Thread: Wifi clients, Radius auth, and Ipods (Networks forum, Technical)
12th March 2010, 01:45 AM #1 Wifi clients, Radius auth, and Ipods
Hi Gang,
I have a IAS config question.
I have set up RADIUS auth for wifi clients running over Ruckus gear and it works all well. The config I followed was the "ashbys IAS" doc that's floating around here.
I'll admit RADIUS auth isn't my strongest suit, so please bear with me.
What I have is a WLAN that requires RADIUS auth -- this required me to create a server certificate (from the local CA) which clients then installed automatically. Clients then had to change EAP type to PEAP, select the CA cert to validate, and hey-ho, connection.
On the RADIUS server I set up the RAP to enable "domain computers" OR "domain users".
Fantastic.
Now I have students joining this WLAN with their iPods/iPhones/Macs in general, because when they authenticate against the WLAN it shows up "certificate not trusted", which they can accept, and again hey-ho, connection.
Obviously I have set up the wifi auth incorrectly, or am expecting the wrong result.
What I'd like to do is restrict access to this WLAN to computers that are part of the domain, and any user logged into that computer, as opposed to "domain users", as it is now apparent to me this will include any device that passes correct AD credentials.
Can anyone shed some light or point to a more relevant auth scheme?
Thanks in advance
12th March 2010, 09:18 AM #2 
Originally Posted by
amfony
Hi there,
If you want to restrict it to domain-joined computers and users then you need to create an additional security group on the domain which contains the users you want to be able to connect to the wireless network, and the same for the computers. You then use these groups in the IAS policy rather than Domain Users or Domain Computers.
Ash.
15th March 2010, 12:56 AM #3 Hi Ash,
Thanks for the reply.
I am aware that the groupings are restrictive by nature, and that Domain Computers and Domain Users allow any computer in the domain to access the WiFi.
My question is not so much:
How can I only allow a select range of users to access the WiFi via RADIUS authentication?
But rather:
How do I stop non-domain-joined devices from joining the WiFi via RADIUS authentication?
Example: a student brings in an iPod/iPhone and finds the WLAN "Devices Network"; when trying to join this network the i-device will state "this certificate is not trusted, accept anyway?", which they do, passing on their valid AD credentials. And there you go ... access. And to explain, the "Devices Network" has laptop trolleys etc.
Thanks again
15th March 2010, 09:38 AM #4 If you want to keep the policy using Domain Computers and Domain Users then I think you will be hard pushed to stop non-domain devices from joining, because you have allowed anyone who knows user AD credentials to log in. You may have to go down the route of using ACLs.
Here what we do is have a security group to which we add all the computers and users we wish to grant access, and use this group in the policy. Few users are granted access, and yes, if a user is granted access then they can get in via any device (domain and non-domain devices). Instead of granting access to AD users, if they really need access via a non-domain device then we issue a guest pass.
15th March 2010, 09:49 AM #5 Hi Amfony,
We have a very similar setup here with a nice brand new Ruckus setup.
We set up our IAS server to allow only <domain>\Domain Computers, and no users (except admins, but that's for troubleshooting).
In the wireless settings under group policy, under the 802.1x tab, there is an option for authentication mode. It is usually set to computer or user by default, but if you change it to computer only, it will authenticate the computers not the user.
The only down-side is, under XP, this can only be done through GP, and not locally. Vista and 7 this option can be set locally as well.
When we get the Ruckus fully installed over Easter, we will also make the RADIUS SSID hidden, which should help as well.
Hope this helps,
David
Last edited by dyoung5; 15th March 2010 at 09:51 AM.
Reason: added last line
15th March 2010, 10:16 AM #6 
Originally Posted by
dyoung5
There is a reg hack that you can do on xp machines.
16th March 2010, 08:47 PM #7 The only other way I think you may be able to do it would be to use the MAC address filtering on the APs - yes, I know it's easy to forge these, but at least it makes it harder. When this is done, the iPhone's NIC's MAC will not be in the list of allowed MACs and therefore it won't present the cert and authentication prompt.
On a side note, in my guide that I wrote for configuring RADIUS with 802.1X authentication for IAS, the registry hack to only do computer authentication is there somewhere - I think it's called machine authentication or something similar in the guide.
Ash.
9th February 2011, 02:34 PM #8 I've just noticed this too with the same setup.
Has anyone managed to add a list of allowed MACs to IAS? I'm not sure how.
I found the option in Ruckus L2/MAC Access Control but this is limited to 128 entries.
I've seen the option to add MAC control to DHCP, but I'm sure this would be a bigger headache because then I would have to add all the MACs from every computer and device and there are a lot...
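One check that follows from the thread's discussion (a policy of Domain Users OR Domain Computers admits any device carrying a valid user credential) is to go through the RADIUS server's accepted authentications and separate machine authentications from user-credential authentications coming from MACs that are not in the school's inventory of domain-joined laptops. The script below is an added example, not code from the thread or from any poster; the records and the MAC inventory are constructed, and it assumes the identity forms Windows uses for computer authentication (host/<fqdn> or DOMAIN\<NAME>$), with the usual caveat already raised above that a MAC is only a weak identifier.

```python
import re

# Constructed sample of accepted RADIUS authentications (not real IAS log lines),
# reduced to the two attributes this check needs.
SAMPLE_RECORDS = [
    {"User-Name": "host/LAPTOP01.school.local", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "jsmith@school.local",        "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "SCHOOL\\LAPTOP02$",          "Calling-Station-Id": "00-11-22-33-44-66"},
    {"User-Name": "SCHOOL\\jsmith",             "Calling-Station-Id": "a4:d1:d2:00:00:01"},
]

# Constructed inventory of MACs belonging to domain-joined laptops (e.g. the trolley list).
KNOWN_DOMAIN_MACS = {"00-11-22-33-44-55", "00-11-22-33-44-66"}

# Identities presented by Windows computer authentication: host/<fqdn> or DOMAIN\<NAME>$.
MACHINE_ID = re.compile(r"^(host/\S+|(\S+\\)?\S+\$)$", re.IGNORECASE)


def normalize_mac(mac):
    """Strip separators and upper-case so 'a4:d1:d2...' and 'A4-D1-D2...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def is_machine_identity(user_name):
    """True when the User-Name is a computer account rather than a person's account."""
    return MACHINE_ID.match(user_name) is not None


def classify(record, known_macs):
    """Return 'machine', 'user-on-domain-computer' or 'user-on-unknown-device'."""
    if is_machine_identity(record["User-Name"]):
        return "machine"
    inventory = {normalize_mac(m) for m in known_macs}
    if normalize_mac(record["Calling-Station-Id"]) in inventory:
        return "user-on-domain-computer"
    return "user-on-unknown-device"


def unknown_device_logins(records, known_macs):
    """List (user, mac) pairs where a person's AD credential came from a non-inventoried device."""
    return [(r["User-Name"], r["Calling-Station-Id"])
            for r in records if classify(r, known_macs) == "user-on-unknown-device"]


if __name__ == "__main__":
    for user, mac in unknown_device_logins(SAMPLE_RECORDS, KNOWN_DOMAIN_MACS):
        print(f"user credential from non-inventoried device: {user} via {mac}")
```

Once the policy is switched to computer-only authentication, the same check should return an empty list; anything still listed is a device that got in on user credentials alone.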