Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Restrict NPS users to one device

Posted on 2013-05-16
Last Modified: 2013-05-21
I have NPS/RADIUS set up with Aerohive APs.

There are three SSIDs, Prod, iPad and Guest. There is a wireless profile pushed out by group policy which allows domain computers to connect to the Prod SSID. Staff connect their company provided iPads to the iPad SSID using domain credentials and are placed on a specific VLAN (same VLAN as their domain laptops) using Radius policies.

For BYOD such as phones and personal tablets etc, they are supposed to use the Guest SSID which has a unique PSK given to each user.

However, due users being users, some dont connect to the Guest SSID and instead log onto the iPad SSID because at the moment Windows and even Aerohive at the moment can't distinguish between iPads and Phones (I don't want to go into this).

My question: How do I restrict the number of devices/connections per user on the iPad network for staff? They should only have one iPad each, and should only be connecting their one iPad to the iPad network. If I limit their connections to 1, they will not be able to connect using phones etc and will thus be forced to use the proper Guest network.

I haven't had much luck Googling this, hoping an NPS expert will have some idea.

Question by:Gostega
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39175503
I suggest you start using PPSK instead of Radius with Aerohive so you can bind PSK's to devices.
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39175628
PSK is NOT the way to go for corporate users. PSKs leak, can be hacked using social engineering.

If you intend to stick with NPS as authentication server, you have only the option of moving to PEAP-TLS/EAP-TLS and authenticate using certificates rather than PEAP-MsChapV2 as you have now.

But then you have to enroll certificates. BUT - this is no big of an issue, and there's plenty of blogs explaining this.
As a last resort, not recommended - is to use Machine authentication only - then domain joined computers use their usernames and passwords in domain to log on - but then you haven't got the users visibility and 2factor authentication as you might have with machine and user

Or - you can look into 3rd party AAA solutions, like Aruba Clearpass - but be warned, they could end up being pricey :-)
LVL 45

Expert Comment

by:Craig Beck
ID: 39175773
You should be very specific in your policies to enforce certain restrictions on how users can connect and what they can connect to where.

As jakob said, you need to investigate the possibility of authenticating the iPads via X.509 certificate.  This will mean you can lock down access to the SSID to allow only EAP-TLS logins.

If you decide to lock down the policies you should consider including the Called-Station-ID RADIUS attribute to specify the SSID that the connection comes from, and also the authentication method.  This way you can create a policy which says if a user connects to 'Prod' they must be presenting a certificate via EAP-TLS and the machine group must be 'Domain Computers', for example.

You could also do this for other SSIDs and protocols, based on many different criteria.
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud


Author Comment

ID: 39176576
Thanks to everyone who responded
henkva - I can already bind PSKs to devices if I so wish. However, I want to allow staff to connect their iPads using their domain credentials.

jakob_di - thanks for your advice, but that is no longer the case with today's technology. I can have a unique PSK for each user, which is bound to one device (the first device they enter it on) using Aerohive. However, I don't want to do this as it's troublesome to keep generating PSKs if they change their device or want an additional device connected.
Another reason is we are initiating a student BYOD program where students bring their own iPads in. We have over 2k students, and multiple leaving/joining throughout the year. I don't want to have to generate so many PSKs and keep updating/deleting them. Also, I am not worried about the domain side. I am already using machine auth only for that. What I need to do is restrict how many non-domain mobile devices are connecting, per user, to the iPad SSID.

craigbeck - thanks for your advice. The policies are already locked down on the domain PC side. Only machines joined to the domain and in a particular group (machine-auth) can connect to 'Prod'. However, I am wanting to know about options for the 'iPad' SSID side, where users are connecting to the 'iPad' SSID using domain credentials with non domain devices (iPads).
Your suggestion of using certificates makes sense - could you advise on the details for this? How are the certs generated? How would I get them onto the iPads?

Also, sorry if I forgot to mention this, we currently have policies where each year group of students goes onto a different VLAN. The same for staff - staff members connecting iPads are placed onto a staff VLAN. Since there is not really any way of controlling the device name or group with BYOD iPads, we have to rely on user credentials to determine who the user is and what VLAN they should be placed onto. Would certificates still enable us to do this?

Thanks again
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 500 total points
ID: 39176715
OK --- just to make this clear; you need to restrict iOS devices connecting - everything else is working okay?

If you want to deploy certs to iOS devices, you need Network Device Enrollment Service using Cisco Simple Enrollment Protocol.
YOu have some information here: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

AeroHive might have some documents on this. I have an integration guide for Cisco ISE and Aruba Clearpass using this ... But they're quite product specific.

I've only done this once; but maybe @CraigBeck have som more to add; i think he's done this in more deployments than me ...

Author Comment

ID: 39176815
Yes, everything is working fine, except currently teachers and students are connecting their phones (and Android tablets etc) to the iPad SSID. We only want them to connect 1x iPad to to that SSID. All other personal devices they should fill out an application and we give them a unique device bound PSK. Domain machines are not an issue since they connect via machine auth to the Prod SSID (wireless profile for that is pushed out by Group Policy)

Regarding getting the certs onto the devices, I will have a read of those resources you linked, thanks. Although I was really hoping for some kind of concurrent device limit policy within NPS but maybe that's asking too much.
LVL 21

Accepted Solution

Jakob Digranes earned 500 total points
ID: 39176822
Yes --- there's, at least for now, no device restriction natively in NPS  ---

Author Closing Comment

ID: 39183874
Thanks for the responses. Seems like there is no way to do what I want natively in NPS.
Using certs for the iPads was suggested as an alternative method, and jakob_di posted some useful links on how to achieve that.

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Working settings for French ISP Orange "Prêt à Surfer" SIM cards for data connections only. Can't be found anywhere else !
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question