What we do here:
We have two SSIDs.
Our RADIUS server only allows domain-joined computers to connect (computer authentication).
Guest WLAN: the RADIUS server only allows the Staff group to connect via form-based authentication.
That way students can only use school computers on our WLAN, no iPod/iPhone.
You might want to check PacketFence also.
Do you have any links to something more in-depth regarding this? I'm intrigued...
Originally Posted by Oops_my_bad
To the OP, I'd try to avoid locking down your Wi-Fi too much. I'm just speaking here as someone who likes to promote a more open and friendly environment, but once you start locking it down too much, things get messy and staff get annoyed. I don't know of many schools where locking down any non-school equipment goes down well (we don't even allow staff laptops on the Wi-Fi at mine, annoyingly).
Just use machine-only authentication instead of user authentication; you don't even need certificates. Our RADIUS-secured wireless system only lets devices with an authorised account in AD connect; user authentication is disabled.
Originally Posted by bart21
If you're using IAS as your authentication server it's a doddle. It also stops the issues you sometimes get when the machine changes from machine-based to user-based authentication at login when set up using the IAS defaults.
If you're using another RADIUS server, however, I'm not sure if you can do it. IAS is the most popular if you don't have a managed system like Cisco with its own RADIUS server built in.
Thanks for that, maniac.
Can you give me the steps to do that in IAS please?
(We do use IAS.)
Originally Posted by bart21
Have a look here:
To be honest, it was so long ago when I set this up I can't remember precisely all the steps - IAS and RADIUS are quite complex to get working, I seem to remember it took a lot of fiddling.
Effectively it's the policy conditions in IAS you can change to allow authentication only if certain conditions are met. I created a group called 'Allow Wireless Connection', to which I added all our wireless devices. I then set the policy conditions to state 'NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND Windows-Groups matches "Allow Wireless Connection"'. This ensures only devices that meet those two conditions are authenticated.
I also changed our wireless group policy so it is set for computer-only authentication - there's a box in there somewhere to do this. It did take me a little while to get this working properly, but now it is we have very few wireless problems in this school, and our access points are pretty old Cisco 1200 series ones.
Incidentally, my wireless system doesn't even prompt for a username and password if unauthorised people try to connect to it now; it just sits there saying 'authenticating' and then fails.
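The two policy conditions from the post above, modelled as a small evaluator so you can see which Access-Requests would pass (added example, not IAS code). The NAS-Port-Type numbers are the RFC 2865 values; the account names, group names other than 'Allow Wireless Connection', and the directory contents are constructed for the example.

```python
"""Simplified model of the IAS remote access policy described in the post.

This is illustrative code, not IAS itself: it checks the same two conditions
(wireless NAS-Port-Type AND membership of the allowed Windows group) against
constructed RADIUS Access-Request attributes and a constructed directory.
"""

# RFC 2865 NAS-Port-Type values matched by the IAS condition
# 'Wireless - Other OR Wireless - IEEE 802.11'.
NAS_PORT_TYPE_WIRELESS_OTHER = 18
NAS_PORT_TYPE_WIRELESS_80211 = 19
NAS_PORT_TYPE_ETHERNET = 15  # used below as a non-wireless counter-example
WIRELESS_PORT_TYPES = {NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_80211}

ALLOWED_GROUP = "Allow Wireless Connection"

# Constructed stand-in for AD group membership: RADIUS User-Name -> groups.
# With computer-only authentication the client presents host/<fqdn>; a
# DOMAIN\user identity is what user authentication would send instead.
DIRECTORY = {
    "host/lab-pc01.school.local": {"Domain Computers", ALLOWED_GROUP},
    "host/staff-lt07.school.local": {"Domain Computers"},  # not yet added to the group
    "SCHOOL\\jsmith": {"Domain Users", "Staff"},           # a user, not a machine
}


def evaluate_policy(request, directory=DIRECTORY):
    """Return (decision, reason) for one Access-Request attribute dict."""
    if request.get("NAS-Port-Type") not in WIRELESS_PORT_TYPES:
        return "Access-Reject", "NAS-Port-Type is not wireless"
    groups = directory.get(request.get("User-Name", ""))
    if groups is None:
        return "Access-Reject", "account not found in directory"
    if ALLOWED_GROUP not in groups:
        return "Access-Reject", f"not a member of '{ALLOWED_GROUP}'"
    return "Access-Accept", "wireless client in the allowed group"


def audit(requests, directory=DIRECTORY):
    """Evaluate several requests; handy for checking a policy change before rollout."""
    return [(r["User-Name"], *evaluate_policy(r, directory)) for r in requests]


if __name__ == "__main__":
    sample = [
        {"User-Name": "host/lab-pc01.school.local", "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211},
        {"User-Name": "host/lab-pc01.school.local", "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET},
        {"User-Name": "host/staff-lt07.school.local", "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_OTHER},
        {"User-Name": "SCHOOL\\jsmith", "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211},
    ]
    for name, decision, reason in audit(sample):
        print(f"{name:32} {decision:14} {reason}")
```

Only the first request is accepted; the staff laptop is rejected until its computer account is added to the group, which is the behaviour the post describes for unauthorised devices.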
Does this throw staff laptops off or just severely delay their connection? We have RM laptops connecting wirelessly (getting an IP address), but then failing to get mapped drives, because Location Chooser (an RM program) cannot access Active Directory objects.