

Wireless network and blocking smart-devices

Posted on 2013-06-11
Medium Priority
Last Modified: 2013-07-05

We have a few wireless networks and one is for our work laptops to connect wirelessly to the network/domain.

The authentication for the corporate network is set up so that only laptops that are members of the domain, and users with accounts on the domain, can connect. We tested with laptops that aren't on the domain and this works, i.e. they can't connect. We've now just discovered that smartphones and tablets can connect if, when prompted, they input a valid domain username and password.

We had this all set up for us and, as I understand it, the authentication is done via a 2008 R2 server running RADIUS from the NPS role. Or is the authentication/security set on the HP wireless controller (the model is E-MSM720)?

I know it's not much info, but does anyone know how we block smart-devices, so they're blocked like laptops (not on our domain) from connecting to our domain via wireless?

Question by: kswan_expert

Author Comment

ID: 39240057
I think I may have worked this out: under "Network Policies" on the RADIUS server, the "Conditions" for "Windows Groups" list a user group. I'm going to change this to "Domain Computers" only and remove all other groups. This still doesn't explain, though, why smart-devices can attach and non-domain laptops cannot?

Any ideas?
LVL 22

Expert Comment

by: Jakob Digranes
ID: 39240793
Your NPS is set up to allow members of Domain Computers OR Domain Users.
So a smartphone with user credentials will be authenticated using Domain Users credentials.
In fact you could also connect a non-domain-joined PC using user credentials as well, if you set it up properly.

If you remove Domain Users, then you will not have domain users authenticated, only their PCs...

I use Aruba Wireless, where you can create roles, so an authenticated machine only gives you access to domain controllers to authenticate, and you need both machine authentication AND user authentication to be able to get full access. User authentication only gives you access to the guest network. But these are Aruba-specific settings...

You could however move over to EAP-TLS and use certificates, but that might be a bit cumbersome.
LVL 39

Expert Comment

by: Aaron Tomosky
ID: 39240794
Non-domain Windows laptops won't be able to without the right cert. If I'm right, try an OS X laptop and it should connect.

LVL 22

Expert Comment

by: Jakob Digranes
ID: 39240801
Based on what you write, you use PEAP-MSCHAP authentication (no certs, only username and password), so non-domain PCs would connect if set up manually and correctly, and, as aarontomosky says, an OS X would connect automatically :-)
EAP-TLS is what you need.
LVL 47

Expert Comment

by: Craig Beck
ID: 39240843
jakob_di is on the money!

Author Comment

ID: 39252197
Thanks for the replies guys, and you're right, we could connect a laptop with some tweaking.

I tried changing to Domain Computers only (removing Domain Users) and this stopped all access. I had to add back the 2 initial groups.

What's the easiest way to restrict this to domain PCs only? I did think what I tried would work.

LVL 22

Expert Comment

by: Jakob Digranes
ID: 39252416
If you change to Domain Computers, but client PCs are set up to use user authentication, then this will fail. You need to create a wireless profile on the Windows PCs that matches the policy, i.e. using machine authentication.

The next best thing would be certificates, but then you need a working PKI infrastructure and to enroll certificates to ALL devices needing access.

Author Comment

ID: 39258372
Thanks Jakob, that makes sense.

Can you humour me please.

On a Win7 PC I've had a look at the wireless profile on the laptop and on the "Connection" tab it has

Name: banana
SSID: banana
Network Type: Access Point
Network Availability: All users

and "Connect automatically when this network is in range" is ticked.

When I go to the "Security" tab and select "Advanced Settings", under "Specify authentication mode" the option "User or Computer Authentication" is selected.

Surely when I set RADIUS so that in "Windows Groups" for Network Policies the only entry was "Domain Computers", this should have worked? It didn't, we couldn't connect.

Also, when do I use "Machine Groups" vs "Windows Groups"?

Cheers for your assistance, appreciate it.
LVL 22

Accepted Solution

Jakob Digranes earned 2000 total points
ID: 39258545
If you deploy machine AND user re-authentication, use machine and user groups.
If you deploy machine authentication only, use machine groups.
If you deploy user authentication only, use user groups.

You can however use Windows Groups for all as well. The client sets this.

If you set the client to computer authentication, then you "force" it to only authenticate as HOST;
otherwise you'd have to rely on Windows to figure this out, and surely Win 7 isn't always that smart.
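As an added example (not part of the thread, and not Microsoft tooling): a small Python check over NPS "granted access" (Event ID 6272) records that lists client MACs which only ever authenticated with a user identity and never as a machine, which is the pattern the thread describes for phones and manually configured non-domain laptops. The event text, identities, MACs and policy name are constructed; a real event carries more fields, and the MAC is only a heuristic, since a Calling-Station-Id is whatever the client reports.

```python
import re
from collections import defaultdict
# Constructed NPS "granted access" (Event ID 6272) records, reduced to the
# fields this check reads; identities and MAC addresses are made up.
SAMPLE_EVENTS = """\
Account Name: host/LAPTOP01.corp.example
Calling Station Identifier: 00-11-22-AA-BB-01
Network Policy Name: Corp-Wireless
---
Account Name: CORP\\jsmith
Calling Station Identifier: 00-11-22-AA-BB-01
Network Policy Name: Corp-Wireless
---
Account Name: CORP\\jsmith
Calling Station Identifier: 4C-3C-16-CC-DD-02
Network Policy Name: Corp-Wireless
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.+?)\s*$", re.MULTILINE)

def parse_events(text):
    """Split the reduced event text into one {field: value} dict per record."""
    records = []
    for chunk in text.split("---"):
        fields = dict(FIELD_RE.findall(chunk))
        if fields:
            records.append(fields)
    return records

def is_machine_auth(account_name):
    # PEAP computer authentication presents the identity as host/<fqdn>;
    # user authentication presents DOMAIN\user or user@domain.
    return account_name.lower().startswith("host/")

def user_only_devices(text, policy="Corp-Wireless"):
    """MACs that hit the policy with a user identity but never a machine
    identity: a domain PC normally does both (machine at boot, user at
    logon); a phone or tablet can only ever supply user credentials."""
    did_machine, users_by_mac = set(), defaultdict(set)
    for rec in parse_events(text):
        if rec.get("Network Policy Name") != policy:
            continue
        mac, name = rec["Calling Station Identifier"], rec["Account Name"]
        if is_machine_auth(name):
            did_machine.add(mac)
        else:
            users_by_mac[mac].add(name)
    return sorted((mac, sorted(u)) for mac, u in users_by_mac.items()
                  if mac not in did_machine)
```

On the sample, the laptop MAC is cleared because it authenticated as host/LAPTOP01 before the user logon, while the second MAC is reported as user-only.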
