Enterprise wireless authentication for handheld devices

ogexperts
Dear Experts

I am in the process of implementing a new, secure wireless infrastructure using Cisco wireless access points with WPA2, Windows Server 2008 R2 Enterprise CA and Windows Server 2008 R2 NPS.

For my Windows 7 computers which are members of my Active Directory, the setup is working fine.
I used a self-signed internal certificate and published the certificate to all client's Trusted Root.
Configured my NPS Network Policy with PEAP authentication.
A wireless GPO is pushed to the client. This policy forces Computer Authentication. The NPS policy is checking that the computer is member of a particular group as part of the authentication process.


We also have a number of handheld devices in my organisation, mainly Blackberry and iPad.
I was planning on using MAC address authentication for these devices and I read that this should be possible by creating AD accounts with username & password = MAC address of the device.

Is it possible to achieve seamless authentication for these devices (meaning that the device is automatically sending its MAC address as username/password) or is there no way around typing in a username/password (in my case, the MAC address)?

If that is indeed possible, what type of Network Request Policy/Network Policies should be configured to accomplish this?

Would greatly appreciate some advice around this.

Kind regards,
I've done several implementations of WPA2e, which works fine on the iPad once you've got the certificate on there. To do this use the iPhone Configuration Utility http://support.apple.com/kb/DL1466. I've also done a Guest Wireless network that terminated directly onto the firewall and used a VPN client to access the internal network.

If however you want to be able to use bonjour to connect an iPad to an AppleTV for presentations, you need to be on the same subnet, and so a Cisco IPSec or Anyconnect VPN wouldn't be suitable. You could however have each AppleTV on its own SSID on a non routed subnet which could be "open"

MAC addresses are far too easy to spoof....

Author

Commented:
Many thanks for your reply.

Without actually having tested the iPhone Configuration Utility, I guess exporting my self-signed root certificate and importing it onto the iPad seems like a possibility.

Not sure if the same is possible with a Blackberry handheld?

As mentioned in my original post, on my Windows clients I use the computer account for authentication. The reason behind that is to prevent people connecting personal computers and handheld devices to my wireless network. Using the domain user account for authentication will enable this possibility (at least if they also managed to export the root certificate from a company issued computer).

Going back to the handheld devices, importing the certificate will not solve the authentication part. That is why I was hoping that MAC address authentication would be possible in a seamless manner.


Do you know if it is possible to achieve this such that a user with a company-issued handheld device can just connect to the wireless network as long as there is an Active Directory user account for the device's MAC address?
I would setup two SSIDs

one SSID for the windows laptops using machine auth.
I would get this up and running first

one SSID using username and password for the iPads
From memory (it's been a while) you can put all of the settings into the profile and hide the profile from the user.

MAC auth requires a RADIUS server to have an account for the MAC address, how this would work with AD where it would also need a password I'm not sure...

What resources on your LAN do you want the iPads and Blackberries to be able to connect to ?

You can apparently do certificate based auth on iPhone

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf 

Document page 18

Author

Commented:
I have one SSID and I have successfully tested it with a domain computer account for authentication. So that portion is pretty much covered.


I read in various forum posts that for MAC address authentication with AD, you create a new user account where the username and the password should both be the same as the MAC address.
I have been able to connect a Blackberry handheld to the same network by manually logging in with that MAC address username and password, but creating MAC address based usernames is kind of pointless unless the login process is automatic without the need to key in the details.

There are various internal intranet related resources I would need to provide access to on the handheld devices as well as possibly VoIP "softphone".

Thanks for the iPhone OS Deployment Guide. I am pretty sure that will work as described, but it means I need to enable user account authentication (rather than computer account).
I would create another SSID for the iPads, that way you won't "break" the machine auth SSID

The iPhone doc intimates that you can store a username and password, and also intimates that you can store a certificate and do machine auth.

if you have to do manual auth on the blackberry, and you do not want users to be able to connect using anything else, I would suggest not allowing Blackberry, or only them onto a "guest" SSID that used a "portal" with a daily/weekly/monthly changing key for Internet access.

I know what you're trying to do technically, but I'm missing a lot of context. With issues such as these, context is key, as other people might have had a similar issue that they solved in a completely different way.

As a for instance, if you were doing this so that iPads could access a specific internal application over a WiFi network in the office, I might suggest to have a WPA2 login on an SSID that terminates on the firewall with an ACL so that their traffic can only reach that application and possibly your internal Exchange web server for email access. This would prevent anyone trying to use any other device by the virtue of it being useless for browsing the internet...

You might put in a MAC filter on a firewall or router, or use a "portal" application to provide access etc etc etc
@araberuni the aim is to do machine/certificate auth, not username/password auth...

Author

Commented:
ArneLovius

Many thanks again for your suggestions and comments. Much appreciated.
I had a look at the iPhone Configuration Utility today. I created a Configuration Profile and installed it on an iPad and it seems to be working fine. Also, it seems that all the settings configured in the profile are hidden, so this makes it easier for me to create a random username/password specifically for the iPads.

It won't give me machine authentication, but at least I can hide the login details in the profile.

I can obviously still proceed to create a separate SSID for handhelds, but regardless it will not "break" anything I already have in place.

I'll do some additional research to see if something similar can be done for my Blackberry handhelds using our BES.
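The configuration profile the author built by hand in the iPhone Configuration Utility can also be generated as a .mobileconfig plist. This Python script is an added example (not code from the thread, from Apple or from the author): it builds a Wi-Fi payload for the PEAP SSID that bundles the internal root CA and pins EAP trust to that CA and to the NPS server's name, so the hidden username/password is only released to the real RADIUS server and the user never gets a "trust this certificate?" prompt. The SSID, account, server name, identifier prefix and CA bytes are constructed placeholders, and the payload keys are the ones documented in Apple's Configuration Profile reference.

```python
import plistlib
import uuid

# Constructed placeholder for the DER bytes of the internal root CA (not a real cert).
ROOT_CA_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
EAP_PEAP = 25  # IANA EAP method type for PEAP (EAP-TLS would be 13)


def build_wifi_profile(ssid, username, password, radius_names,
                       ca_der=ROOT_CA_DER, org_id="com.example.wifi"):
    """Build .mobileconfig (XML plist bytes) for a WPA2-Enterprise SSID whose
    EAP trust is pinned to the bundled root CA and the named RADIUS servers."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {  # installs the self-signed root CA as a trusted anchor
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".rootca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Internal Root CA",
        "PayloadContent": ca_der,  # bytes are written as a plist <data> element
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".ssid",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "SSID_STR": ssid,
        "AutoJoin": True,  # seamless: device joins without user interaction
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_PEAP],
            "UserName": username,  # hidden in the profile, as the author observed
            "UserPassword": password,
            "PayloadCertificateAnchorUUID": [ca_uuid],  # only our CA may sign NPS cert
            "TLSTrustedServerNames": list(radius_names),  # only these server names
            "TLSAllowTrustExceptions": False,  # no "trust anyway" prompt to the user
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi",
        "PayloadContent": [ca_payload, wifi_payload],
    })


def parse_profile(data):
    """Read a generated profile back into a dict (for inspection and tests)."""
    return plistlib.loads(data)
```

Install the resulting file with the iPhone Configuration Utility (or any MDM); without the anchor and trusted-name keys, iOS would accept any certificate the user taps "Accept" on.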
That's great to hear :-)

I know it's not machine auth, but hopefully it will be a good enough analog
