Restrict NPS users to one device

I have NPS/RADIUS set up with Aerohive APs.

There are three SSIDs, Prod, iPad and Guest. There is a wireless profile pushed out by group policy which allows domain computers to connect to the Prod SSID. Staff connect their company provided iPads to the iPad SSID using domain credentials and are placed on a specific VLAN (same VLAN as their domain laptops) using Radius policies.

For BYOD such as phones and personal tablets etc, they are supposed to use the Guest SSID which has a unique PSK given to each user.

However, due to users being users, some don't connect to the Guest SSID and instead log onto the iPad SSID, because at the moment Windows and even Aerohive can't distinguish between iPads and phones (I don't want to go into this).

My question: How do I restrict the number of devices/connections per user on the iPad network for staff? They should only have one iPad each, and should only be connecting their one iPad to the iPad network. If I limit their connections to 1, they will not be able to connect using phones etc and will thus be forced to use the proper Guest network.

I haven't had much luck Googling this, hoping an NPS expert will have some idea.

Jakob Digranes (Senior Consultant) commented:
Yes --- there's, at least for now, no device restriction natively in NPS.

Henk van Achterberg (Sr. Technical Consultant) commented:
I suggest you start using PPSK instead of RADIUS with Aerohive so you can bind PSKs to devices.

Jakob Digranes (Senior Consultant) commented:
PSK is NOT the way to go for corporate users. PSKs leak, can be hacked using social engineering.

If you intend to stick with NPS as the authentication server, your only option is to move to PEAP-TLS/EAP-TLS and authenticate using certificates rather than PEAP-MSCHAPv2 as you do now.

But then you have to enroll certificates. BUT - this is not that big of an issue, and there are plenty of blogs explaining this.
As a last resort, not recommended, is to use machine authentication only - then domain-joined computers use their usernames and passwords in the domain to log on - but then you haven't got the user visibility and 2-factor authentication that you might have with machine and user.

Or - you can look into 3rd party AAA solutions, like Aruba Clearpass - but be warned, they could end up being pricey :-)

Craig Beck commented:
You should be very specific in your policies to enforce certain restrictions on how users can connect and what they can connect to where.

As jakob said, you need to investigate the possibility of authenticating the iPads via X.509 certificate.  This will mean you can lock down access to the SSID to allow only EAP-TLS logins.

If you decide to lock down the policies you should consider including the Called-Station-ID RADIUS attribute to specify the SSID that the connection comes from, and also the authentication method.  This way you can create a policy which says if a user connects to 'Prod' they must be presenting a certificate via EAP-TLS and the machine group must be 'Domain Computers', for example.

You could also do this for other SSIDs and protocols, based on many different criteria.

Gostega (Author) commented:
Thanks to everyone who responded
henkva - I can already bind PSKs to devices if I so wish. However, I want to allow staff to connect their iPads using their domain credentials.

jakob_di - thanks for your advice, but that is no longer the case with today's technology. I can have a unique PSK for each user, which is bound to one device (the first device they enter it on) using Aerohive. However, I don't want to do this as it's troublesome to keep generating PSKs if they change their device or want an additional device connected.
Another reason is we are initiating a student BYOD program where students bring their own iPads in. We have over 2k students, and multiple leaving/joining throughout the year. I don't want to have to generate so many PSKs and keep updating/deleting them. Also, I am not worried about the domain side. I am already using machine auth only for that. What I need to do is restrict how many non-domain mobile devices are connecting, per user, to the iPad SSID.

craigbeck - thanks for your advice. The policies are already locked down on the domain PC side. Only machines joined to the domain and in a particular group (machine-auth) can connect to 'Prod'. However, I am wanting to know about options for the 'iPad' SSID side, where users are connecting to the 'iPad' SSID using domain credentials with non-domain devices (iPads).
Your suggestion of using certificates makes sense - could you advise on the details for this? How are the certs generated? How would I get them onto the iPads?

Also, sorry if I forgot to mention this, we currently have policies where each year group of students goes onto a different VLAN. The same for staff - staff members connecting iPads are placed onto a staff VLAN. Since there is not really any way of controlling the device name or group with BYOD iPads, we have to rely on user credentials to determine who the user is and what VLAN they should be placed onto. Would certificates still enable us to do this?

Thanks again

Jakob Digranes (Senior Consultant) commented:
OK --- just to make this clear; you need to restrict iOS devices connecting - everything else is working okay?

If you want to deploy certs to iOS devices, you need Network Device Enrollment Service using Cisco Simple Enrollment Protocol.
You have some information here:

AeroHive might have some documents on this. I have an integration guide for Cisco ISE and Aruba Clearpass using this ... But they're quite product specific.

I've only done this once; but maybe @CraigBeck has some more to add; I think he's done this in more deployments than me ...

Gostega (Author) commented:
Yes, everything is working fine, except currently teachers and students are connecting their phones (and Android tablets etc.) to the iPad SSID. We only want them to connect one iPad to that SSID. For all other personal devices they should fill out an application and we give them a unique device-bound PSK. Domain machines are not an issue since they connect via machine auth to the Prod SSID (the wireless profile for that is pushed out by Group Policy).

Regarding getting the certs onto the devices, I will have a read of those resources you linked, thanks. Although I was really hoping for some kind of concurrent device limit policy within NPS but maybe that's asking too much.

Gostega (Author) commented:
Thanks for the responses. Seems like there is no way to do what I want natively in NPS.
Using certs for the iPads was suggested as an alternative method, and jakob_di posted some useful links on how to achieve that.
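Since NPS has no native per-user device limit, the next best thing is to see who is breaking the one-iPad rule from the RADIUS accounting data, filtering on the SSID the same way a Called-Station-Id policy condition would. The script below is an added example, not code from this thread or from Microsoft or Aerohive; it assumes NPS accounting is logged in the DTS-compliant XML format (one `<Event>` per line), that Aerohive sends Called-Station-Id as `<AP-MAC>:<SSID>`, and it uses constructed sample records.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of NPS accounting events in the DTS-compliant XML log
# format (one <Event> per line); only the attributes this check needs are kept.
# Assumption: the AP reports Called-Station-Id as "<AP-MAC>:<SSID>".
SAMPLE_LOG = """\
<Event><User-Name data_type="1">jsmith</User-Name><Calling-Station-Id data_type="1">AA-11-22-33-44-55</Calling-Station-Id><Called-Station-Id data_type="1">00-AA-BB-CC-DD-01:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">jsmith</User-Name><Calling-Station-Id data_type="1">BB-66-77-88-99-00</Calling-Station-Id><Called-Station-Id data_type="1">00-AA-BB-CC-DD-02:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">jsmith</User-Name><Calling-Station-Id data_type="1">AA-11-22-33-44-55</Calling-Station-Id><Called-Station-Id data_type="1">00-AA-BB-CC-DD-02:iPad</Called-Station-Id><Acct-Status-Type data_type="0">2</Acct-Status-Type></Event>
<Event><User-Name data_type="1">mjones</User-Name><Calling-Station-Id data_type="1">CC-12-34-56-78-90</Calling-Station-Id><Called-Station-Id data_type="1">00-AA-BB-CC-DD-01:iPad</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><User-Name data_type="1">mjones</User-Name><Calling-Station-Id data_type="1">DD-12-34-56-78-90</Calling-Station-Id><Called-Station-Id data_type="1">00-AA-BB-CC-DD-01:Prod</Called-Station-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
"""

ACCT_START = "1"  # Acct-Status-Type value for an accounting Start record


def devices_per_user(log_text, ssid_pattern=r":iPad$"):
    """Map each user to the set of client MACs (Calling-Station-Id) that
    started a session on an SSID whose Called-Station-Id matches ssid_pattern.
    The pattern is a regex, the same style NPS accepts in a policy condition."""
    devices = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = ET.fromstring(line)
        if ev.findtext("Acct-Status-Type") != ACCT_START:
            continue  # Stop/Interim records would only repeat a known device
        if re.search(ssid_pattern, ev.findtext("Called-Station-Id", "")) is None:
            continue  # different SSID, e.g. Prod or Guest
        user = ev.findtext("User-Name", "").lower()
        mac = ev.findtext("Calling-Station-Id", "").upper()
        devices[user].add(mac)
    return devices


def over_limit(log_text, limit=1, ssid_pattern=r":iPad$"):
    """Users who have brought more than `limit` distinct devices onto the SSID."""
    per_user = devices_per_user(log_text, ssid_pattern)
    return {u: sorted(m) for u, m in per_user.items() if len(m) > limit}


if __name__ == "__main__":
    for user, macs in over_limit(SAMPLE_LOG).items():
        print(f"{user}: {len(macs)} devices on iPad SSID -> {', '.join(macs)}")
```

On a real server, read the contents of the NPS log file from `C:\Windows\System32\LogFiles` (or your SQL accounting store) in place of `SAMPLE_LOG`; the users it reports are the ones to move onto the Guest SSID.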