ogexperts asked on

Enterprise wireless authentication for handheld devices

Dear Experts

I am in the process of implementing a new, secure wireless infrastructure using Cisco wireless access points with WPA2, Windows Server 2008 R2 Enterprise CA and Windows Server 2008 R2 NPS.

For my Windows 7 computers which are members of my Active Directory, the setup is working fine.
I used a self-signed internal certificate and published the certificate to all clients' Trusted Root.
Configured my NPS Network Policy with PEAP authentication.
A wireless GPO is pushed to the client. This policy forces Computer Authentication. The NPS policy is checking that the computer is member of a particular group as part of the authentication process.


We also have a number of handheld devices in my organisation, mainly Blackberry and iPad.
I was planning on using MAC address authentication for these devices and I read that this should be possible by creating AD accounts with username & password = MAC address of the device.

Is it possible to achieve seamless authentication for these devices (meaning that the device is automatically sending its MAC address as username/password) or is there no way around typing in a username/password (in my case, the MAC address)?

If that is indeed possible, what type of Network Request Policy/Network Policies should be confirmed to accomplish this?

Would greatly appreciate some advice around this.

Kind regards,
Wireless Networking, Network Security

Last Comment: ArneLovius, 8/22/2022 - Mon
SOLUTION
ArneLovius

Log in or sign up to see answer
ogexperts

ASKER
Many thanks for your reply.

Without actually having tested the iPhone Configuration Utility, I guess exporting my self-signed root certificate and importing it onto the iPad seems like a possibility.

Not sure if the same is possible with a Blackberry handheld?

As mentioned in my original post, on my Windows clients I use the computer account for authentication. The reason behind that is to prevent people connecting personal computers and handheld devices to my wireless network. Using the domain user account for authentication will enable this possibility (at least if they also managed to export the root certificate from a company issued computer).

Going back to the handheld devices, importing the certificate will not solve the authentication part. That is why I was hoping that MAC address authentication would be possible in a seamless manner.


Do you know if it is possible to achieve this such that a user with a company-issued handheld device can just connect to the wireless network as long as there is an Active Directory user account for the device's MAC address?
SOLUTION
ArneLovius
SOLUTION
ogexperts

ASKER
I have one SSID and I have successfully tested it with a domain computer account for authentication. So that portion is pretty much covered.


I read in various forum posts that for MAC address authentication with AD, you create a new user account where the username and the password should both be the same as the MAC address.
I have been able to connect a Blackberry handheld to the same network by manually logging in with that MAC address username and password, but creating MAC address based usernames is kind of pointless unless the login process is automatic without the need to key in the details.

There are various internal intranet related resources I would need to provide access to on the handheld devices as well as possibly VoIP "softphone".

Thanks for the iPhone OS Deployment Guide. I am pretty sure that will work as described, but it means I need to enable user account authentication (rather than computer account).
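The MAC-as-credential accounts described in this thread (AD user whose name and password are both the device MAC) can be used by any station that knows or guesses the MAC, so the logs are where such reuse shows up. The following is an added example, not code from this thread or from Microsoft: it reads NPS events in the DTS-compliant XML log format (assuming the element names User-Name, Calling-Station-Id and Packet-Type) and flags accepted logons where the MAC in the username is not the MAC the access point reported. The events are constructed for the example, and Calling-Station-Id is normalized because the spelling of the MAC depends on the access point vendor.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: four NPS events in the DTS-compliant XML log format,
# one <Event> per line. Only the element names read below are relied on;
# every value is made up for this example.
SAMPLE_LOG = """\
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">00-1A-2B-3C-4D-5E</User-Name><Calling-Station-Id data_type="1">001a.2b3c.4d5e</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/WS01.corp.example</User-Name><Calling-Station-Id data_type="1">10-20-30-40-50-60</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">00-1A-2B-3C-4D-5E</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-DD-EE-FF</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">00-1A-2B-3C-4D-5E</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-DD-EE-FF</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type></Event>
"""

ACCESS_ACCEPT = "2"  # RADIUS Packet-Type codes: 2 = Access-Accept, 3 = Access-Reject
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")


def normalize_mac(value):
    """Reduce any common MAC spelling (xx-xx, xx:xx, xxxx.xxxx) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def is_mac_username(name):
    """True when the User-Name is a MAC address, i.e. a MAC-as-credential account."""
    return bool(MAC_RE.match(name.strip()))


def audit_mab_events(log_text):
    """Return one finding per accepted MAC-as-credential logon.

    verdict == "ok" when the MAC in User-Name is the MAC the access point reported
    in Calling-Station-Id; "mismatch" when some other station used that account,
    which is what reuse of a shared MAC credential looks like in the log.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = ET.fromstring(line)
        user = event.findtext("User-Name", "")
        station = event.findtext("Calling-Station-Id", "")
        if event.findtext("Packet-Type", "") != ACCESS_ACCEPT or not is_mac_username(user):
            continue  # rejects and certificate/machine logons are out of scope here
        verdict = "ok" if normalize_mac(user) == normalize_mac(station) else "mismatch"
        findings.append({"user": user, "station": station, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_mab_events(SAMPLE_LOG):
        print(f"{f['verdict']:8} user={f['user']} station={f['station']}")
```

A mismatch is also what a mistyped account name or an access point that reports something other than the client MAC in Calling-Station-Id looks like, so confirm the station field before treating it as an incident.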
ASKER CERTIFIED SOLUTION
araberuni

ArneLovius

@araberuni the aim is to do machine/certificate auth, not username/password auth...
ogexperts

ASKER
ArneLovius

Many thanks again for your suggestions and comments. Much appreciated.
I had a look at the iPhone Configuration Utility today. I created a Configuration Profile and installed it on an iPad and it seems to be working fine. Also, it seems that all the settings configured in the profile are hidden, so this makes it easier for me to create a random username/password specifically for the iPads.

It won't give me machine authentication, but at least I can hide the login details in the profile.

I can obviously still proceed to create a separate SSID for handhelds, but regardless it will not "break" anything I already have in place.

I'll do some additional research to see if something similar can be done for my Blackberry handhelds using our BES.
ArneLovius

That's great to hear :-)

I know it's not machine auth, but hopefully it will be a good enough analog