Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Block Mobile Devices on SSID

This thread has been viewed 45 times
  • 1.  Block Mobile Devices on SSID

    Posted 23 days ago
    Hello,

    I have a 7030 mobility controller running 8.6.x software. I have a requirement in one particular SSID to not allow any mobile devices (iOS and android) to connect. The authentication method is PSK. How do I achieve this without clearpass solution. I have PEFNG licenses installed.

    Thanks,

    ------------------------------
    Ajin Skariah
    ------------------------------


  • 2.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Hi Ajin,

    You need to profiling your endpoints and that's where you need Aruba ClearPass for. Without ClearPass you can use some classic (less secure) method to use PSK-Personal+Mac authentication, but you need to manage all mac-adresses you want allowed.

    Note: All mac-adresses can be sniffed from the air (802.11 frames) without any need to connect to the network, so also mac-address filtering is not secure and can be spoofed easily.

    If we dive any deeper in how we get online we have the following phases:
    1. 802.11 association / 802.11 authentication
    2. Authentication / Encryption
    3. IP assigned (DHCP)
    4. Default Role
    5. Network Access

    In phase 2 we have the WPA2-Personal authentication where we known nothing about the client and have no way to filter "clients types" from each other.

    What ClearPass does; First we use WPA2-Enterprise (RADIUS) which give much more insight in the authentication and is much more secure. Secondly ClearPass use phase 3 to get profiling information based on the DHCP request of the client. ClearPass now knowns it's a mobile device, send a Change of Authorization (COA) message, client re-connect and start the process again. This time we known this client and will be blocked in phase 2 of the authentication process based on a ClearPass security policy. Normally there are two vlans uses for this process; one onboarding vlan with less rights and one client vlan.

    When take security seriously you have definitely move to WPA2-Enterprise with a RADIUS server, where Aruba ClearPass is the best solution to achieve this.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 3.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Thank you Marcel. So I can't do it with PSK authentication right?. So what if I change the authentication to 802.1x authentication? Can I make use of dhcp fingerprinting for identifying the endpoints here?

    Thanks,

    ------------------------------
    Ajin Skariah
    ------------------------------



  • 4.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    If I bring a clearpass to the this, is it possible to block devices without changing the authentication method from PSK? Please advice.

    Thanks,

    ------------------------------
    Ajin Skariah
    ------------------------------



  • 5.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    You can use profiling and return a very limited role for unknown devices to get them profiles, then assign a full access role for all devices that are not your mobile device types.

    Without ClearPass, in theory, you should be able to use User Derivation, but I have personally never used it, and you need to create your own device profiles. Would not advise anyone to go that direction if you have the option to do the same with ClearPass.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Thanks Herman. in any case I have to use 802.1x authentication right? What can I do if I just want to use PSK authentication. Sorry if the question is stupid!

    Thanks,

    ------------------------------
    Ajin Skariah
    ------------------------------



  • 7.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Hi Ajin,

    Most companies move away from WPA2-Personal (PSK) because it have a some challenging security drawbacks.  They move on to WPA2-Enterprise (RADIUS) authentication server like ClearPass. WPA2-Enterprise can be implemented based on many scenario's (EAP Methods) where EAP-TLS (certificate based authentication) is the best advise from security standpoint. But you also need to enroll certifcates on your endpoints to achieve this, what is the best practice for managed (corporated) clients, but will not work for unmanaged (guest) clients without an MDM or Onboarding mechanism.

    For profiling based on DHCP fingerprints with ClearPass you usually have two vlans; 1. For profiling 2. client data. Because you have to come on the network (you got an IP) to let profiling work, but in a limited network where after you get bounced, reconnect and come online in the normal network or be denied. To answer your question. Yes, when work with ClearPass you have to move to WPA2-Enterprise (RADIUS) authentication.

    But of course anything start with a use case and design. May i ask why you need to block ios/andriod devices? And what is the main purpose and acccess for this SSID? How many endpoint clients use this SSID?

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 8.  RE: Block Mobile Devices on SSID

    Posted 22 days ago
    PSK ( as hinted by the name WPA2-Personal) was designed as a simple encryption for personal, non-enterprise networks. WPA2-Personal has known security vulnerabilities and should bit be considered as secure. It is designed to not need or use a RADIUS server such as ClearPass.

    WPA2-Enterrise ( 802,1X, especially with EAP-TLS certificates) is needed for secure connections as well as better client authorization. WPA2-Enterprise requires a RADIUS server such as ClearPass. 

    In other words, what you are requesting cannot be accomplished in that fashion.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: Block Mobile Devices on SSID

    Posted 22 days ago
    What I described works with PSK networks as well. I agree with others that WPA2/3-Enterprise has a preference over PSK networks, but if you can't deploy and the security requirements are low, you could consider PSK networks. Note that the vulnerabilities that I know for PSK are that you can do a brute-force attack on the PSK, which is not practically feasible if you have a long PSK, let's say 16/20 characters or more and not in any dictionary. If you need to give out the PSK to users, then that may be a bigger vulnerability.

    In most cases this results in that you don't want to deploy PSK, especially not at scale and especially not when end-users are involved, but I deploy it as well sometimes for IoT devices that just don't support Enterprise authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Thanks Marcel for such an explanative answer! This requirement is for a school and the SSID is used for student Chromebooks. So the authentication here is PSK and some students use their mobile devices to connect to this SSID as they came to know the password. We want to avoid the students connecting to the SSID with their personal devices. Around 350 students access this SSID.

    Thank you,

    ------------------------------
    Ajin Skariah
    ------------------------------



  • 11.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    Note: Thanks Colin, never tried the user-derived dhcp option, nice document!

    Hi Ajin,

    Yeah students are evil ;) I remember my college days and gave the system administrator quite a headache. Try on your windows laptop "netsh wlan show profiles "profilename" key=clear" ;).

    When the student network is "internet-only" and have isolation between end users (like a guest network) i would allow the use of private devices. When the student network have access to some specific servers your would not allow to "guest" and should avoid this.

    As long using WPA2-Personal the students will always known the key after a while, its in clear-text in the wlan profiles on their devices ;). Also the registration of 350 mac-adresses will not be easy manageable for IT department.

    For 350 students i see this as an enterprise network and you should definitely go to a WPA2-Enterprise solution. 

    Are the student chromebooks give out and managed by the IT department of the school? Then it will not be hard to deploy certificates on those devices, so only devices with a valid company certificate can join the SSID network. In that case you don't need profiling "ios/andriod" but just allow managed devices. That can be achieved by a simple Microsoft NPS server, but i still recommend ClearPass because it have much more features and more easy to manage and troubleshoot (much much better insights!).

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 12.  RE: Block Mobile Devices on SSID

    Posted 23 days ago
    @ajins Are Chromebooks the only device that you want to connect?  You certainly can use only PSK for now to allow/block devices.  Please see the older document here:  https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/AOS-DHCP-FingerPrint-AppNote.pdf

    Basically you find out the DHCP fingerprint for devices that you want to allow.  Create a role for allowed devices and a role for blocked devices.  You write a user derivation rule (a line for each device)​ for each type of device that you want to allow and assign them the role that allows devices.  Your default role will then be the blocked role and block all other devices that do not have the allowed fingerprints.

    Like others have said, this does not scale, because you want the granularity of only allowing users who have a valid username and password on your system to be allowed onto the network.  Since a PSK can be shared, you might end up allowing a whole lot more users that you intended, even though you block mobile devices.  This might be a good time to determine if you can stand up a radius server in front of your identity store so that you can authenticate users via username and password, instead of just psk.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 13.  RE: Block Mobile Devices on SSID

    Posted 22 days ago
    Thanks Colin and Marcel. Yes, the Chromebooks are given by school but no certificates are deployed on the devices. Let me now try the method in the document Colin shared and see how it goes. 

    Thanks,

    ------------------------------
    Ajin Skariah
    ------------------------------



  • 14.  RE: Block Mobile Devices on SSID

    Posted 22 days ago
    There are not many enterprises today NOT dealing with credit card information. That need a higher security level than PSK. I am well aware some IoT devices do not support WPA2-Enterprise, but they can be handles with a lower level of security. I do that in a large university.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------