Yep, irony is this is for guest access only, and the AD part is so that employees don't need an account created.
we originally deployed peap for corporate access, except one day the security guy ran into the office literally out of breath telling me to withdraw the production ssid because of the hack. a cynical person might think he just wanted eap-tls in - I have no problem with that myself, certs are better, we all know that. so we binned the peap and got a decent pki installed and now we use eap-tls, but for internal.
I then thought - in balance - why not use PEAP with byod accounts (no AD reference) for internet access only to avoid captive portals which always cause users no end of pain, and then that was rejected owing to the security risk of - ultimately someone being able to crack the wifi and get..... free internet - providing they were within a coverage area of course.
I got the slick guest self registration working (really like that), which of course could only be approved by email from an internal user (really liked that) - but then they said this was too open and anyone could set up an account.
We have deployed a pretty good eap-tls solution with ocsp for corporate access, but the irony is no one really uses it. They just want to have free wifi on their iphones when they are at work - you know: the practical reality I am learning about employee working habits. Let them use their own platforms and OS, then install your corporate apps on them for longer term byod, which seems to be the way to go (i.e. workspace). No big deal - they're the customers IMHO.
and yep - my captive portal uses a cert signed by verisign. The ssid also uses 3 auth failures to trigger a blacklist. I also have rfprotect on the case. What else can I do? Use patch antennas on the outer perimeter pointing inwards to limit the rf leakage and get windows sealed up with transparent film to attenuate?
I guess that just leaves onboarding, but $20 a head? understandably, my project manager is going nuts and I am trying to work out a compromise to get this done.
Every suggestion I make, I get another security requirement blocking it. In some respects I am getting grim satisfaction repeatedly saying "ok - that issue's closed off: what's next", but it is taking time, and having a detrimental effect on my sanity!
Excuse the desperate post. Someone elsewhere must have come across the same kind of thing? I am ending up having to effectively install a more sophisticated security system to protect the internet than the internal network!!
**sigh**