02-26-2013 02:10 PM
I think the best way to do this would be EAP-TLS, but setting that aside for now…
We are using EAP-PEAP. The RADIUS server is configured to allow access if the machine or user is a member of the respective AD groups. What I am wanting to accomplish is to make it more difficult for non-corporate devices to connect to this SSID. As it is now, I can connect my Android if I supply my AD username/password. I don’t know how to do this, but I thought I had read that it is possible to allow or deny by detected device type; that makes me a little nervous, though, because the controller identifies some laptops as iPods. I’m not sure whether the best way to accomplish this is at the controller or at the RADIUS server (2008 R2).
Thanks for your assistance.
02-26-2013 02:35 PM - edited 02-26-2013 02:42 PM
Good night. :smileyhappy:
As far as I can see, you have two options for your issue:
1. Using ClearPass
2. You may enable DHCP fingerprinting on your AP group/VAP (in your controller). If you configure it right, it will block Android/Apple/other smart mobile devices from connecting to your enterprise 802.1X SSID.
You will just have to fingerprint all the unwanted device types and give them a no-service user role.
Start reading here:
Also read the following link:
More reading (how-to):
That's what I have to offer as a solution to your question/issue.
Have a lovely week.
02-26-2013 05:20 PM
02-27-2013 07:00 AM - edited 02-27-2013 07:52 AM
Do you have corp owned phones? Are you going to allow them access to the wifi? Are they part of the domain?
ClearPass is going to give you the most control over allowing access based on device, who, where and how they connect.
03-01-2013 03:21 PM
It looks like I have two options: ClearPass is out, and DHCP fingerprinting, while doable, seems complicated, with more probability of issues. Plus, our environment is pretty basic. We only have machines in the AD that we want to connect to the corporate SSID, no phones or non-AD-aware equipment.
The first option seems the most straightforward. I have tested this so far with only a few laptops, two of them XP. First, it appears that XP behavior is to authenticate with machine credentials, then with user credentials once a user logs in, and there is no option to change to computer-only without adding a registry entry: http://support.microsoft.com/kb/309448. Windows 7 has options in the wireless config for user, computer, or user and computer. I applied that change to my test XP machines. Then I removed the user group from the RADIUS condition on our RADIUS server so that it only contains the OU for machines. We have a GPO that configures all the machines for the proper SSID and sets them to computer-only (the computer-only setting does not affect Windows XP). Once this is done, all the test machines authenticate and are visible on the controller as host\machine_name before any user has logged in, and they stay that way once a user logs in.
The other option would be to follow this thread: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-Machine-and-User-Authentication/td-p/8886, which I plan to test also. What I don’t like about this is that there seems to be a possibility of disconnects if a user stays logged into a machine for longer than the MAC hold time.
I’m leaning toward option 1.
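Once the RADIUS policy is narrowed to a machine-group condition, the practical check is that every Access-Accept on the corporate SSID carries a computer identity (`host/<fqdn>`, shown on the controller as `host\machine_name`) and never a user identity. The script below is an added example that is not part of this thread or of any Aruba or Microsoft tooling: it audits a handful of constructed authentication records and reports any user identity that was granted access on the corporate SSID. The `account=... called_station=... result=...` line format, the SSID name `CORP-WLAN`, and the assumption that the controller sends Called-Station-Id as `<AP MAC>:<SSID>` are all assumptions made for the example.

```python
"""Audit RADIUS accept events on the corporate 802.1X SSID.

After the RADIUS policy only matches the machine OU, every Access-Accept on
the corporate SSID should carry a computer identity (host/<fqdn>), never a
user identity. Any user-identity accept on that SSID means the old user
condition is still in effect somewhere (or another policy matches first).
"""
import re
from collections import Counter

CORP_SSID = "CORP-WLAN"  # assumed SSID name; not taken from the thread

# Constructed records (not real logs) modelled on the fields a RADIUS server
# records per authentication: account name, Called-Station-Id, result.
# "host/<fqdn>" is how Windows presents machine identity; the "<AP MAC>:<SSID>"
# Called-Station-Id form is an assumption about the controller's format.
SAMPLE_RECORDS = [
    "account=host/LAPTOP01.corp.example.com called_station=00-0B-86-AA-BB-C1:CORP-WLAN result=granted",
    "account=CORP\\jdoe called_station=00-0B-86-AA-BB-C1:CORP-WLAN result=granted",
    "account=host/LAPTOP02.corp.example.com called_station=00-0B-86-AA-BB-C2:CORP-WLAN result=granted",
    "account=CORP\\asmith called_station=00-0B-86-AA-BB-C2:CORP-WLAN result=denied",
    "account=CORP\\jdoe called_station=00-0B-86-AA-BB-C3:GUEST result=granted",
]

RECORD_RE = re.compile(
    r"account=(?P<account>\S+) called_station=(?P<called>\S+) result=(?P<result>\S+)"
)


def parse_record(line):
    """Split one constructed record line into its three fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return m.groupdict()


def is_machine_identity(account):
    """Machine auth identities start with host/ (RADIUS) or host\\ (controller
    display); anything else is treated as a user identity."""
    return account.lower().startswith(("host/", "host\\"))


def ssid_from_called_station(called_station):
    """Assumed <AP MAC>:<SSID> layout; split on the first ':' only, since the
    MAC uses '-' separators here and the SSID could itself contain ':'."""
    return called_station.split(":", 1)[1] if ":" in called_station else ""


def audit(lines, corp_ssid=CORP_SSID):
    """Return (counts, violations): counts per (identity kind, result) on the
    corporate SSID, and the user identities that were granted access there."""
    counts = Counter()
    violations = []
    for line in lines:
        rec = parse_record(line)
        if ssid_from_called_station(rec["called"]) != corp_ssid:
            continue  # other SSIDs (guest etc.) are out of scope
        kind = "machine" if is_machine_identity(rec["account"]) else "user"
        counts[(kind, rec["result"])] += 1
        if kind == "user" and rec["result"] == "granted":
            violations.append(rec["account"])
    return dict(counts), violations


if __name__ == "__main__":
    counts, violations = audit(SAMPLE_RECORDS)
    print(counts)
    for acct in violations:
        print("user identity accepted on corporate SSID:", acct)
```

Run against the constructed sample, the audit counts two machine accepts and one user deny on `CORP-WLAN`, and flags `CORP\jdoe` as a user identity that was still granted access there; the accept on the `GUEST` SSID is ignored. Feeding real export lines in would need only the regular expression changed to the server's own log format.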