Thanks a lot for your contribution to this discussion.
I've been working on getting RADIUS (NPS) authentication working on a test network, to the point that it is allowing all computers that are part of the group "Domain Computers" to be authenticated by a certificate issued from a Certificate Authority (in this case I've used AD CA), using EAP-PEAP. However, it's only allowing computers that have previously been joined to the domain to connect to the network.
Per @spgsitsupport, if I am understanding right, there should be a way to authenticate computers that are not part of the domain yet. I have not been able to accomplish this, so if you have any information on how to complete this, I would appreciate it if you could share it with me. This would be super helpful for some cases, like joining a computer to the domain through wireless when a wired connection is not available.
My main objective here is finding a way to deal with the ongoing issue we are currently facing: cell phones accessing a network that they shouldn't be allowed on. I am aware that that was a mistake we made in the past, but I thought that there might be an option available in the AP that would allow me to accomplish this in an easier way. But if RADIUS is the only or better path to take, I am willing to go in that direction.
I really appreciate the time and intel that all of you are sharing with me.
Sent: Jan 30, 2023 11:34 AM
Subject: Block cell phones on employee Wi-Fi network or automatically move them to a Guest network
This is my first post, since I recently joined this amazing community. I would like to know if you could help me with something I've been trying to figure out at work for a long time now.
We use several AP 535s in our production environment, and we are broadcasting an Employee and a Guest network. We've noticed recently that the Employee (corporate) network is reaching the limit of available IP addresses from our DHCP scope. I am aware that we could just increase the DHCP scope to sort this out, but my concern is that most of the IP addresses are being taken by users' cell phones, which is obviously not ideal for a corporate network. We are looking into solutions like implementing a RADIUS server, but I've also heard that there might be a feature in the Aruba Instant Portal that would allow me to resolve this problem. I've heard about DHCP fingerprinting; I understand we should be able to block users or just automatically move them to a different VLAN upon authentication, but so far I have not been able to find proper documentation on how to do this in the Aruba world. If you could assist me with this, I would greatly appreciate it.
Thanks a lot,