Network Management



Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

  • 1.  Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Jan 30, 2023 12:01 PM

    Good morning,

    This is my first post, since I recently joined this amazing community. I would like to know if you could help me with something I've been trying to figure out at work for a long time now.

    We use several AP 535s in our production environment, and we are broadcasting an Employee and a Guest network. We've noticed recently that the Employee (corporate) network is reaching the limit of available IP addresses from our DHCP scope. I am aware that we could just increase the DHCP scope to sort this out, but my concern is that most of the IP addresses are being taken by users' cell phones, which is obviously not ideal for a corporate network. We are looking into solutions like implementing a RADIUS server, but I've also heard that there might be a feature in the Aruba Instant portal that would allow me to resolve this problem. I've heard about DHCP fingerprinting, and I understand we should be able to block users or just automatically move them to a different VLAN upon authentication, but so far I have not been able to find proper documentation on how to do this in the Aruba world. If you could assist me with this, I would greatly appreciate it.

    Thanks a lot, 



  • 2.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    EMPLOYEE
    Posted Jan 31, 2023 09:56 AM
    How do the employees know the password to get their phones on the corporate network? What is the encryption/authentication setting on the corporate network?

    Think in this case it makes sense to go back to the drawing board and design a solution with what you know now in mind. Your Aruba partner or distributor should be able to assist in such a task.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Jan 31, 2023 12:09 PM
    Thanks a lot for taking the time to assist me on this Herman. 

    We've been using WPA2-PSK for some time now, and I would imagine that in the past the password was not managed with enough security (the reason why users have it). As mentioned though, we are already implementing a RADIUS server to improve our security and resolve this issue.

    But I was wondering if there is any feature or procedure that can be implemented on the Aruba Instant portal to block cell phones from accessing a specific network (in this case: Employee) or move the users to another network after they get authenticated?

    In advance, I appreciate your assistance,


  • 4.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 01, 2023 05:18 PM
    802.1x RADIUS based authentication with Machine authentication is the way forward here. By only accepting machine authentication you are limiting the corporate network to AD domain joined devices.  Ideally you would do this with certificates (EAP-TLS) for best practice security but you could also implement PEAP-MSCHAPv2 based authentication provided you securely configure the clients using group policy. 

    With a solution like ClearPass you can also implement MPSK to give each staff member a personal key for their device for BYOD if you want to move away from shared keys. Other options include Azure based web logins for staff on a captive portal / open guest network. 

    Many ways to tackle that problem!


  • 5.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 02, 2023 05:12 AM
    As said above, NPS/RADIUS authentication with certificates issued to the machine (they do NOT need to be domain joined; I use Azure-only joined machines with an Intune certificate policy via NDES). That way no personal device can ever authenticate. Username/password is definitely a no-no, and it creates a serious security risk for you!

    Seb


  • 6.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 02, 2023 06:27 PM
    @scottdoorey @spgsitsupport thanks a lot for your contribution on this discussion.

    I've been working on getting the RADIUS (NPS) authentication working on a test network, to the point that it is allowing all computers that are part of the group "Domain Computers" to be authenticated by a certificate issued from a Certificate Authority (in this case I've used AD CA), using EAP-PEAP. Although, it's only allowing computers that have been previously joined to the domain to connect to the network. Per @spgsitsupport, if I am understanding right, there should be a way to authenticate computers that are not part of the domain yet. I have not been able to accomplish this, so if you have any information on how to complete this I would appreciate it if you could share it with me. This would be super helpful for some cases, like joining a computer to the domain through wireless when a wired connection is not available.

    My main objective here is finding a way to deal with the ongoing issue we are currently facing: having cell phones accessing a network that they shouldn't be allowed on. I am aware that that was a mistake we made in the past, but I thought that there might be an option available in the AP that would allow me to accomplish this in an easier way. But if RADIUS is the only or better path to take, I am willing to go that direction.

    I really appreciate the time and intel that all of you are sharing with me,


  • 7.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 03, 2023 04:57 AM
    Here is the discussion, with link to blog, or you can go with my short version:

    Just create a dummy AD object, give it the correct host/device_name.domain.local in the Service Principal Name attribute, and add it to the group that is used in the NPS access policy (i.e. my "Intune Staff Devices")

    Obviously you must have SOME way to get the certificate issued (Intune is just easy, of course only if one has the license)

    But you would not want to allow random computers to connect to the corporate LAN.
    You need to consider your design first.

    ------------------------------
    spgsitsupport
    ------------------------------
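A scripted version of the pre-staging step described in the post above, as an added example that is not from the thread or from the poster. It assumes the ActiveDirectory PowerShell module, a placeholder device name and OU, the domain suffix quoted in the post, and the "Intune Staff Devices" group name used there.

```powershell
# Added example (not from the thread): pre-stage an AD computer object for a
# device that is not domain joined, so an NPS policy that matches on group
# membership can accept its machine certificate.
Import-Module ActiveDirectory

$DeviceName = 'LAPTOP-EXAMPLE'                          # placeholder hostname (assumed)
$DnsSuffix  = 'domain.local'                            # suffix quoted in the post
$GroupName  = 'Intune Staff Devices'                    # group name quoted in the post
$TargetOU   = 'OU=Intune Devices,DC=domain,DC=local'    # placeholder OU (assumed)

# The SPN must match the name NPS will see in the client certificate.
$spn = "host/$DeviceName.$DnsSuffix"

$computer = Get-ADComputer -Filter "Name -eq '$DeviceName'" -ErrorAction SilentlyContinue
if (-not $computer) {
    # Create the object with the SPN set; no password or domain join is needed.
    $computer = New-ADComputer -Name $DeviceName `
                               -SAMAccountName $DeviceName `
                               -Path $TargetOU `
                               -ServicePrincipalNames $spn `
                               -Enabled $true `
                               -PassThru
} elseif (-not ($computer.ServicePrincipalNames -contains $spn)) {
    # Object already exists: only add the missing SPN, keep any others.
    Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $spn }
}

# Membership of this group is what the NPS network policy condition checks.
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty distinguishedName
if ($members -notcontains $computer.DistinguishedName) {
    Add-ADGroupMember -Identity $GroupName -Members $computer
}

Get-ADComputer -Identity $computer -Properties ServicePrincipalNames, MemberOf |
    Select-Object Name, ServicePrincipalNames, MemberOf
```

The object exists only so that the certificate's identity resolves to a group-eligible account; issuing the certificate itself (Intune/NDES in the post) is a separate step.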



  • 8.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 03, 2023 10:01 AM
    Hello 
    I got a question for you
    How many devices have you got connected to the network? Does this reach your limit of the address pool, or not?
    What is the lease time you have on the DHCP server? I have gone to clients which, for some reason, have leases that do not expire or really long DHCP lease times like one week, which impacts this kind of scenario.

    When I reduce this time to maybe 4 hours then the problem stops, but it all depends.
    If, for example, on one day you need to connect 200 devices at one time and you just have 200 IP addresses in the pool, this won't help you.

    And you should consider putting the RADIUS server in as soon as possible. ClearPass would be one of the best options, but you can work with Windows NPS (not sure if with Windows NPS you can do what you are looking for with the fingerprint).

    If you implement 802.1X, do it with certificates, I mean with EAP-TLS.
    If you can't, and if you have ClearPass, you can do EAP-PEAP with machine authentication. If you do this, just the machines that are in Active Directory can join the network; the cellphones won't be able to join the network even if they put their domain user and password into their cellphones.

    Carlos


  • 9.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 03, 2023 10:09 AM
    How can anybody run out of IPs on private DHCP?

    Just use subnet mask /22 /21 /20 /19

    ------------------------------
    spgsitsupport
    ------------------------------



  • 10.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 13, 2023 01:04 PM

    Good morning All, 

    Sorry for the delay in my response, I've been out of the office for the last few days and came back today. I appreciate all the really useful information you all are providing.

    Just to clarify, the issue is not so much about running out of IP addresses available to assign. The issue I brought up is mainly focused on restricting access to a corporate network from cell phones, tablets, etc., devices that don't have a valid reason to connect to a corporate wireless network. I am aware that the issue of available IP addresses can be addressed by increasing the scope, but this won't prevent users from bringing more and more personal devices onto our network.

    I am currently working on putting RADIUS server authentication in place (NPS), and I have made the authentication work using PEAP (server authentication), but I am researching how to make it work using EAP-TLS (server/client authentication), since based on what I've read so far it seems to be one of the most secure ways to do so.

    Thank you again, you guys are awesome,




  • 11.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 13, 2023 04:06 PM

    The most secure way is with EAP-TLS.

    You can do it with EAP-PEAP as well, but it is less secure. If you implement this with Windows NPS, the problem that you have is that any user can still join the network using their cellphone just by putting in their AD user and password. If you have ClearPass then you can do machine authentication along with EAP-PEAP.


    Carlos



  • 12.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 14, 2023 05:16 AM

    EAP-PEAP is definitely NOT the way to go!

    Only EAP-TLS



    ------------------------------
    spgsitsupport
    ------------------------------



  • 13.  RE: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network

    Posted Feb 14, 2023 12:39 PM

    I absolutely agree with you. EAP-TLS is definitely a little more complicated to set up than EAP-PEAP, since you would need to create both a certificate template on the CA and a GPO (group policy) in AD to provide certificates to both servers and clients, but I do think it provides the most secure authentication.

    I was able to make this authentication work, but we are still in the testing phase. Again, thank you all for the valuable information,
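A check for the client side of the EAP-TLS setup discussed in the last posts, as an added example that is not from the thread or from any poster. It assumes the issuing CA subject string below is a placeholder to be replaced with your own, and that client certificates are autoenrolled into the local machine store.

```powershell
# Added example (not from the thread): list the certificates in the local machine
# store and report which ones satisfy the usual EAP-TLS client requirements:
# private key present, Client Authentication EKU, issued by the expected CA,
# and currently within its validity period.
$ExpectedIssuer = 'CN=CORP-ISSUING-CA'   # placeholder, replace with your CA's subject (assumed)
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$now            = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert      = $_
    $hasEku    = @($cert.EnhancedKeyUsageList.ObjectId) -contains $ClientAuthOid
    $issuerOk  = $cert.Issuer -like "*$ExpectedIssuer*"
    $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Subject         = $cert.Subject
        DnsNames        = (@($cert.DnsNameList.Unicode) -join ',')
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        ClientAuthEku   = $hasEku
        IssuerMatches   = $issuerOk
        TimeValid       = $timeValid
        UsableForEapTls = $cert.HasPrivateKey -and $hasEku -and $issuerOk -and $timeValid
        Thumbprint      = $cert.Thumbprint
    }
}

$report | Sort-Object UsableForEapTls -Descending | Format-Table -AutoSize

if (-not ($report | Where-Object UsableForEapTls)) {
    # Typical causes: template not published, autoenrollment GPO not applied,
    # or the template lacks the Client Authentication EKU.
    Write-Warning 'No certificate meets all EAP-TLS client requirements on this machine.'
}
```

Running this on a test client before pointing it at the RADIUS SSID separates "no usable certificate" failures from NPS policy or supplicant configuration problems.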