Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

  • 1.  Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

    Posted Oct 14, 2012 09:26 PM

    How do I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication? Only domain-joined Windows laptops should be able to connect to the SSID with 802.1X authentication, and non-domain-joined Windows laptops should not be able to connect to the SSID with 802.1X authentication.

    802.1X authentication uses Microsoft AD.



  • 2.  RE: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

    EMPLOYEE
    Posted Oct 14, 2012 09:48 PM

    You can configure the domain machines to use only computer authentication via Group Policy.  The page here:  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx tells you how to do that.

    On the remote access policy in NPS, you would only allow users in the Domain Computers group.  That would mean that only domain machines would be able to connect with their computer/machine credentials.



  • 3.  RE: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

    Posted Oct 17, 2012 11:59 PM

    Besides configuring it through Group Policy, is there any other method to configure it? My customer wants to avoid configuring it through Group Policy. Is it possible to configure it on the Microsoft RADIUS server itself?



  • 4.  RE: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

    EMPLOYEE
    Posted Oct 18, 2012 05:58 AM

    The only way is to have Windows machines use Machine Authentication.  You would then have to change your remote access policy on NPS to only allow authentication from the Windows group "Domain Computers".

    You could alternatively use DHCP fingerprinting to give Windows XP and Windows 7 computers a different role when they connect, but all of the non-Windows devices would have to obtain a DHCP address to be able to do the fingerprinting.  Android and Apple iOS devices would still be allowed to partially connect to do fingerprinting.



  • 5.  RE: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?

    Posted Oct 23, 2012 07:16 AM

    I had tried adding the Windows Computer rule for the Windows group "Domain Computers", but it failed to authenticate the user account. On the Windows RADIUS server (Windows 2008 R2), the Event Viewer error message was "invalid user account". I also tried adding Machine Group and User Group policies, in combinations of these 3 policies and vice versa, and that also didn't work. The computer also couldn't get an IP address from the DHCP server.

    It could only get authenticated when I removed all of the above policies and added only the policy below; then it worked.

    If I add a policy under Gateway "NAS Port Type, Wireless - IEEE 802.11 or Wireless - Other", the user is able to get authenticated.

    Initial logon role is "Logon-Control"

    Default 802.1X authentication role is "Authenticated"

    DHCP fingerprinting is not suitable for my customer's environment, because they want to prevent personal devices such as laptops (Windows machines), smartphones and tablets from connecting to the Staff SSID (802.1X authentication). 

    Is there some setting I missed? Please advise.



  • 6.  RE: Can I prevent Apple iOS and Android devices from connecting to the SSID with 802.1X authentication?
    Best Answer

    EMPLOYEE
    Posted Oct 23, 2012 07:39 AM

    @jordontin wrote:

    I had tried adding the Windows Computer rule for the Windows group "Domain Computers", but it failed to authenticate the user account. On the Windows RADIUS server (Windows 2008 R2), the Event Viewer error message was "invalid user account". I also tried adding Machine Group and User Group policies, in combinations of these 3 policies and vice versa, and that also didn't work. The computer also couldn't get an IP address from the DHCP server.

    It could only get authenticated when I removed all of the above policies and added only the policy below; then it worked.

    If I add a policy under Gateway "NAS Port Type, Wireless - IEEE 802.11 or Wireless - Other", the user is able to get authenticated.

    Initial logon role is "Logon-Control"

    Default 802.1X authentication role is "Authenticated"

    DHCP fingerprinting is not suitable for my customer's environment, because they want to prevent personal devices such as laptops (Windows machines), smartphones and tablets from connecting to the Staff SSID (802.1X authentication). 

    Is there some setting I missed? Please advise.


    That is right:  no user accounts are allowed, because the policy expects authentications only from domain computers, which submit their username as "host/<hostname>".  The only way to get them to submit their machine name instead of the logged-in user is either via Group Policy or by editing the registry on that computer:  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx  That is how you would do it from the NPS side.

    You can also enable "Enforce Machine Authentication" from the Aruba Controller side to keep non-domain devices off the network:  http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Machine-amp-User-Authentication-iPhones-getting-online/m-p/1638/highlight/true#M18