Restrict NPS users to one device

Posted on 2013-05-16
Last Modified: 2013-05-21
I have NPS/RADIUS set up with Aerohive APs.

There are three SSIDs, Prod, iPad and Guest. There is a wireless profile pushed out by group policy which allows domain computers to connect to the Prod SSID. Staff connect their company provided iPads to the iPad SSID using domain credentials and are placed on a specific VLAN (same VLAN as their domain laptops) using Radius policies.

For BYOD such as phones and personal tablets etc, they are supposed to use the Guest SSID which has a unique PSK given to each user.

However, due to users being users, some don't connect to the Guest SSID and instead log onto the iPad SSID, because at the moment Windows and even Aerohive can't distinguish between iPads and phones (I don't want to go into this).

My question: How do I restrict the number of devices/connections per user on the iPad network for staff? They should only have one iPad each, and should only be connecting their one iPad to the iPad network. If I limit their connections to 1, they will not be able to connect using phones etc and will thus be forced to use the proper Guest network.

I haven't had much luck Googling this, hoping an NPS expert will have some idea.

Question by: Gostega
LVL 12

Expert Comment

by: Henk van Achterberg
ID: 39175503
I suggest you start using PPSK instead of RADIUS with Aerohive so you can bind PSKs to devices.
LVL 21

Expert Comment

by: Jakob Digranes
ID: 39175628
PSK is NOT the way to go for corporate users. PSKs leak, can be hacked using social engineering.

If you intend to stick with NPS as authentication server, you have only the option of moving to PEAP-TLS/EAP-TLS and authenticate using certificates rather than PEAP-MsChapV2 as you have now.

But then you have to enroll certificates. BUT - this is not that big of an issue, and there are plenty of blogs explaining this.
As a last resort, not recommended - is to use machine authentication only - then domain-joined computers use their usernames and passwords in the domain to log on - but then you haven't got the user visibility and two-factor authentication as you might have with machine and user.

Or - you can look into 3rd party AAA solutions, like Aruba Clearpass - but be warned, they could end up being pricey :-)
LVL 46

Expert Comment

by: Craig Beck
ID: 39175773
You should be very specific in your policies to enforce certain restrictions on how users can connect and what they can connect to where.

As Jakob said, you need to investigate the possibility of authenticating the iPads via X.509 certificate. This will mean you can lock down access to the SSID to allow only EAP-TLS logins.

If you decide to lock down the policies you should consider including the Called-Station-ID RADIUS attribute to specify the SSID that the connection comes from, and also the authentication method. This way you can create a policy which says that if a user connects to 'Prod' they must be presenting a certificate via EAP-TLS and the machine group must be 'Domain Computers', for example.

You could also do this for other SSIDs and protocols, based on many different criteria.

Author Comment

ID: 39176576
Thanks to everyone who responded
henkva - I can already bind PSKs to devices if I so wish. However, I want to allow staff to connect their iPads using their domain credentials.

jakob_di - thanks for your advice, but that is no longer the case with today's technology. I can have a unique PSK for each user, which is bound to one device (the first device they enter it on) using Aerohive. However, I don't want to do this as it's troublesome to keep generating PSKs if they change their device or want an additional device connected.
Another reason is we are initiating a student BYOD program where students bring their own iPads in. We have over 2k students, and multiple leaving/joining throughout the year. I don't want to have to generate so many PSKs and keep updating/deleting them. Also, I am not worried about the domain side. I am already using machine auth only for that. What I need to do is restrict how many non-domain mobile devices are connecting, per user, to the iPad SSID.

craigbeck - thanks for your advice. The policies are already locked down on the domain PC side. Only machines joined to the domain and in a particular group (machine-auth) can connect to 'Prod'. However, I am wanting to know about options for the 'iPad' SSID side, where users are connecting to the 'iPad' SSID using domain credentials with non domain devices (iPads).
Your suggestion of using certificates makes sense - could you advise on the details for this? How are the certs generated? How would I get them onto the iPads?

Also, sorry if I forgot to mention this, we currently have policies where each year group of students goes onto a different VLAN. The same for staff - staff members connecting iPads are placed onto a staff VLAN. Since there is not really any way of controlling the device name or group with BYOD iPads, we have to rely on user credentials to determine who the user is and what VLAN they should be placed onto. Would certificates still enable us to do this?

Thanks again
LVL 21

Assisted Solution

by: Jakob Digranes
Jakob Digranes earned 500 total points
ID: 39176715
OK --- just to make this clear; you need to restrict iOS devices connecting - everything else is working okay?

If you want to deploy certs to iOS devices, you need Network Device Enrollment Service using Cisco Simple Enrollment Protocol.
You have some information here:

AeroHive might have some documents on this. I have an integration guide for Cisco ISE and Aruba Clearpass using this ... But they're quite product specific.

I've only done this once; but maybe @CraigBeck has some more to add; I think he's done this in more deployments than me ...

Author Comment

ID: 39176815
Yes, everything is working fine, except currently teachers and students are connecting their phones (and Android tablets etc.) to the iPad SSID. We only want them to connect one iPad to that SSID. For all other personal devices they should fill out an application and we give them a unique device-bound PSK. Domain machines are not an issue since they connect via machine auth to the Prod SSID (the wireless profile for that is pushed out by Group Policy).

Regarding getting the certs onto the devices, I will have a read of those resources you linked, thanks. Although I was really hoping for some kind of concurrent device limit policy within NPS but maybe that's asking too much.
LVL 21

Accepted Solution

Jakob Digranes earned 500 total points
ID: 39176822
Yes --- there is, at least for now, no device restriction natively in NPS ---

Author Closing Comment

ID: 39183874
Thanks for the responses. Seems like there is no way to do what I want natively in NPS.
Using certs for the iPads was suggested as an alternative method, and jakob_di posted some useful links on how to achieve that.
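Two points in the thread lend themselves to a worked example: Craig Beck's advice to key NPS policies on the Called-Station-ID attribute (which carries the SSID), and Jakob Digranes' answer that NPS has no native per-user device limit. The script below is an added example, not code from the thread, Microsoft or Aerohive. It shows how the Called-Station-ID value is split into BSSID and SSID and checked against the kind of pattern an NPS condition would use, and then, since NPS cannot enforce the one-iPad rule, how to detect violators after the fact by counting distinct client MACs (Calling-Station-Id) per user on the iPad SSID from NPS accounting records. The records are constructed samples shaped like NPS's DTS-compliant XML log; the user names, MAC addresses and the "BSSID:SSID" convention for Called-Station-Id are assumptions (many APs send it this way, but check your own log).

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample accounting records (one <Event> per line) in the shape of
# NPS's DTS-compliant XML log. Names and MACs are made up for illustration.
SAMPLE_LOG = """
<Event><User-Name data_type="1">alice@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-01</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-01:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">alice@school.example</User-Name><Calling-Station-Id data_type="1">00:11:22:33:44:02</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-01:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">bob@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-03</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-02:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">bob@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-04</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-02:Guest</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">carol@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-05</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-03</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">alice@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-09</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-01:iPad</Called-Station-Id><Acct-Status-Type data_type="0">2</Acct-Status-Type></Event>
<Event><User-Name data_type="1">bob@school.example</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-03</Calling-Station-Id><Called-Station-Id data_type="1">AA-BB-CC-DD-EE-02:iPad</Called-Station-Id><Acct-Status-Type data_type="0">3</Acct-Status-Type></Event>
"""

# RADIUS Acct-Status-Type values (RFC 2866).
ACCT_START, ACCT_STOP, ACCT_INTERIM = "1", "2", "3"

# Assumed AP convention: "<BSSID>:<SSID>", BSSID in hyphen or colon notation.
CALLED_RE = re.compile(r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(?P<ssid>.+))?$")


def split_called_station_id(value):
    """Return (bssid, ssid); ssid is None when the AP sent only the BSSID."""
    m = CALLED_RE.match(value.strip())
    if not m:
        return None, None
    return m.group("mac"), m.group("ssid")


def nps_ssid_pattern(ssid):
    """Regex of the kind used in an NPS Called-Station-ID condition for one SSID."""
    return r".*:" + re.escape(ssid) + r"$"


def matches_ssid(called_station_id, ssid):
    """True when the attribute ends in ':<ssid>' exactly (no prefix matches)."""
    return re.fullmatch(nps_ssid_pattern(ssid), called_station_id.strip()) is not None


def normalise_mac(value):
    """Canonical AA-BB-CC-DD-EE-FF form so colon and hyphen notations compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_events(log_text):
    """Parse one <Event> element per line into a dict of attribute name -> text."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def devices_per_user(events, ssid):
    """Map user -> set of client MACs that authenticated as that user on the SSID.

    Only Start and Interim-Update records count: a lone Stop may belong to a
    session that began before the log window, so it is not used as evidence.
    """
    seen = defaultdict(set)
    for rec in events:
        if rec.get("Acct-Status-Type") not in (ACCT_START, ACCT_INTERIM):
            continue
        if not matches_ssid(rec.get("Called-Station-Id", ""), ssid):
            continue
        user = rec.get("User-Name")
        mac = normalise_mac(rec.get("Calling-Station-Id", ""))
        if user and mac:
            seen[user].add(mac)
    return seen


def over_limit(events, ssid, limit=1):
    """Users who used more than `limit` distinct devices on the SSID, with their MACs."""
    return {user: sorted(macs)
            for user, macs in devices_per_user(events, ssid).items()
            if len(macs) > limit}


if __name__ == "__main__":
    for user, macs in over_limit(parse_events(SAMPLE_LOG), "iPad").items():
        print(f"{user}: {len(macs)} devices on the iPad SSID: {', '.join(macs)}")
```

Run against a real export of the NPS accounting log, the report gives the list of users to contact about moving their second device to the Guest SSID; it is a detection, not an enforcement, which is exactly the gap the accepted answer describes.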
