Wireless Access

Contributor I

Not allowing non-corp devices

I think the best way to do this would be eap-tls, but setting that aside for now…


We are using eap-peap. The radius server is configured to allow if the machine or user is a member of the respective AD groups. What I am wanting to accomplish is make it more difficult for non-corporate devices to connect to this SSID. As it is now, I can connect my Android if I supply my AD username/password. I don’t know how to do this, but I thought I had read that it is possible to allow or deny by detected device type, but that makes me a little nervous because the controller identifies some laptops as iPods. I’m not sure if the best way to accomplish this is at the controller or at the radius server (2008 R2).


Thanks for your assistance.

Re: Not allowing non-corp devices

Good night. :smileyhappy:

As far as I see your issue, you've got two options:

1. Using ClearPass






2. DHCP Fingerprint.
You may enable DHCP FINGERPRINT use on your AP-GROUP/VAP (in your controller). If you configure it right, it will block android/apple/other smart mobile devices from connecting to your enterprise 802.1x ssid.

You will just have to fingerprint all the unwanted device types and give them a no-service user role.

Start reading here:


Also read the following link:


More reading, how-to:


That's what I have to offer as a solution to your question/issue.


Have a lovely week.



*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Re: Not allowing non-corp devices

Leaving EAP-TLS out of the equation, and relying on NPS as your RADIUS server, you could enable 'enable machine authentication' in the dot1X profile. This gives you the option of supplying different roles for devices that pass only user authentication, only machine authentication, and for those that pass both. This is done by the controller caching the MAC of successful machine authentications, then comparing this list (in internal DB) when a user authenticates to determine which role to apply. You can also add devices that are not domain joined by adding the MAC to the internal DB.
Systems Engineer, Northeast USA

Frequent Contributor II

Re: Not allowing non-corp devices

 Do you have corp owned phones? Are you going to allow them access to the wifi? Are they part of the domain? 


ClearPass is going to give you the most control over allowing access based on device, who, where and how they connect. 


David Dipert
Contributor I

Re: Not allowing non-corp devices

It looks like I have two options, clearpass is out and DHCP fingerprinting while doable seems complicated with more probability of issues. Plus our environment is pretty basic. We only have machines in the AD that we want to connect to the corporate SSID, no phones or non AD aware equipment.


First option seems the most straightforward. I have tested this so far with only a few laptops, two of them XP. First, it appears that XP behavior is to authenticate with machine credentials, then user once the user logs in, and there is no option to change to computer only without a reg entry addition: http://support.microsoft.com/kb/309448. Windows 7 has options in the wireless config for user, computer, or user and computer. I applied that change to my test XP machines. Then I removed from our radius server the user group from the radius condition so that it only contains the OU for machines. We have a GPO that configures all the machines for the proper SSID and sets them to computer only (the computer only does not affect win XP). Once this is done all the test machines will authenticate and are visible on the controller as host\machine_name before any user has logged in, and stay that way once a user logs in.


The other option would be to follow this thread: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-Machine-and-User-Authentication/td-p/8886 which I plan to test also. What I don’t like about this is that there seems to be a possibility of disconnects if a user stays logged into a machine for longer than the MAC hold time.


I’m leaning toward option 1.
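
The MAC-cache role decision described in the machine-authentication reply, and the hold-time concern raised in the last post, as an added illustrative model (not ArubaOS code and not written by anyone in this thread). The role names, the 24-hour hold time, the MAC addresses and the behaviour after expiry (falling back to the user-only role) are assumptions made for the example.

```python
# Illustrative model only; role names and hold time are hypothetical.
ROLE_BOTH = "corp-full"            # passed machine and user authentication
ROLE_MACHINE_ONLY = "machine-only"
ROLE_USER_ONLY = "user-only"       # e.g. a restricted or no-service role
HOLD_SECONDS = 24 * 3600           # assumed MAC hold time


class MachineAuthCache:
    def __init__(self, hold_seconds=HOLD_SECONDS):
        self.hold = hold_seconds
        self.expiry = {}           # MAC -> expiry time; None = static entry

    @staticmethod
    def _norm(mac):
        return mac.lower().replace("-", ":")

    def add_static(self, mac):
        """Manually added device that is not domain joined; never expires."""
        self.expiry[self._norm(mac)] = None

    def machine_auth_ok(self, mac, now):
        """Successful machine authentication: cache the MAC for the hold time."""
        mac = self._norm(mac)
        if self.expiry.get(mac, 0) is not None:   # keep static entries static
            self.expiry[mac] = now + self.hold
        return ROLE_MACHINE_ONLY

    def user_auth_ok(self, mac, now):
        """Successful user authentication: role depends on the cached MAC."""
        mac = self._norm(mac)
        if mac in self.expiry:
            exp = self.expiry[mac]
            if exp is None or now < exp:
                return ROLE_BOTH
            del self.expiry[mac]   # hold time elapsed, entry is dropped
        return ROLE_USER_ONLY


def demo():
    """Constructed timeline: domain laptop, personal phone, static device."""
    cache = MachineAuthCache()
    laptop, phone, scanner = "00-11-22-33-44-55", "aa:bb:cc:dd:ee:ff", "02:00:00:00:00:01"
    cache.add_static(scanner)
    return [
        cache.machine_auth_ok(laptop, now=0),               # boot, no user yet
        cache.user_auth_ok("00:11:22:33:44:55", now=60),     # user logs in
        cache.user_auth_ok(phone, now=60),                   # AD creds on a phone
        cache.user_auth_ok(laptop, now=HOLD_SECONDS + 60),   # re-auth after hold time
        cache.user_auth_ok(scanner, now=HOLD_SECONDS * 10),  # static entry
    ]
```

The fourth result is the case the last post worries about: a user who stays logged in past the hold time re-authenticates without a fresh machine authentication and drops to the user-only role in this model.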
