Solved

Restrict NPS users to one device

Posted on 2013-05-16
3,119 Views
Last Modified: 2013-05-21
I have NPS/RADIUS set up with Aerohive APs.

There are three SSIDs, Prod, iPad and Guest. There is a wireless profile pushed out by group policy which allows domain computers to connect to the Prod SSID. Staff connect their company provided iPads to the iPad SSID using domain credentials and are placed on a specific VLAN (same VLAN as their domain laptops) using Radius policies.

For BYOD such as phones and personal tablets etc, they are supposed to use the Guest SSID which has a unique PSK given to each user.

However, users being users, some don't connect to the Guest SSID and instead log onto the iPad SSID, because at the moment Windows and even Aerohive can't distinguish between iPads and phones (I don't want to go into this).

My question: How do I restrict the number of devices/connections per user on the iPad network for staff? They should only have one iPad each, and should only be connecting their one iPad to the iPad network. If I limit their connections to 1, they will not be able to connect using phones etc and will thus be forced to use the proper Guest network.

I haven't had much luck Googling this, hoping an NPS expert will have some idea.

Thanks!
Question by:Gostega
8 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
I suggest you start using PPSK instead of Radius with Aerohive so you can bind PSK's to devices.
LVL 20

Expert Comment

by:Jakob Digranes
PSK is NOT the way to go for corporate users. PSKs leak, and they can be hacked using social engineering.

If you intend to stick with NPS as authentication server, you have only the option of moving to PEAP-TLS/EAP-TLS and authenticate using certificates rather than PEAP-MsChapV2 as you have now.

But then you have to enroll certificates. BUT - this is not that big of an issue, and there are plenty of blogs explaining this.
As a last resort (not recommended) you can use machine authentication only - then domain-joined computers use their own domain usernames and passwords to log on - but then you haven't got the user visibility and two-factor authentication you might have with machine and user authentication.

Or - you can look into 3rd party AAA solutions, like Aruba Clearpass - but be warned, they could end up being pricey :-)
LVL 45

Expert Comment

by:Craig Beck
You should be very specific in your policies to enforce certain restrictions on how users can connect and what they can connect to where.

As jakob said, you need to investigate the possibility of authenticating the iPads via X.509 certificate.  This will mean you can lock down access to the SSID to allow only EAP-TLS logins.

If you decide to lock down the policies you should consider including the Called-Station-ID RADIUS attribute to specify the SSID that the connection comes from, and also the authentication method.  This way you can create a policy which says if a user connects to 'Prod' they must be presenting a certificate via EAP-TLS and the machine group must be 'Domain Computers', for example.

You could also do this for other SSIDs and protocols, based on many different criteria.

Author Comment

by:Gostega
Thanks to everyone who responded
henkva - I can already bind PSKs to devices if I so wish. However, I want to allow staff to connect their iPads using their domain credentials.

jakob_di - thanks for your advice, but that is no longer the case with today's technology. I can have a unique PSK for each user, which is bound to one device (the first device they enter it on) using Aerohive. However, I don't want to do this as it's troublesome to keep generating PSKs if they change their device or want an additional device connected.
Another reason is we are initiating a student BYOD program where students bring their own iPads in. We have over 2k students, and multiple leaving/joining throughout the year. I don't want to have to generate so many PSKs and keep updating/deleting them. Also, I am not worried about the domain side. I am already using machine auth only for that. What I need to do is restrict how many non-domain mobile devices are connecting, per user, to the iPad SSID.

craigbeck - thanks for your advice. The policies are already locked down on the domain PC side. Only machines joined to the domain and in a particular group (machine-auth) can connect to 'Prod'. However, I am wanting to know about options for the 'iPad' SSID side, where users are connecting to the 'iPad' SSID using domain credentials with non domain devices (iPads).
Your suggestion of using certificates makes sense - could you advise on the details for this? How are the certs generated? How would I get them onto the iPads?

Also, sorry if I forgot to mention this, we currently have policies where each year group of students goes onto a different VLAN. The same for staff - staff members connecting iPads are placed onto a staff VLAN. Since there is not really any way of controlling the device name or group with BYOD iPads, we have to rely on user credentials to determine who the user is and what VLAN they should be placed onto. Would certificates still enable us to do this?

Thanks again
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 500 total points
OK --- just to make this clear; you need to restrict iOS devices connecting - everything else is working okay?

If you want to deploy certs to iOS devices, you need Network Device Enrollment Service using Cisco Simple Enrollment Protocol.
You have some information here: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=1607

AeroHive might have some documents on this. I have an integration guide for Cisco ISE and Aruba Clearpass using this ... But they're quite product specific.



I've only done this once; but maybe @CraigBeck has some more to add; I think he's done this in more deployments than me ...

Author Comment

by:Gostega
Yes, everything is working fine, except currently teachers and students are connecting their phones (and Android tablets etc.) to the iPad SSID. We only want them to connect one iPad to that SSID. For all other personal devices they should fill out an application and we give them a unique device-bound PSK. Domain machines are not an issue since they connect via machine auth to the Prod SSID (the wireless profile for that is pushed out by Group Policy).

Regarding getting the certs onto the devices, I will have a read of those resources you linked, thanks. Although I was really hoping for some kind of concurrent device limit policy within NPS but maybe that's asking too much.
LVL 20

Accepted Solution

by:Jakob Digranes
Jakob Digranes earned 500 total points
Yes --- there's, at least for now, no device restriction natively in NPS  ---
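Since the accepted answer is that NPS has no native per-user device limit, the closest workaround is to audit who is actually joining the iPad SSID from more than one client MAC and chase those users up. The following PowerShell is an added example, not code from the original thread or from Aerohive or Microsoft. It assumes (none of this is stated in the thread) that NPS accounting is written in DTS-compliant XML format, one <Event> per line, under C:\Windows\System32\LogFiles\IN*.log; that the APs populate Called-Station-Id as "<AP-MAC>:<SSID>", so the iPad SSID matches the regex ':iPad$' (the same kind of Called-Station-Id pattern Craig Beck suggests as an NPS policy condition); and that Calling-Station-Id carries the client MAC. The sample log records are constructed.

```powershell
# Added example (not from the original thread): audit NPS accounting logs for
# users who have joined the "iPad" SSID from more than one client MAC.
# NPS cannot enforce a per-user device limit, so this detects the misuse
# rather than preventing it.
#
# Assumptions (not stated in the thread):
#   - NPS accounting is in DTS-compliant (XML) format, one <Event> per line.
#   - APs send Called-Station-Id as "<AP-MAC>:<SSID>", so ':iPad$' selects the iPad SSID.
#   - Calling-Station-Id carries the client's MAC address.

function Get-NpsEventField {
    # Return the text of a child element of an <Event>, or $null if absent.
    param([System.Xml.XmlElement]$Event, [string]$Name)
    $node = $Event.SelectSingleNode($Name)
    if ($null -ne $node) { $node.InnerText } else { $null }
}

function Get-MultiDeviceUsers {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$SsidPattern = ':iPad$',
        [int]$MaxDevices = 1
    )
    $devicesByUser = @{}   # user name -> hashtable of normalised client MACs

    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        try { $xml = [xml]$line } catch { continue }   # skip truncated/non-XML lines
        $e = $xml.DocumentElement
        # Packet-Type 4 = Accounting-Request; Acct-Status-Type 1 = Start.
        # Access-Request/Accept and Stop/Interim records are ignored so each
        # session counts once.
        if ((Get-NpsEventField $e 'Packet-Type') -ne '4') { continue }
        if ((Get-NpsEventField $e 'Acct-Status-Type') -ne '1') { continue }
        $called = Get-NpsEventField $e 'Called-Station-Id'
        if (-not $called -or $called -notmatch $SsidPattern) { continue }
        $user = Get-NpsEventField $e 'User-Name'
        $mac  = Get-NpsEventField $e 'Calling-Station-Id'
        if (-not $user -or -not $mac) { continue }
        # Normalise MAC separators so AA:BB:... and aa-bb-... count as one device.
        $mac = ($mac -replace '[:.]', '-').ToUpperInvariant()
        if (-not $devicesByUser.ContainsKey($user)) { $devicesByUser[$user] = @{} }
        $devicesByUser[$user][$mac] = $true
    }

    foreach ($user in $devicesByUser.Keys) {
        $macs = @($devicesByUser[$user].Keys | Sort-Object)
        if ($macs.Count -gt $MaxDevices) {
            [pscustomobject]@{
                User        = $user
                DeviceCount = $macs.Count
                Devices     = ($macs -join ', ')
            }
        }
    }
}

# Constructed sample records standing in for real IN*.log content:
# jsmith joins the iPad SSID from two different MACs (should be reported),
# adoe from one (should not), and jsmith's Prod-SSID record must not be counted.
$SampleLog = @'
<Event><Timestamp data_type="4">05/16/2013 08:01:12.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">SCHOOL\jsmith</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-01</Calling-Station-Id><Called-Station-Id data_type="1">11-22-33-44-55-66:iPad</Called-Station-Id><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">05/16/2013 08:03:40.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">SCHOOL\jsmith</User-Name><Calling-Station-Id data_type="1">aa:bb:cc:00:00:02</Calling-Station-Id><Called-Station-Id data_type="1">11-22-33-44-55-66:iPad</Called-Station-Id><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">05/16/2013 08:05:02.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">SCHOOL\adoe</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-03</Calling-Station-Id><Called-Station-Id data_type="1">11-22-33-44-55-67:iPad</Called-Station-Id><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">05/16/2013 08:06:15.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">SCHOOL\jsmith</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-04</Calling-Station-Id><Called-Station-Id data_type="1">11-22-33-44-55-66:Prod</Called-Station-Id><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
'@

$lines = $SampleLog -split "`r?`n"
Get-MultiDeviceUsers -LogLines $lines | Format-Table -AutoSize
# Against live logs:
# Get-MultiDeviceUsers -LogLines (Get-Content 'C:\Windows\System32\LogFiles\IN*.log')
```

Two caveats for anyone running this against a real deployment: Accounting-Start records only exist if the APs are configured to send RADIUS accounting to the NPS server, not just authentication; and a MAC address is an identifier, not an authenticator, so this only tells you which users to talk to. It does not stop a second device from connecting, which is the point the accepted answer makes.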

Author Closing Comment

by:Gostega
Thanks for the responses. Seems like there is no way to do what I want natively in NPS.
Using certs for the iPads was suggested as an alternative method, and jakob_di posted some useful links on how to achieve that.