Solved

Windows 2003 IAS RADIUS for Wifi - Apple iPhone

Posted on 2010-04-06
14
Medium Priority
2,220 Views
Last Modified: 2012-05-09
Hello Experts,

I have a Windows 2003 IAS RADIUS server installed for WiFi in the office. It is configured to sync with Active Directory so it uses Username/Password to authenticate you to the network. I also configured it to require each domain computer to install a DER x.509 certificate. I have to install this certificate manually by going into the Wireless Connections Advanced Settings and configuring PEAP.

My question is, my iPhone can see the AP and when it asks for my credentials (username/password), it automatically sees that it needs a certificate. I click "install certificate" and bamm, I'm connected to the network. Why is it so easy for the iPhone to get the IAS cert installed, when I was thinking that this is another layer of security so as not to allow the cert to be distributed so freely? Is there a way I can prevent this?

Thanks in advance!
0
Question by:katredrum
14 Comments
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30210798
It is another layer of security, yes, because it offers traffic encryption. That is the whole point of the certificate. However, if you want to prevent connections you should configure IAS policies.
0
 
LVL 1

Author Comment

by:katredrum
ID: 30219633
I want to prevent iPhones from getting on the WiFi network. I did set up policies to only allow domain users and domain computers, which an iPhone is not.
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30219923
Domain Users = everybody who logs onto your domain, essentially granting everybody Wi-Fi-capable logons.
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30220279
You need to configure IAS policies to limit Wi-Fi capability to certain groups only. You can further limit it by port type or MAC address.
0
 
LVL 1

Author Comment

by:katredrum
ID: 30226806
Is there a way to combine policies such as only allowing Domain Users + Domain Computers?
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30227115
No, because:
1) Domain Users (built-in security group) includes everybody with a domain account
2) iPhone is not a workstation (you don't join it to the domain) and thus does not have a computer account
Thus, you need to restrict it by policy on the actual IAS server. Create a new security group called WiFi Users and adjust IAS to only authenticate those. This way, if you are not a member of that particular group you don't get Wi-Fi access. This is the easiest way. Or are you looking for something specific?
0
 
LVL 1

Author Comment

by:katredrum
ID: 30228418
The problem is that only the tech-savvy users are using their iPhones, and they are also allowed to use WiFi in the office.

I was hoping I could use the x.509 certificate to prevent devices from accessing our WiFi, but the iPhone can easily install the certificate without any restrictions. If I can't deny devices (other than using MAC filters), is there a way to restrict devices such as the iPhone from obtaining the certificate?
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30229033
You cannot use a certificate to prevent connection attempts. The certificate is given out to the clients freely by the IAS server, be it desktops or iPhones. Create a user group and place the user accounts of those who have iPhones there. Configure IAS to only accept authorization requests from those groups. You can accomplish that easily through the connection policy.
0
 
LVL 1

Author Comment

by:katredrum
ID: 30229589
I don't know if I'm reading your suggestion incorrectly, but I am actually trying to prevent all iPhones from using WiFi. They are taking up our company's bandwidth when they have cellular data plans. Is there a way to do this without denying my current users' access when using company-assigned laptops?
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30229913
This is a 2003 IAS RADIUS server configuration: change the connection policy to only allow authorized groups to connect to IAS, and thus to Wi-Fi. Let me know if you need any help configuring that portion. Laptops are easier since they have a computer account and you can restrict based on domain membership. Data plans are totally unrelated to the question at hand.
0
 
LVL 1

Author Comment

by:katredrum
ID: 30230785
Even if I change the connection policy to only allow authorized groups, it will still allow the users with iPhones to access our WiFi because they are required to have access to WiFi using their laptops.

For example, John requires access to WiFi using his company laptop to do his job. He also has an iPhone.

If I change the connection policy from Domain Users to John's account, he will still be able to use his iPhone to access our WiFi with his domain account.

Is there another way I can configure a connection policy so that John can access WiFi using his laptop but NOT his iPhone?

I was hoping, from my current configuration, that since the iPhone is NOT a part of Domain Computers it would not be able to access our WiFi.
0
 
LVL 13

Accepted Solution

by:Dmitri Farafontov (earned 2000 total points)
ID: 30231062
Then it's simpler than it looks. Configure IAS to allow only domain-joined laptops, and use computer accounts to authorize Wi-Fi connections. I do assume they are joined. If not, post back.
0
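The point the accepted answer and the earlier "connection policy" comment turn on is which identity the policy sees: a domain-joined Windows laptop doing PEAP machine authentication presents its computer account (a `host/<fqdn>` or `DOMAIN\NAME$` identity, member of Domain Computers), while a phone can only present a person's username and password (member of Domain Users). The certificate the iPhone installs is the RADIUS server's own certificate, so it cannot distinguish devices; the group condition on the authenticated identity can. The following Python model is an added example, not IAS code or a configuration export from the thread: it evaluates constructed sample Access-Requests against a "before" policy (any domain user or computer on wireless) and an "after" policy (computer accounts via machine authentication only). Identities, hostnames, group names and the policy names are constructed sample data.

```python
# Added example (not from the thread): a small model of IAS remote access
# policy evaluation showing why a "Domain Users" policy admits an iPhone
# while a "Domain Computers only" policy does not. All identities, hostnames
# and group names are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

WIRELESS = "Wireless-IEEE-802.11"   # RADIUS NAS-Port-Type value used for Wi-Fi


@dataclass(frozen=True)
class AccessRequest:
    """The parts of a RADIUS Access-Request that the policy looks at."""
    user_name: str               # inner PEAP identity (User-Name attribute)
    nas_port_type: str
    groups: FrozenSet[str]       # AD groups of the identity that authenticated


def is_machine_identity(user_name: str) -> bool:
    """Windows machine authentication presents host/<fqdn> (or DOMAIN\\NAME$);
    a phone supplying a person's credentials never looks like this."""
    return user_name.lower().startswith("host/") or user_name.endswith("$")


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    nas_port_types: FrozenSet[str]
    windows_groups: FrozenSet[str]   # any listed group matches, as in IAS
    machine_auth_only: bool = False

    def matches(self, req: AccessRequest) -> bool:
        if req.nas_port_type not in self.nas_port_types:
            return False
        if not (req.groups & self.windows_groups):
            return False
        if self.machine_auth_only and not is_machine_identity(req.user_name):
            return False
        return True


def evaluate(policies: List[RemoteAccessPolicy],
             req: AccessRequest) -> Tuple[str, Optional[str]]:
    """IAS walks policies in order; the first policy whose conditions match decides."""
    for policy in policies:
        if policy.matches(req):
            return "Access-Accept", policy.name
    return "Access-Reject", None


# Constructed sample requests: a domain-joined laptop doing machine auth,
# the same user's credentials typed into an iPhone, and the laptop on a wired port.
LAPTOP_MACHINE = AccessRequest("host/lt-john.corp.example", WIRELESS,
                               frozenset({"Domain Computers"}))
IPHONE_USER = AccessRequest("CORP\\john", WIRELESS, frozenset({"Domain Users"}))
WIRED_LAPTOP = AccessRequest("host/lt-john.corp.example", "Ethernet",
                             frozenset({"Domain Computers"}))

# Before: the policy the question describes, any domain user or computer on wireless.
BEFORE = [RemoteAccessPolicy("Wi-Fi domain users", frozenset({WIRELESS}),
                             frozenset({"Domain Users", "Domain Computers"}))]
# After: the accepted answer, only computer accounts via machine authentication.
AFTER = [RemoteAccessPolicy("Wi-Fi domain computers", frozenset({WIRELESS}),
                            frozenset({"Domain Computers"}), machine_auth_only=True)]


def compare() -> Dict[str, Dict[str, str]]:
    """Decision for each sample request under both policy sets."""
    samples = {"laptop": LAPTOP_MACHINE, "iphone": IPHONE_USER, "wired": WIRED_LAPTOP}
    return {label: {"before": evaluate(BEFORE, r)[0], "after": evaluate(AFTER, r)[0]}
            for label, r in samples.items()}


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:7s} before={result['before']:14s} after={result['after']}")
```

Under the "after" policy the laptop is still accepted, the iPhone is rejected, and a wired request is rejected by the NAS-Port-Type condition regardless of group. The caveat a practitioner should check before deploying this is that the laptops really do perform machine authentication (the Windows wireless profile must authenticate as computer, not only as user); a laptop that only does user authentication is indistinguishable from the phone under this policy and would lose Wi-Fi as well.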
 
LVL 1

Author Closing Comment

by:katredrum
ID: 31711555
Perfect! Thanks!
0
 
LVL 13

Expert Comment

by:Dmitri Farafontov
ID: 30236356
Awesome!
0
