Wireless Networks Thread: Wifi clients, Radius auth, and Ipods (Technical)
  #1 amfony

    Wifi clients, Radius auth, and Ipods

    Hi Gang,

    I have an IAS config question.

    I have set up RADIUS auth for wifi clients running over Ruckus gear and it works all well. The config I followed was the "ashbys IAS" doc that's floating around here.

    I'll admit RADIUS auth isn't my strongest suit so please bear with me.

    What I have is a WLAN that requires RADIUS auth -- this required me to create a server certificate (from local CA) which clients then installed automatically. Clients then had to change EAP type to PEAP, select the CA cert to validate and hey-ho, connection.

    On the RADIUS server I set up the RAP to enable "domain computers" OR "domain users".

    Fantastic.

    Now I have students joining this WLAN with their iPods/iPhones/Macs in general, because when they authenticate against the WLAN it shows up "certificate not trusted", which they can accept and again hey-ho, connection.

    Obviously I have set up the wifi auth incorrectly, or am expecting the wrong result.

    What I'd like to do is to restrict access to this WLAN to computers that are part of the domain, and any user logged into those computers, as opposed to "domain users", as it is now apparent to me this will include any device that passes correct AD credentials.

    Can anyone shed some light or point to a more relevant auth scheme?

    Thanks in advance

  #2
    Quote Originally Posted by amfony View Post (post #1, quoted in full)
    Hi there,

    If you want to restrict it to the domain-joined computers and users then you need to create an additional security group on the domain which contains the users you want to be able to connect to the wireless network, and the same for the computers. You then use these groups in the IAS policy rather than Domain Users or Domain Computers.

    Ash.

  #3 amfony
    Hi Ash,

    Thanks for the reply.

    I am aware that the groupings are restrictive by nature, and that Domain Computers and Domain Users allow any computer in the domain to access the WiFi.

    My question is not so much:

    How can I only allow a select range of users to access the WiFi via RADIUS authentication

    But rather:

    How do I stop non-domain-joined devices from joining the WiFi via RADIUS authentication
    Example: A student brings in an iPod/iPhone and finds WLAN "Devices Network". When trying to join this network the i-device will state "this certificate is not trusted, accept anyway?", which they do, passing on their valid AD credentials. And there you go ... access. And to explain, the "Devices Network" has laptop trolleys etc.

    Thanks again

  #4 apeo
    If you want to keep the policy using Domain Computers and Domain Users then I think you will be hard pushed to stop non-domain devices from joining, because you have allowed anyone who knows AD user credentials to log in. You may have to go down the route of using ACLs.

    Here, what we do is to have a security group to which we add all the computers and users we wish to grant access, and use this group in the policy. Few users are granted access, and yes, if a user is granted access then they can get in via any device (domain and non-domain devices). Instead of granting access to AD users, if they really need access via a non-domain device then we issue a guest pass.

  #5 dyoung5
    Hi Amfony,

    We have a very similar setup here with a nice brand new Ruckus setup.

    We set up our IAS server to allow only <domain>\Domain Computers, and no users (except admins, but that's for troubleshooting).

    In the wireless settings under group policy, under the 802.1x tab, there is an option for authentication mode. It is usually set to "computer or user" by default, but if you change it to "computer only", it will authenticate the computers, not the user.

    The only downside is, under XP, this can only be done through GP, and not locally. On Vista and 7 this option can be set locally as well.

    When we get the Ruckus fully installed over Easter, we will also make the RADIUS SSID hidden, which should help as well.

    Hope this helps,
    David
    Last edited by dyoung5; 15th March 2010 at 08:51 AM. Reason: added last line
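    The gap described in post #1 and closed by the computer-only policy in post #5 shows up in the IAS log: a "Domain Computers OR Domain Users" policy returns Access-Accept for a User-Name that is a plain user account, while a domain-joined machine doing 802.1X computer authentication presents host/<fqdn>. The following audit script is an added example, not code from the thread or from any poster; it reads IAS-format log lines (six fixed fields followed by attribute-id,value pairs) and lists the accepts on the devices WLAN that were granted on user credentials, which are the candidate phones, iPods and personal Macs. The log lines are constructed, and the attribute ids 4136 (Packet-Type) and 4149 (NP-Policy-Name) are assumptions; 31 is the standard RADIUS Calling-Station-Id.

```python
"""Audit IAS-format RADIUS log lines for user-credential logons on a WLAN
that is supposed to admit only domain-joined computers.

Added example, not code from the thread. Assumes the IAS log format: six
fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time,
Service-Name, Computer-Name) followed by attribute-id,value pairs.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass, field

PACKET_TYPE = "4136"        # assumed IAS id for Packet-Type
POLICY_NAME = "4149"        # assumed IAS id for NP-Policy-Name
CALLING_STATION_ID = "31"   # standard RADIUS Calling-Station-Id (client MAC)
ACCESS_ACCEPT = "2"         # RADIUS code 2 = Access-Accept, 1 = Access-Request

# Constructed sample log: MACs, accounts and policy names are made up.
SAMPLE_LOG = """\
192.168.1.1,host/LAPTOP01.school.local,03/15/2010,08:51:00,IAS,RADIUS1,4136,2,4149,Devices Network,31,00-11-22-33-44-55
192.168.1.1,SCHOOL\\jsmith,03/15/2010,08:52:10,IAS,RADIUS1,4136,1,4149,Devices Network,31,AA-BB-CC-DD-EE-01
192.168.1.1,SCHOOL\\jsmith,03/15/2010,08:52:11,IAS,RADIUS1,4136,2,4149,Devices Network,31,AA-BB-CC-DD-EE-01
192.168.1.1,SCHOOL\\adoe,03/15/2010,09:00:00,IAS,RADIUS1,4136,2,4149,Staff Wireless,31,AA-BB-CC-DD-EE-02
"""


@dataclass
class RadiusEvent:
    nas_ip: str
    user_name: str
    date: str
    time: str
    attrs: dict[str, str] = field(default_factory=dict)

    @property
    def is_machine_auth(self) -> bool:
        """802.1X computer authentication presents the machine account as
        host/<fqdn>; anything else was granted on a user's AD credentials."""
        return self.user_name.lower().startswith("host/")


def parse_ias_line(line: str) -> RadiusEvent:
    """Split one IAS-format record into its fixed fields and attribute map."""
    fields = next(csv.reader([line]))
    if len(fields) < 6 or (len(fields) - 6) % 2 != 0:
        raise ValueError(f"malformed IAS record: {line!r}")
    attrs = dict(zip(fields[6::2], fields[7::2]))
    return RadiusEvent(fields[0], fields[1], fields[2], fields[3], attrs)


def user_logons_on_policy(log_text: str, policy_name: str) -> list[dict[str, str]]:
    """Return every Access-Accept matched by `policy_name` that was granted on
    user rather than machine credentials. Under a "Domain Computers OR Domain
    Users" policy these are exactly the logons a computer-only policy would
    have refused, so each one is a candidate non-domain device."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_ias_line(line)
        if ev.attrs.get(PACKET_TYPE) != ACCESS_ACCEPT:
            continue                      # only granted sessions matter
        if ev.attrs.get(POLICY_NAME) != policy_name:
            continue                      # other WLANs may legitimately allow users
        if ev.is_machine_auth:
            continue                      # domain computer: expected
        findings.append({
            "user": ev.user_name,
            "mac": ev.attrs.get(CALLING_STATION_ID, "unknown"),
            "when": f"{ev.date} {ev.time}",
        })
    return findings


if __name__ == "__main__":
    for hit in user_logons_on_policy(SAMPLE_LOG, "Devices Network"):
        print(f"user-credential logon on devices WLAN: {hit}")
```

    Run it against the IAS log before and after switching the policy to Domain Computers only and setting the clients' 802.1X authentication mode to "computer only": beforehand it lists the user-credential accepts (the constructed sample yields one, for SCHOOL\jsmith from AA-BB-CC-DD-EE-01), afterwards those requests should appear as rejects and the list should be empty.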

  #6 apeo
    Quote Originally Posted by dyoung5 View Post (post #5, quoted in full)
    There is a reg hack that you can do on XP machines.

  #7
    The only other way I think you may be able to do it would be to use the MAC address filtering on the APs - yes, I know it's easy to forge these, but at least it makes it harder. When this is done, the iPhone's NIC's MAC will not be in the list of allowed MACs and therefore it won't present the cert and authentication prompt.

    On a side note, in my guide that I wrote for configuring RADIUS with 802.1x authentication for IAS, the registry hack to only do computer authentication is there somewhere - I think it's called machine authentication or something similar in the guide.

    Ash.

  #8 HCC
    I've just noticed this too with the same setup.

    Has anyone managed to add a list of allowed MACs to IAS? I'm not sure how.

    I found the option in Ruckus L2/MAC Access Control but this is limited to 128 entries.

    I've seen the option to add MAC control to DHCP, but I'm sure this would be a bigger headache because then I would have to add all the MACs from every computer and device and there are a lot...
