Wireless Networks thread: Radius with BYOD? (Technical forum)
  1. #1 (napsburypark)

    Radius with BYOD?

    Hi all,

    Even after reading many articles on similar situations, I am still a little confused...

    Over the holidays I have configured Network Policy Server role on a Server 2012 R2 machine. Our wireless APs and controller are Ruckus.
    I want to create 3 SSIDs:
    1) is for staff only, authenticated by either Domain Computer or Staff user group in AD - (EAP Protected PEAP)
    2) is for students own devices (Ruckus will transfer these devices onto a separate VLAN which will go through a transparent internet proxy) - I need this to be authenticated by a username only (from AD)
    3) is for guests (I don't need to worry about this one for now)

    What I am struggling with is the authentication for staff/students. On some devices, i.e. domain-joined machines or Apple iPhones/iPads, the devices join fine for either SSID and install a certificate. However, I have some non-domain-joined machines that just will not join at all: as soon as I choose either the staff or student SSID from the wireless network list and enter a valid username/password from AD, it just fails to connect.

    I assume this is an authentication issue. Am I right in thinking that I can use NPS/RADIUS to connect a non-domain computer with just a valid AD Username?
    Any ideas what might be wrong here?

    Many thanks!

  2. #2 (computer_expert)

    Quote Originally Posted by napsburypark:
    What I am struggling with is the authentication for staff/students. On some devices, i.e. domain-joined machines or Apple iPhones/iPads, the devices join fine for either SSID and install a certificate. However, I have some non-domain-joined machines that just will not join at all: as soon as I choose either the staff or student SSID from the wireless network list and enter a valid username/password from AD, it just fails to connect.
    I have found the same thing - I think I fixed it by importing the CA certificate and/or the certificate for the NPS server into the trusted root certification store of the local machine. It means that you'll have to do it on every machine though.

  3. #3 (napsburypark)
    Thanks @computer_expert - I cannot possibly do this for hundreds of students bringing in their own devices, however. Surely there is another way to allow NPS to work with non-domain machines?

  4. #4 (maniac)
    On Windows 7 and XP machines, unless you use a trusted certificate, you will have to add the connection manually, then go into the advanced properties and un-tick the box that says 'Validate Certificate'; it will then let you connect.

    There are two ways round this. Firstly, buy a trusted certificate - not actually that expensive. Secondly, as stated above, import your root certificate onto devices, which kinda defeats the object of BYOD. I recommend you buy a trusted certificate to secure your wireless with.

    What I've done here to avoid these issues is to have the actual wireless connection unencrypted and free to join, but there's a web-based captive portal that users have to authenticate to before it will let them do anything. This is built into Meru, and works a treat for our BYOD network. I just wish it would hand the authentication details on to our web filter, but it doesn't, so users have to authenticate twice at the moment for BYOD. Yes, I know the risks with unencrypted wireless, but it's a BYOD network and not the main network, so the risks are relatively low and we are only a school; the whole lot is isolated in its own NAT'd VLAN and only ports 80 and 443 go through the firewall.

    By the way, Untangle Free Edition is a fantastic firewall product for this sort of setup, easily installable and highly configurable.

  5. #5 (RobD)

    Quote Originally Posted by maniac:
    I just wish it would hand the authentication details on to our web filter, but it doesn't, so users have to authenticate twice at the moment for BYOD.
    Which web filter are you using? We use RADIUS accounts on Meru to send auth packets to our Lightspeed web filter and it works a treat.

  6. #6 (maniac)

    Quote Originally Posted by RobD:
    Which web filter are you using? We use RADIUS accounts on Meru to send auth packets to our Lightspeed web filter and it works a treat.
    Lightspeed is our web filter, but it's provided at LEA level and you can't send authentication packets directly to the server to my knowledge; you can only use the provided client program that sends the details of the currently logged-on user to the LEA servers (for academy-owned devices) or authenticate to the web interface.

  7. #7 (napsburypark)
    @maniac - Thanks for this information. So to clarify, if I were to buy a trusted certificate, then all non-domain machines (including Windows XP and 7) would just be able to join the network using AD user authentication only? With no need for our IT team to manually get involved installing certificates or configuring manual networks?

    If this is the case, could you explain the process a little more about obtaining a trusted certificate?

    Many thanks!

  8. #8 (maniac)

    Quote Originally Posted by napsburypark:
    @maniac - Thanks for this information. So to clarify, if I were to buy a trusted certificate, then all non-domain machines (including Windows XP and 7) would just be able to join the network using AD user authentication only? With no need for our IT team to manually get involved installing certificates or configuring manual networks?

    If this is the case, could you explain the process a little more about obtaining a trusted certificate?

    Many thanks!
    Yes, that's correct.

    Essentially, certificates work on a trust basis, so in order for your clients to trust your RADIUS server, the certificate that it uses for its security and identity has to be issued from a trusted source. By default, Network Policy Server on Server 2008/2012 (I'm assuming you're using NPS as your RADIUS provider?) uses a self-generated certificate, issued to the server at the time of joining the domain, in order to validate itself to the client, but obviously clients that are not part of your network won't trust this certificate because they don't know who issued it.

    All you need to do is obtain an SSL certificate from a provider (such as GoDaddy, for example) that is suitable for server identification. You need to make sure you request the certificate with the correct server name and then make sure NPS is using this certificate.

    You can see the certificate that NPS is using by looking at the PEAP properties in the network policy (I also assume you are using PEAP, as it's the most common method of doing this). To use a different certificate after obtaining it from a trusted certificate authority, you import it into the Computer Personal certificate store along with any intermediate certificates and then instruct NPS to use it. You will then be able to join anything to the wireless network without any errors.

    Mike.
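
The post above describes the steps as an administrator would click through them. The script below is an added example (not from the thread, and not a Microsoft or NPS tool): it imports a CA-issued PEAP server certificate and its intermediates into the computer stores on the NPS box and then checks, before anything is changed in NPS, the three things that make non-domain clients accept it: the certificate carries the Server Authentication EKU, its name matches the NPS server's FQDN, and it chains to a root the machine already trusts. The PFX path, intermediate .cer paths, and the FQDN `nps01.school.example` are placeholders; `Test-NpsPeapCertificate` is a name chosen for this example. It uses the standard Import-PfxCertificate and Import-Certificate cmdlets from the Windows PKI module and the .NET X509Chain class.

```powershell
# Added example: stage a trusted PEAP certificate for NPS and verify it before
# selecting it under the PEAP properties of the network policy.
# Placeholders: PFX path, intermediate CA files, and the NPS server FQDN.
$PfxPath          = 'C:\certs\nps-server.pfx'          # placeholder: CA-issued cert + private key
$IntermediateCers = @('C:\certs\ca-intermediate.cer')  # placeholder: intermediate CA cert(s)
$NpsFqdn          = 'nps01.school.example'             # placeholder: name the cert was requested for
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'                # Server Authentication EKU

function Test-NpsPeapCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $ExpectedFqdn
    )

    # Server Authentication EKU: Windows PEAP clients reject a cert without it.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })

    # Name check: SAN DNS name (falls back to the subject CN) must equal the NPS FQDN.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($dnsName -ieq $ExpectedFqdn) -or ($Cert.Subject -imatch "CN=$([regex]::Escape($ExpectedFqdn))(,|$)")

    # Chain check against this machine's own trust stores; revocation is skipped so the
    # check also works on a box without internet access. A failure here means the
    # intermediate or root is missing and clients will see a trust error as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    [pscustomobject]@{
        Thumbprint      = $Cert.Thumbprint
        Subject         = $Cert.Subject
        DnsName         = $dnsName
        HasPrivateKey   = $Cert.HasPrivateKey     # NPS cannot use a cert without its key
        HasServerAuth   = $hasServerAuth
        NameMatches     = $nameOk
        ChainTrusted    = $chainOk
        ChainErrors     = $chainErrors
        ReadyForNps     = $Cert.HasPrivateKey -and $hasServerAuth -and $nameOk -and $chainOk
    }
}

# 1. Intermediates go to the computer's Intermediate Certification Authorities store so
#    NPS can send the full chain to clients.
foreach ($cer in $IntermediateCers) {
    Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}

# 2. The server certificate and its private key go to the computer's Personal store
#    (Local Computer > Personal), which is where the PEAP properties dialog lists them.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword | Select-Object -First 1

# 3. Verify before touching NPS; print the thumbprint to pick in the PEAP properties.
$result = Test-NpsPeapCertificate -Cert $cert -ExpectedFqdn $NpsFqdn
$result | Format-List
if (-not $result.ReadyForNps) {
    Write-Warning 'Certificate is not ready for PEAP; fix the items marked False above before selecting it in NPS.'
}
```

Run it in an elevated PowerShell session on the NPS server. The `ChainTrusted` result is the one that predicts whether BYOD clients will connect: it is evaluated against the same Trusted Root store that a default Windows install ships with, so a `True` here with a public CA means the clients' existing roots will validate the server without any per-device import.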

  9. #9 (napsburypark)
    Okay - thanks @maniac - you've been a great help!! :-)
