Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

BYOD issue

  • 1.  BYOD issue

    Posted Feb 01, 2012 10:49 AM

    Hello,

    I'm currently setting up a system for BYOD with two SSIDs, one for any approved device (let's call this SSID "Employee") and the other for BYOD and guest access (let's call this one "Visitors").

    The current setup is like this: the "Employee" WLAN uses RADIUS for authentication and any user with domain credentials (Windows Server 2008 R2 w/ NPS) can log in, and the "Visitors" WLAN uses the controller's internal database for authentication w/ captive portal (a simple user/pass combination to limit access to authorized visitors and BYOD users, because we don't want to be serving internet access to whole neighborhoods).

    My issue is this: we want only authorized devices to have access to the "Employee" WLAN (these devices include mostly Windows machines, but there are some iOS devices and BlackBerries). How could I proceed with this? Assuming it can be done...

    We have an Aruba 6000 controller w/ 2 M3 modules and AP105s.

    Thanks



  • 2.  RE: BYOD issue

    Posted Feb 01, 2012 10:57 AM

    I would think the easiest way would be MAC authentication.



  • 3.  RE: BYOD issue

    Posted Feb 01, 2012 11:17 AM

    While MAC auth is certainly a possible solution, we have 300+ allowed devices with more to come. I was hoping for something a bit more scalable...

    Thanks for your input.



  • 4.  RE: BYOD issue

    Posted Feb 01, 2012 11:53 AM

    There are several different ways to accomplish this.

    If you 'trust' any user that has an AD account, then simply use that to get them onto the Employee SSID with .1x. They'll get any device onto the network with their ID. You could then use device fingerprinting to put BYOD OSes into roles that limit access, assign different VLANs, etc.

    If you only want certain employees to be able to get their BYOD onto the network, then it gets a bit more tricky.

    One way would be to stand up an SSID to do .1x with EAP-TLS as the authentication mechanism instead of EAP-PEAP. Assuming you have a local Certificate Authority, you can put a certificate on trusted devices and connect them to that SSID. You would then use device fingerprinting on the Employee SSID to push any BYOD OSes into a role that either assigns them an Internet Only ACL or a Dead End ACL. Either ACL will prohibit employees from getting onto corporate network resources with their BYOD and trigger a help desk call to get a certificate issued and get them on the EAP-TLS SSID.

    There are many options.... if the trusted devices all have accounts in Active Directory you could also 'force machine authentication' and assign roles based on that series of disposition checks as well. There is a great section in the UG about Machine Authentication. Hope this helps.
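The role disposition described in the reply above, as an added example that is not part of the thread or of any Aruba product: a managed device authenticates with EAP-TLS from the local CA or passes forced machine authentication and gets the full role; a user who passes only user authentication is fingerprinted and pushed into a limited role. The CA name, the DHCP option 55 fingerprints and the `Session` fields are constructed for the example.

```python
"""Added example: 802.1X role disposition as sketched in reply 4.
Assumptions (not from the thread): device fingerprints are DHCP option 55
parameter-request lists, and the trusted issuer is the local CA named below."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample fingerprints. A real deployment uses the controller's
# fingerprint database; these lists only illustrate the classification step.
OS_FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,121,249,43": "windows",
    "1,3,6,15,119,252": "ios",
    "1,3,6,15,26,28,51,58,59,43": "android",
}
BYOD_OSES = {"ios", "android"}
TRUSTED_CA = "CN=Corp Issuing CA"  # assumed local CA issuer DN


@dataclass
class Session:
    eap_method: str             # "EAP-TLS" or "PEAP"
    cert_issuer: Optional[str]  # issuer DN of the client certificate, if any
    machine_auth: bool          # device passed machine authentication
    user_auth: bool             # user passed user authentication
    dhcp_opt55: str             # device fingerprint seen at DHCP time


def fingerprint_os(opt55: str) -> str:
    """Map a parameter-request list to an OS family, 'unknown' if unseen."""
    return OS_FINGERPRINTS.get(opt55, "unknown")


def assign_role(s: Session) -> str:
    """Return the user role a controller would apply to this session."""
    # Path 1: EAP-TLS SSID. Only certificates from the local CA are managed devices.
    if s.eap_method == "EAP-TLS":
        return "employee" if s.cert_issuer == TRUSTED_CA else "deny"
    # Path 2: PEAP with forced machine authentication. A failed user auth is rejected.
    if not s.user_auth:
        return "deny"
    # Machine and user both passed: a domain-joined device with a valid user.
    if s.machine_auth:
        return "employee"
    # User passed, machine did not: a personal device. Known BYOD OSes get the
    # Internet Only ACL; anything else dead-ends until a certificate is issued.
    return "internet-only" if fingerprint_os(s.dhcp_opt55) in BYOD_OSES else "dead-end"
```

The two limited roles are where the help-desk trigger in the reply comes from: a device landing in `dead-end` or `internet-only` can reach nothing corporate until it is enrolled on the EAP-TLS SSID.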



  • 5.  RE: BYOD issue

    Posted Nov 26, 2012 05:28 PM

    Hi

    Which kind of CA did you use for EAP-TLS cert generation? I've found Microsoft's very useful in Windows greenfield environments, but haven't got round to generating certificates for non-Windows devices.

    Thanks

    regards



  • 6.  RE: BYOD issue

    Posted Nov 27, 2012 08:30 AM

    We ended up with Microsoft's solution; the Active Directory Certificate Services did the job very well for us. We are a Microsoft shop internally so it made sense for us.

    Generating certs for iOS devices on the other hand is an entirely different problem... Since iOS devices are mainly user oriented they don't accept machine certs very well, so we created user certs for every device.

    Our BlackBerry devices have credentials pushed by the BES that allow BBs to connect to wifi without certs.

    We are implementing an MDM server to help with mobile devices.

    (It's quite possible there is a better solution out there, I just haven't found it yet; if you do, feel free to share!)