Windows 2003 IAS RADIUS for Wifi - Apple iPhone

Hello Experts,

I have a Windows 2003 IAS RADIUS server installed for WiFi in the office. It is configured to sync with Active Directory, so it uses username/password to authenticate you to the network. I also configured it to require each domain computer to install a DER X.509 certificate. I have to install this certificate manually by going into the Wireless Connections Advanced Settings and configuring PEAP.

My question is: my iPhone can see the AP, and when it asks for my credentials (username/password), it automatically sees that it needs a certificate. I click "install certificate" and bam, I'm connected to the network. Why is it so easy for the iPhone to get the IAS cert installed, when I was thinking that this is another layer of security that does not just allow the cert to be distributed so freely? Is there a way I can prevent this?

Thanks in advance!
katredrum asked:
Dmitri Farafontov (Linux Systems Admin) commented:
It is another layer of security, yes, because it offers traffic encryption. That is the whole point of the certificate. However, if you want to prevent connections, you should configure IAS policies.
katredrum (Author) commented:
I want to prevent iPhones from getting on the WiFi network. I did set up policies to only allow Domain Users and Domain Computers, which an iPhone is not.
Dmitri Farafontov (Linux Systems Admin) commented:
Domain Users = everybody who logs onto your domain, essentially granting everybody Wi-Fi-capable logons.

Dmitri Farafontov (Linux Systems Admin) commented:
You need to configure IAS policies to limit Wi-Fi capability to certain groups only. You can further limit it by port type or MAC address.
katredrum (Author) commented:
Is there a way to combine policies such as only allowing Domain Users + Domain Computers?
Dmitri Farafontov (Linux Systems Admin) commented:
No, because:
1) Domain Users (built-in security group) includes everybody with a domain account.
2) An iPhone is not a workstation (you don't join it to the domain) and thus does not have a computer account.
Thus, you need to restrict it by policy on the actual IAS server. Create a new security group called WiFi Users and adjust IAS to only authenticate those. This way, if you are not a member of that particular group, you don't get Wi-Fi access. This is the easiest way. Or are you looking for something specific?
katredrum (Author) commented:
The problem is that only the tech-savvy users are using their iPhones, and they are also allowed to use WiFi in the office.

I was hoping I could use the X.509 certificate to prevent devices from accessing our WiFi, but the iPhone can easily install the certificate without any restrictions. If I can't deny devices (other than using MAC filters), is there a way to restrict devices such as the iPhone from obtaining the certificate?
Dmitri Farafontov (Linux Systems Admin) commented:
You cannot use a certificate to prevent connection attempts. The certificate is given out to the clients freely by the IAS server, be they desktops or iPhones. Create a user group and place the user accounts there who have iPhones. Configure IAS to only accept authorization requests from those groups. You can accomplish that easily through the connection policy.
katredrum (Author) commented:
I don't know if I'm reading your suggestion incorrectly, but I am actually trying to prevent all iPhones from using WiFi. They are taking up our company's bandwidth when they have cellular data plans. Is there a way to do this without denying my current users' access when using company-assigned laptops?
Dmitri Farafontov (Linux Systems Admin) commented:
This is a 2003 IAS RADIUS server configuration: change the connection policy to only allow authorized groups to connect to IAS, and thus the Wi-Fi connection. Let me know if you need any help configuring that portion. Laptops are easier since they have a computer account and you can restrict based on domain membership. Data plans are totally unrelated to the question at hand.
katredrum (Author) commented:
Even if I change the connection policy to only allow authorized groups, it will still allow the users with iPhones to access our WiFi, because they are required to have access to WiFi using their laptops.

For example, John requires access to WiFi using his company laptop to do his job. He also has an iPhone.

If I change the connection policy from Domain Users to John's account, he will still be able to use his iPhone to access our WiFi with his domain account.

Is there another way I can configure a connection policy so that John can access WiFi using his laptop but NOT his iPhone?

I was hoping, from my current configuration, that since the iPhone is NOT a part of Domain Computers, it would not be able to access our WiFi.
Dmitri Farafontov (Linux Systems Admin) commented:
Then it's simpler than it looks. Configure IAS to allow only domain-joined laptops, and use computer accounts to authorize Wi-Fi connections. I do assume they are joined. If not, post back.
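As an added illustration (not part of the thread, and not IAS code), the model below shows why the accepted answer works: a remote access policy whose Windows-Groups condition names only Domain Computers matches a PEAP machine authentication from a domain-joined laptop (identity `host/<fqdn>`, backed by the `LAPTOP01$` computer account) but not John's domain credentials typed on an iPhone. The directory contents and the two requests are constructed sample data.

```python
# Added example: models IAS policy evaluation on the Windows-Groups condition.
# Constructed sample directory: account -> security groups. Machine accounts
# end in "$" and belong to Domain Computers; people are in Domain Users only.
import re

DIRECTORY = {
    "LAPTOP01$": {"Domain Computers"},
    "john": {"Domain Users"},
}

# PEAP machine authentication presents the identity as host/<fqdn>,
# optionally prefixed with DOMAIN\ ; user logons look like DOMAIN\user.
MACHINE_ID = re.compile(r"^(?:[^\\]+\\)?host/(?P<host>[^.]+)", re.IGNORECASE)


def resolve_account(user_name: str) -> str:
    """Map a RADIUS User-Name to the directory account it authenticates as."""
    m = MACHINE_ID.match(user_name)
    if m:
        # host/laptop01.corp.example -> computer account LAPTOP01$
        return m.group("host").upper() + "$"
    return user_name.split("\\")[-1]


def policy_allows(user_name: str, allowed_groups: set) -> bool:
    """True when the authenticating account is in any group the policy names."""
    account = resolve_account(user_name)
    return bool(DIRECTORY.get(account, set()) & allowed_groups)


# Policy as first configured in the thread: Domain Users OR Domain Computers.
LOOSE_POLICY = {"Domain Users", "Domain Computers"}
# Policy from the accepted answer: computer accounts only.
STRICT_POLICY = {"Domain Computers"}

# Constructed requests: the laptop doing machine auth, and John on his iPhone.
REQUESTS = ["host/laptop01.corp.example", "CORP\\john"]


def evaluate(allowed_groups: set) -> dict:
    return {r: policy_allows(r, allowed_groups) for r in REQUESTS}


if __name__ == "__main__":
    print("loose :", evaluate(LOOSE_POLICY))   # both requests accepted
    print("strict:", evaluate(STRICT_POLICY))  # laptop only
```

This only holds if the laptops' supplicants are configured for computer (machine) authentication; a laptop that authenticates with user credentials only would be rejected by the strict policy just like the iPhone.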

katredrum (Author) commented:
Perfect! Thanks!
Dmitri Farafontov (Linux Systems Admin) commented:
Awesome!