ogexperts asked:

Enterprise wireless authentication for handheld devices

Dear Experts

I am in the process of implementing a new, secure wireless infrastructure using Cisco wireless access points with WPA2, Windows Server 2008 R2 Enterprise CA and Windows Server 2008 R2 NPS.

For my Windows 7 computers which are members of my Active Directory, the setup is working fine.
I used a self-signed internal certificate and published the certificate to all clients' Trusted Root store.
Configured my NPS Network Policy with PEAP authentication.
A wireless GPO is pushed to the client. This policy forces Computer Authentication. The NPS policy is checking that the computer is member of a particular group as part of the authentication process.


We also have a number of handheld devices in my organisation, mainly Blackberry and iPad.
I was planning on using MAC address authentication for these devices and I read that this should be possible by creating AD accounts with username & password = MAC address of the device.

Is it possible to achieve seamless authentication for these devices (meaning that the device is automatically sending its MAC address as username/password) or is there no way around typing in a username/password (in my case, the MAC address)?

If that is indeed possible, what type of Network Request Policy/Network Policies should be configured to accomplish this?

Would greatly appreciate some advice around this.

Kind regards,
SOLUTION
ArneLovius
ogexperts (ASKER)
Many thanks for your reply.

Without actually having tested the iPhone Configuration Utility, I guess exporting my self-signed root certificate and importing it onto the iPad seems like a possibility.

Not sure if the same is possible with a Blackberry handheld?

As mentioned in my original post, on my Windows clients I use the computer account for authentication. The reason behind that is to prevent people connecting personal computers and handheld devices to my wireless network. Using the domain user account for authentication will enable this possibility (at least if they also managed to export the root certificate from a company issued computer).

Going back to the handheld devices, importing the certificate will not solve the authentication part. That is why I was hoping that MAC address authentication would be possible in a seamless manner.


Do you know if it is possible to achieve this such that a user with a company-issued handheld device can just connect to the wireless network as long as there is an Active Directory user account for the device's MAC address?
SOLUTION
SOLUTION
I have one SSID and I have successfully tested it with a domain computer account for authentication. So that portion is pretty much covered.


I read in various forum posts that for MAC address authentication with AD, you create a new user account where the username and the password should both be the same as the MAC address.
I have been able to connect a Blackberry handheld to the same network by manually logging in with that MAC address username and password, but creating MAC address based usernames is kind of pointless unless the login process is automatic without the need to key in the details.

There are various internal intranet related resources I would need to provide access to on the handheld devices as well as possibly VoIP "softphone".

Thanks for the iPhone OS Deployment Guide. I am pretty sure that will work as described, but it means I need to enable user account authentication (rather than computer account).
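The MAC-address accounts described above (username and password both equal to the device MAC), scripted as an added example. This is not code from the thread or from any respondent; the OU, group and fine-grained password policy names, the domain suffix, the sample inventory and the assumption that the controller sends the MAC as a PAP username/password in lowercase hyphen-delimited form are all placeholders to adapt to your environment.

```powershell
# Added example (not from the original thread): bulk-create AD "device" accounts for
# Cisco MAC-address authentication (MAB) against NPS, with the controls a practitioner
# would want around them. Assumptions (placeholders, adjust to your environment):
#   - the controller sends the MAC as PAP User-Name AND User-Password, lowercase,
#     hyphen-delimited (aa-bb-cc-dd-ee-ff); the format is a controller setting and must match.
#   - the OU, group, UPN suffix and PSO name below are invented for this example.
#   - Domain functional level 2008 or higher (required for fine-grained password policies).
Import-Module ActiveDirectory

$DeviceOU    = 'OU=MAB Devices,OU=Wireless,DC=example,DC=local'  # assumed OU for device accounts
$DeviceGroup = 'Wireless-MAB-Devices'                            # assumed group the NPS policy checks
$UpnSuffix   = 'example.local'                                   # assumed domain
$PsoName     = 'PSO-MAB-Devices'                                 # assumed fine-grained password policy

# Constructed sample inventory; any MAC notation is accepted and normalised below.
$Inventory = @(
    @{ Mac = '00:1A:2B:3C:4D:5E'; Desc = 'iPad - Sales'     },
    @{ Mac = '001a.2b3c.4d60';    Desc = 'BlackBerry - Ops' }
)

function ConvertTo-MabUsername {
    # Normalise any MAC notation to the exact string the controller will send as User-Name.
    param([Parameter(Mandatory = $true)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return ($hex -replace '(..)(?!$)', '$1-')   # e.g. 00-1a-2b-3c-4d-5e
}

# "username == password == MAC" cannot pass the default domain password policy: the
# password contains the account name and has only two character classes. Rather than
# weakening the domain-wide policy, scope a fine-grained password policy to the device group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $DeviceGroup
}

foreach ($device in $Inventory) {
    $user = ConvertTo-MabUsername $device.Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$user'") {
        Write-Warning "$user already exists; skipping"
        continue
    }
    # Password is the MAC itself, which is what the controller presents on the device's behalf.
    New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$UpnSuffix" `
        -Path $DeviceOU -Description "MAB device: $($device.Desc)" `
        -AccountPassword (ConvertTo-SecureString $user -AsPlainText -Force) `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
    Add-ADGroupMember -Identity $DeviceGroup -Members $user
    Write-Host "Created $user ($($device.Desc))"
}
```

On the NPS side the matching Network Policy needs the conditions "NAS Port Type = Wireless" and "Windows Groups = <device group>", and, because MAB is presented as PAP by default, "Unencrypted authentication (PAP, SPAP)" must be enabled in that policy's authentication methods (EAP-MD5 if the controller is configured to send MAB that way instead). Two caveats worth stating plainly: a MAC address identifies a device but does not authenticate it, since MACs are visible in the clear over the air and trivially spoofed regardless of WPA2, and these accounts have a password that is public knowledge, so deny them every other logon path (Deny log on locally, through Terminal Services and over the network via GPO on the OU or group) and put MAB devices on their own SSID/VLAN with access only to the resources they need.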
ASKER CERTIFIED SOLUTION
@araberuni the aim is to do machine/certificate auth, not username/password auth...
ArneLovius

Many thanks again for your suggestions and comments. Much appreciated.
I had a look at the iPhone Configuration Utility today. I created a Configuration Profile and installed it on an iPad and it seems to be working fine. Also, it seems that all the settings configured in the profile are hidden, so this makes it easier for me to create a random username/password specifically for the iPads.

It won't give me machine authentication, but at least I can hide the login details in the profile.

I can obviously still proceed to create a separate SSID for handhelds, but regardless it will not "break" anything I already have in place.

I'll do some additional research to see if something similar can be done for my Blackberry handhelds using our BES.
That's great to hear :-)

I know it's not machine auth, but hopefully it will be a good enough analog