devices to 1, and then try to re-onboard that device:

     

    [screenshot: onboard.png]