Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Not allowing non-corp devices

  • 1.  Not allowing non-corp devices

    Posted Feb 26, 2013 05:10 PM

    I think the best way to do this would be eap-tls, but setting that aside for now…

     

    We are using eap-peap. The radius server is configured to allow if the machine or user is a member of the respective AD groups. What I am wanting to accomplish is make it more difficult for non-corporate devices to connect to this SSID. As it is now, I can connect my Android if I supply my AD username/password. I don’t know how to do this, but I thought I had read that it is possible to allow or deny by detected device type, but that makes me a little nervous because the controller identifies some laptops as iPods. I’m not sure if the best way to accomplish this is at the controller or at the radius server (2008 R2).

     

    Thanks for your assistance.



  • 2.  RE: Not allowing non-corp devices

    Posted Feb 26, 2013 05:36 PM

    Hi.
    Good night. :smileyhappy:

    As far as I see your issue, you've got two options:

    1. Using ClearPass


    Info:

    http://www.arubanetworks.com/products/clearpass/

    2. DHCP Fingerprint.
    You may enable DHCP fingerprinting on your AP-group/VAP (in your controller). If you configure it right, it will block Android/Apple/other smart mobile devices from connecting to your enterprise 802.1x SSID.

    You will just have to fingerprint all the unwanted device types and give them a no-service user role.

    Start reading here:
    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/COTD-DHCP-Fingerprinting-how-to-ArubaOS-6-0-1-0-and-above/td-p/11164
    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Some-more-DHCP-FingerPrints-Enjoy/td-p/37680

     

    Also read the following link:
    http://www.arubanetworks.com/wp-content/uploads/AOS-DHCP-FingerPrint-AppNote.pdf

     

    more reading how-to:
    http://pbsplaza.nl/?p=238

     

    That's what I have to offer as a solution to your question/issue.

     

    Have a lovely week.

     

    Me



  • 3.  RE: Not allowing non-corp devices

    Posted Feb 26, 2013 08:20 PM
    Leaving EAP-TLS out of the equation, and relying on NPS as your RADIUS server, you could enable 'enable machine authentication' in the dot1X profile. This gives you the option of supplying different roles for devices that pass only user authentication, only machine authentication, and for those that pass both. This is done by the controller caching the MAC of successful machine authentications, then comparing this list (in the internal DB) when a user authenticates to determine which role to apply. You can also add devices that are not domain joined by adding the MAC to the internal DB.


  • 4.  RE: Not allowing non-corp devices

    Posted Feb 27, 2013 10:01 AM

    Do you have corp owned phones? Are you going to allow them access to the wifi? Are they part of the domain?

     

    ClearPass is going to give you the most control over allowing access based on device, who, where and how they connect. 

     



  • 5.  RE: Not allowing non-corp devices

    Posted Mar 01, 2013 06:21 PM

    It looks like I have two options: ClearPass is out, and DHCP fingerprinting, while doable, seems complicated with more probability of issues. Plus our environment is pretty basic. We only have machines in the AD that we want to connect to the corporate SSID, no phones or non-AD-aware equipment.

     

    The first option seems the most straightforward. I have tested this so far with only a few laptops, two of them XP. First, it appears that XP behavior is to authenticate with machine credentials, then user credentials once the user logs in, and there is no option to change to computer only without a registry entry addition: http://support.microsoft.com/kb/309448. Windows 7 has options in the wireless config for user, computer, or user and computer. I applied that change to my test XP machines. Then I removed the user group from the radius condition on our radius server so that it only contains the OU for machines. We have a GPO that configures all the machines for the proper SSID and sets them to computer only (the computer-only setting does not affect Windows XP). Once this is done, all the test machines authenticate and are visible on the controller as host\machine_name before any user has logged in, and stay that way once a user logs in.

     

    The other option would be to follow this thread: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-Machine-and-User-Authentication/td-p/8886 which I plan to test also. What I don't like about this is that there seems to be a possibility of disconnects if a user stays logged into a machine for longer than the MAC hold time.

     

    I’m leaning toward option 1.
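A small model of the controller-side logic reply 3 describes (machine-auth MAC cache, then role derivation at user auth) that also plays out the hold-time concern raised in reply 5. This is an added illustration, not ArubaOS or NPS code; the role names, hold time, MACs and timeline are constructed.

```python
"""Model of 802.1X machine + user authentication role derivation (constructed example)."""
from dataclasses import dataclass, field

# Constructed role names; the real ones are whatever the dot1x profile assigns.
MACHINE_ONLY_ROLE = "machine-only"  # MAC passed machine auth, no user auth yet
USER_ONLY_ROLE = "user-only"        # user auth passed, but MAC never did machine auth
BOTH_ROLE = "corp-employee"         # domain PC + domain user: passed both
DENY_ROLE = "denyall"               # where a non-corp device should land


@dataclass
class MachineAuthCache:
    """Controller's memory of MACs that passed machine authentication."""
    hold_time_s: int                              # "MAC hold time" before an entry expires
    entries: dict = field(default_factory=dict)   # mac -> time of last machine auth

    def record_machine_auth(self, mac: str, now: int) -> None:
        self.entries[mac.lower()] = now

    def is_machine_authenticated(self, mac: str, now: int) -> bool:
        t = self.entries.get(mac.lower())
        return t is not None and now - t <= self.hold_time_s


def derive_role(cache, mac, now, user_auth_ok, user_only_role=USER_ONLY_ROLE):
    """Role to apply after an authentication event for this MAC.

    user_auth_ok=False models the machine-auth event itself (no user logged in yet).
    Pass user_only_role=DENY_ROLE to refuse devices that only have a user's AD creds.
    """
    machine_ok = cache.is_machine_authenticated(mac, now)
    if machine_ok and user_auth_ok:
        return BOTH_ROLE
    if machine_ok:
        return MACHINE_ONLY_ROLE
    return user_only_role if user_auth_ok else DENY_ROLE


def walk_through(hold_time_s=8 * 3600, user_only_role=USER_ONLY_ROLE):
    """Constructed timeline: domain PC boots, user logs in, a personal phone tries, late re-auth."""
    cache = MachineAuthCache(hold_time_s)
    pc, phone = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    out = []
    cache.record_machine_auth(pc, now=0)                   # PC auths as host\machine_name at boot
    out.append(("pc-boot", derive_role(cache, pc, 0, False, user_only_role)))
    out.append(("pc-user-login", derive_role(cache, pc, 60, True, user_only_role)))
    out.append(("phone-with-ad-creds", derive_role(cache, phone, 60, True, user_only_role)))
    # User stays logged in past the hold time; re-auth finds no fresh machine auth for the MAC.
    out.append(("pc-reauth-late", derive_role(cache, pc, hold_time_s + 1, True, user_only_role)))
    return out
```

Running `walk_through(user_only_role=DENY_ROLE)` shows both effects at once: the phone is denied, but so is the PC on its late re-authentication, which is the disconnect reply 5 is wary of.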