Wireless Access

Frequent Contributor I

Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

How can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication? Only domain-joined Windows laptops should be able to connect to the SSID with 802.1X authentication, and non-domain-joined Windows laptops must not be able to connect to it.

802.1X authentication uses Microsoft AD.

Guru Elite

Re: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

You can configure the domain machines to only use computer authentication using group policy.  The page here:  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx tells you how to do that.

On the remote access policy in NPS, you would only allow users in the Domain Computers group.  That would mean that only domain machines would be able to connect with their computer/machine credentials.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

Besides configuring it through group policy, is there any other method to configure it? My customer wants to avoid configuring it through group policy. Is it possible to configure it on the Microsoft RADIUS server itself?

Guru Elite

Re: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

The only way is to have Windows machines use Machine Authentication.  You would then have to change your remote access policy on NPS to only allow authentication from the Windows Group "Domain Computers".

You could alternatively use DHCP fingerprinting to give Windows XP and Windows 7 computers a different role when they connect, but all of the non-Windows devices would have to obtain a DHCP address to be able to do the fingerprinting.  Android and Apple iOS devices will still be allowed to partially connect to do fingerprinting.

Colin Joseph
Aruba Customer Engineering

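The DHCP fingerprinting alternative described in the post above works by reading the option 55 (parameter request list) that a client sends in its DHCPDISCOVER, which is why every device, including the ones you want to keep out, must be allowed far enough onto the network to send a DHCP request before it can be classified. The script below is an added example, not code from the thread or from Aruba: it parses the option TLVs of a DHCP message and assigns a role from a small fingerprint table. The fingerprint table, the role names and the minimal DHCPDISCOVER builder are constructed for illustration; a production fingerprint database is far larger.

```python
"""Added example: DHCP option 55 fingerprinting as a role-assignment step.
Not code from the Airheads thread or from Aruba; the fingerprint table and
role names below are constructed for illustration."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the fixed header


def parse_dhcp_options(payload):
    """Parse the option TLVs of a DHCP message.

    Layout (RFC 2131/2132): 236-byte fixed header, 4-byte magic cookie, then
    (code, length, value) triples until the 0xFF end option. Option 0 is a
    single-byte pad. Returns {code: value_bytes}.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


# Constructed, illustrative fingerprint table keyed by the exact option 55
# parameter request list (assumption: real tables are much larger and
# vendor-maintained).
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows 7",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "Windows XP",
    (1, 3, 6, 15, 119, 252): "Apple iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}

# Constructed role mapping: only the Windows fingerprints get the full role;
# everything else, including unknown devices, is left in a restricted role.
ROLE_BY_OS = {"Windows 7": "authenticated", "Windows XP": "authenticated"}


def classify(payload):
    """Return (os_name, role) for a DHCP message; unknown lists are restricted."""
    options = parse_dhcp_options(payload)
    request_list = tuple(options.get(55, b""))
    os_name = FINGERPRINTS.get(request_list, "unknown")
    return os_name, ROLE_BY_OS.get(os_name, "quarantine")


def build_discover(request_list):
    """Construct a minimal DHCPDISCOVER carrying the given option 55 list
    (constructed test input, not a captured packet)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, then the remaining
    # 232 bytes of the fixed header zeroed (xid, secs, flags, addresses,
    # chaddr, sname, file).
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232
    options = (bytes([53, 1, 1])                      # message type: DISCOVER
               + bytes([55, len(request_list)]) + bytes(request_list)
               + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for prl in FINGERPRINTS:
        print(prl, "->", classify(build_discover(prl)))
```

The classification only runs after the DHCPDISCOVER arrives, which is the caveat the post makes: an iOS or Android device is already associated and authenticated on the SSID by the time it can be sorted into a restricted role, so this is role assignment, not admission control.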

Frequent Contributor I

Re: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

I tried adding the Windows Computer rule under the Windows Group "Domain Computers", but it failed to authenticate the user account. On the Windows RADIUS server (Windows 2008 R2) the Event Viewer error message was "invalid user account". I also tried adding Machine Group and User Group policies in combinations of these 3 policies, and vice versa; that also didn't work. The computer also can't get an IP address from the DHCP server.

It only authenticates after I remove all of the above policies and add only the policy below; then it works.

If I add a policy under Gateway "NAS Port Type, Wireless - IEEE 802.11 or Wireless - Other", the user is able to get authenticated.

Initial logon role is "Logon-Control"

Default 802.1X authentication role is "Authenticated"

DHCP fingerprinting is not suitable for my customer's environment because they want to prevent personal devices such as laptops (Windows machines), smartphones and tablets from connecting to the Staff SSID (802.1X authentication).

Is there some setting I missed? Please advise.
Guru Elite

Re: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?


jordontin wrote:

I tried adding the Windows Computer rule under the Windows Group "Domain Computers", but it failed to authenticate the user account. On the Windows RADIUS server (Windows 2008 R2) the Event Viewer error message was "invalid user account". I also tried adding Machine Group and User Group policies in combinations of these 3 policies, and vice versa; that also didn't work. The computer also can't get an IP address from the DHCP server.

It only authenticates after I remove all of the above policies and add only the policy below; then it works.

If I add a policy under Gateway "NAS Port Type, Wireless - IEEE 802.11 or Wireless - Other", the user is able to get authenticated.

Initial logon role is "Logon-Control"

Default 802.1X authentication role is "Authenticated"

DHCP fingerprinting is not suitable for my customer's environment because they want to prevent personal devices such as laptops (Windows machines), smartphones and tablets from connecting to the Staff SSID (802.1X authentication).

Is there some setting I missed? Please advise.


That is right:  No user accounts are allowed, because it is expecting authentications only from domain computers, which submit their username as "host/<hostname>".  The only way you get them to submit their machine name, instead of the user logged in, is either via group policy, or edit the registry on that computer:  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx  That is how you would do it from the NPS side.

You can also enable "Enforce Machine Authentication" from the Aruba Controller side to keep non-domain devices off the network:  http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Machine-amp-User-Authentication-iPhones-getting-online/m-p/1638/highlight/true#M18

Colin Joseph
Aruba Customer Engineering

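The three replies above all come down to one mechanism: a machine-authenticating Windows client presents its identity as host/<hostname>, NPS resolves that to the computer account, and a network policy whose Windows Groups condition is "Domain Computers" (with a wireless NAS-Port-Type condition) matches it, while a user identity such as a phone's username resolves to a user account and is rejected, which is the "invalid user account" behaviour reported in the thread. The script below is an added example, not code from the thread, from Microsoft or from Aruba; it models that policy evaluation over a constructed directory so the match and reject cases can be seen side by side. The account names, group memberships and request values are constructed; NPS's real identity resolution and condition list are richer than this model.

```python
"""Added example: how an NPS-style network policy restricted to
'Domain Computers' treats 802.1X identities. Not code from the Airheads
thread, Microsoft or Aruba; the directory and requests are constructed."""

from dataclasses import dataclass

# Constructed directory (assumption): account name -> group memberships.
# Computer accounts end in '$', as they do in Active Directory.
DIRECTORY_GROUPS = {
    "LAPTOP01$": {"Domain Computers"},
    "LAPTOP02$": {"Domain Computers"},
    "alice": {"Domain Users"},
}

# NAS-Port-Type values the policy in the thread accepts.
WIRELESS_NAS_PORT_TYPES = {"Wireless - IEEE 802.11", "Wireless - Other"}


@dataclass
class RadiusRequest:
    user_name: str        # RADIUS User-Name / EAP identity
    nas_port_type: str    # RADIUS NAS-Port-Type as NPS names it


def resolve_account(user_name):
    """Map an EAP identity to a directory account name.

    host/<fqdn>      -> computer account HOSTNAME$  (machine authentication)
    DOMAIN\\user      -> user account 'user'
    user@realm       -> user account 'user'
    """
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".")[0].upper() + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name.split("@", 1)[0]


def evaluate_policy(req, allowed_groups, nas_port_types=WIRELESS_NAS_PORT_TYPES):
    """Return (granted, reason) for a policy that requires a wireless
    NAS-Port-Type and membership in one of allowed_groups."""
    if req.nas_port_type not in nas_port_types:
        return False, "NAS-Port-Type condition not matched"
    account = resolve_account(req.user_name)
    groups = DIRECTORY_GROUPS.get(account)
    if groups is None:
        return False, f"unknown account {account!r}"
    if not groups & allowed_groups:
        return False, f"{account!r} not in {sorted(allowed_groups)}"
    return True, f"{account!r} matched"


if __name__ == "__main__":
    policy = {"Domain Computers"}
    samples = [
        RadiusRequest("host/laptop01.corp.example", "Wireless - IEEE 802.11"),
        RadiusRequest("CORP\\alice", "Wireless - IEEE 802.11"),
        RadiusRequest("bob@corp.example", "Wireless - IEEE 802.11"),
        RadiusRequest("host/laptop02.corp.example", "Ethernet"),
    ]
    for s in samples:
        print(s.user_name, evaluate_policy(s, policy))
```

The second request is the thread's failure case: a domain-joined laptop that is still sending the logged-in user's identity instead of host/<hostname> resolves to a user account, so the "Domain Computers" condition cannot match no matter how the policies are combined. Switching the client to machine authentication (group policy or the registry setting in the linked article) is what changes the identity, not anything on the NPS side.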