Wireless Access

Reply
Contributor II
Posts: 48
Registered: ‎01-07-2013

User name and password authentication but limit to specific MAC addresses?

Hi

 

One of our customers plan to distribute Mac computers for their students, just over 4000. Each student has an Active Directory account.

But the customer would like to limit the students to just log in to the wireless network only from the approved Mac computers they provide the students with, not phones, tablets etc.

Students should also be able to authenticate using not only their personal machine but in theory every approved Mac computer and easily change the computer they borrow.

The Aruba Mobility Controller uses a Microsoft NPS server for AD authentication.

MAC addresses are known and can be found in a SQL database or be exported to csv or any other format. Clearpass will not be applicable due to budget reasons at the moment.

Is there any way to allow the login from just the approved MAC addresses just utilize functions in the Mobility controller and Microsoft NPS? And not limit the students to just one or a few machines.

This post describes how to limit the user to one or few machines:
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

 

Thanks in advance

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: User name and password authentication but limit to specific MAC addresses?

[ Edited ]

Okay you cant do this with mac addresses... the limit of the internal datbase is 4000! 

 

The soluton here is using EAP TLS... guest you are using EAP PEAP....

Just install the certificates to those machiens you want... and make it not exportable... so they cannot export it...

 

For mass distribution, you dont want to do it machine pper machine... you can try arubaquickconnect... but then you will have to buy it but well its cheaper than clearpass... you can ask for a demo so you can see if it fill your needs.

 

To enhance a little the explanation if you dont know but if you know well good :)

 

EAP PEAP you know it check the user and password of the AD to see if it a valid client, the problem here and the problem you encountering is that the user can just put that user and pass on the other devices....

 

EAP TLS uses user certificates instead user and password... if they dont have the user certificate installed in their machine then they wont be able to connect... and also you can make that certificate not exportable so they cannot just export it and import it to the other divces that are not allowed.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: User name and password authentication but limit to specific MAC addresses?

Carlos,

 

Thank you for your answer. This would certenly be a good way to handle this.

With EAP TLS the end user experiance is better as the user do not need to provide username and password.

 

We will take this solution in consideration and get a price for Quickconnect. 

As the customer is public schools the budget is tight and they more or less as us to do magic...

 

 

Regards

Jonas

 

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: User name and password authentication but limit to specific MAC addresses?

[ Edited ]

Also take in mind that the EAP TLS is the highest level of security, which is good, mac filtering is bad, and aruba recomends agains the use of it... you can tell that your cliennt.... i read it on aruba documentation i think it was on a VRD.

The issues you got with the mac filtering is the limit of hte internal datbase where you put the mac addresses which is 4000 and also the lack of security.

 

Does your client have  a Certification Authority??For the EAP TLS

 

Here is some documention of the ArubaQuickConnect so you can read it to see if it fill your needs

http://www.arubanetworks.com/products/clearpass/quickconnect

 

As partner you can request for a demo licence! and do the lab of the quickconnect, also it would be a good idea to do the lab of  EAP tls if you have not configured it before.   If you have done it then well you already know the deal :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Search Airheads
Showing results for 
Search instead for 
Did you mean: