

Restrict NPS users to one device

Posted on 2013-05-16
Medium Priority
Last Modified: 2013-05-21
I have NPS/RADIUS set up with Aerohive APs.

There are three SSIDs, Prod, iPad and Guest. There is a wireless profile pushed out by group policy which allows domain computers to connect to the Prod SSID. Staff connect their company provided iPads to the iPad SSID using domain credentials and are placed on a specific VLAN (same VLAN as their domain laptops) using Radius policies.

For BYOD such as phones and personal tablets etc, they are supposed to use the Guest SSID which has a unique PSK given to each user.

However, due to users being users, some don't connect to the Guest SSID and instead log onto the iPad SSID, because at the moment Windows and even Aerohive can't distinguish between iPads and phones (I don't want to go into this).

My question: How do I restrict the number of devices/connections per user on the iPad network for staff? They should only have one iPad each, and should only be connecting their one iPad to the iPad network. If I limit their connections to 1, they will not be able to connect using phones etc and will thus be forced to use the proper Guest network.

I haven't had much luck Googling this, hoping an NPS expert will have some idea.

Question by:Gostega
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39175503
I suggest you start using PPSK instead of Radius with Aerohive so you can bind PSK's to devices.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39175628
PSK is NOT the way to go for corporate users. PSKs leak and can be obtained using social engineering.

If you intend to stick with NPS as the authentication server, you have only the option of moving to PEAP-TLS/EAP-TLS and authenticating using certificates rather than PEAP-MSCHAPv2 as you have now.

But then you have to enroll certificates. BUT - this is not that big of an issue, and there are plenty of blogs explaining this.
As a last resort, not recommended - is to use machine authentication only - then domain-joined computers use their domain usernames and passwords to log on - but then you haven't got the user visibility and two-factor authentication you might have with machine and user authentication.

Or - you can look into 3rd party AAA solutions, like Aruba Clearpass - but be warned, they could end up being pricey :-)
LVL 47

Expert Comment

by:Craig Beck
ID: 39175773
You should be very specific in your policies to enforce certain restrictions on how users can connect and what they can connect to where.

As jakob said, you need to investigate the possibility of authenticating the iPads via X.509 certificate. This will mean you can lock down access to the SSID to allow only EAP-TLS logins.

If you decide to lock down the policies you should consider including the Called-Station-ID RADIUS attribute to specify the SSID that the connection comes from, and also the authentication method. This way you can create a policy which says if a user connects to 'Prod' they must be presenting a certificate via EAP-TLS and the machine group must be 'Domain Computers', for example.

You could also do this for other SSIDs and protocols, based on many different criteria.
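The policy logic described in this answer, modelled as an added example (not code from the thread or from NPS): for 802.11 the Called-Station-Id is the AP BSSID followed by a colon and the SSID, so an NPS condition matches the SSID with a regex; once a policy's conditions (SSID, group) match, its constraint (authentication method) decides the outcome and no further policy is tried. All SSIDs, groups, VLAN ids and sample requests are constructed.

```python
import re
from dataclasses import dataclass

# 802.11 Called-Station-Id looks like "AA-BB-CC-DD-EE-FF:SSID".
CALLED_STATION_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$")


def split_called_station_id(value):
    """Return (ap_mac, ssid) from a Called-Station-Id, or None if malformed."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None
    return m.group(1).upper().replace(":", "-"), m.group(2)


@dataclass
class Policy:
    name: str
    ssid_pattern: str      # regex on the SSID part, like an NPS Called-Station-ID condition
    eap_types: frozenset   # allowed EAP methods (constraint)
    required_group: str    # group the authenticating identity must belong to (condition)
    vlan: int              # Tunnel-Private-Group-ID returned on success (constructed values)


# Constructed policy set mirroring the thread's SSIDs.
POLICIES = [
    Policy("Prod: domain computers, EAP-TLS only", r"^Prod$", frozenset({"EAP-TLS"}), "Domain Computers", 10),
    Policy("iPad: staff users", r"^iPad$", frozenset({"PEAP-MSCHAPv2"}), "Staff", 10),
    Policy("iPad: Year 7 students", r"^iPad$", frozenset({"PEAP-MSCHAPv2"}), "Year7", 70),
]


def evaluate(request):
    """First-match policy processing. request: {"Called-Station-Id", "eap_type", "groups"}.
    Returns (decision, matched_policy_name, vlan)."""
    parsed = split_called_station_id(request["Called-Station-Id"])
    if parsed is None:
        return ("Reject", None, None)
    _ap_mac, ssid = parsed
    for p in POLICIES:
        if not re.search(p.ssid_pattern, ssid) or p.required_group not in request["groups"]:
            continue  # conditions not met: try the next policy
        # Conditions matched: the constraint decides, with no fallthrough on failure.
        if request["eap_type"] not in p.eap_types:
            return ("Reject", p.name, None)
        return ("Accept", p.name, p.vlan)
    return ("Reject", None, None)  # no policy matched
```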


Author Comment

ID: 39176576
Thanks to everyone who responded.
henkva - I can already bind PSKs to devices if I so wish. However, I want to allow staff to connect their iPads using their domain credentials.

jakob_di - thanks for your advice, but that is no longer the case with today's technology. I can have a unique PSK for each user, which is bound to one device (the first device they enter it on) using Aerohive. However, I don't want to do this as it's troublesome to keep generating PSKs if they change their device or want an additional device connected.
Another reason is we are initiating a student BYOD program where students bring their own iPads in. We have over 2k students, and multiple leaving/joining throughout the year. I don't want to have to generate so many PSKs and keep updating/deleting them. Also, I am not worried about the domain side. I am already using machine auth only for that. What I need to do is restrict how many non-domain mobile devices are connecting, per user, to the iPad SSID.

craigbeck - thanks for your advice. The policies are already locked down on the domain PC side. Only machines joined to the domain and in a particular group (machine-auth) can connect to 'Prod'. However, I am wanting to know about options for the 'iPad' SSID side, where users are connecting to the 'iPad' SSID using domain credentials with non domain devices (iPads).
Your suggestion of using certificates makes sense - could you advise on the details for this? How are the certs generated? How would I get them onto the iPads?

Also, sorry if I forgot to mention this, we currently have policies where each year group of students goes onto a different VLAN. The same for staff - staff members connecting iPads are placed onto a staff VLAN. Since there is not really any way of controlling the device name or group with BYOD iPads, we have to rely on user credentials to determine who the user is and what VLAN they should be placed onto. Would certificates still enable us to do this?

Thanks again
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 1500 total points
ID: 39176715
OK --- just to make this clear; you need to restrict iOS devices connecting - everything else is working okay?

If you want to deploy certs to iOS devices, you need Network Device Enrollment Service using Cisco Simple Enrollment Protocol.
You have some information here: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

Aerohive might have some documents on this. I have an integration guide for Cisco ISE and Aruba Clearpass using this ... but they're quite product specific.

I've only done this once; but maybe @CraigBeck has some more to add; I think he's done this in more deployments than me ...

Author Comment

ID: 39176815
Yes, everything is working fine, except currently teachers and students are connecting their phones (and Android tablets etc.) to the iPad SSID. We only want them to connect 1x iPad to that SSID. For all other personal devices they should fill out an application and we give them a unique device-bound PSK. Domain machines are not an issue since they connect via machine auth to the Prod SSID (the wireless profile for that is pushed out by Group Policy).

Regarding getting the certs onto the devices, I will have a read of those resources you linked, thanks. Although I was really hoping for some kind of concurrent device limit policy within NPS but maybe that's asking too much.
LVL 22

Accepted Solution

Jakob Digranes earned 1500 total points
ID: 39176822
Yes --- there's, at least for now, no device restriction natively in NPS ---

Author Closing Comment

ID: 39183874
Thanks for the responses. Seems like there is no way to do what I want natively in NPS.
Using certs for the iPads was suggested as an alternative method, and jakob_di posted some useful links on how to achieve that.
