kswan_expert
asked on
Wireless network and blocking smart-devices
Hi,
We have a few wireless networks and one is for our work laptops to connect wirelessly to the network/domain.
The authentication for the corporate network is set up so that only laptops that are members of the domain, and users with accounts on the domain, can connect. We tested with laptops that aren't on the domain and this works, i.e. they can't connect. We've now just discovered that smartphones and tablets can connect if, when prompted, they input a valid domain username and password.
We had this all set up for us and, as I understand it, the authentication is done via a 2008 R2 server running RADIUS from the NPS role. Or is the authentication/security set on the HP wireless controller (the model is E-MSM720)?
I know it's not much info but does anyone know how we block smart-devices, so they're blocked like laptops (not on our domain) from connecting to our domain via wireless.
Thanks
Your NPS is set up to allow members of Domain Computers OR Domain Users.
So a smartphone with user credentials will be authenticated using Domain Users credentials.
In fact you could also connect a non-domain-joined PC using user credentials as well - if you set it up properly.
If you remove Domain Users - then you will not have domain users authenticated, only their PCs...
I use Aruba Wireless where you can create roles, so an authenticated machine only gives you access to domain controllers to authenticate, and you need both machine authentication AND user authentication to be able to get full access. User authentication only gives you access to the guest network. But this is Aruba-specific settings ...
You could however move over to EAP-TLS and use certificates, but that might be a bit cumbersome.
Non-domain Windows laptops won't be able to without the right cert. If I'm right, try an OS X laptop and it should connect.
Based on what you write, you use PEAP-MSCHAP authentication (no certs, only username and password) - so non-domain PCs would connect if set up manually and correctly --- and - as aarontomosky says - an OS X box would connect automatically :-) ----
EAP-TLS is what you need
jakob_di is on the money!
ASKER
Thanks for replies guys and you're right we could connect a laptop with some tweaking.
I tried changing to Domain Computers only (removing Domain Users) and this stopped all access. I had to add back the 2 initial groups.
What's the easiest way to restrict this to domain PCs only? I did think what I tried would work.
Cheers
If you change to Domain Computers, but client PCs are set up to use user authentication - then this would fail. You need to create a wireless profile on the Windows PC that matches the policy; i.e. using machine authentication.
The next best thing would be certificates - but then you need a working PKI-infrastructure and enroll certificates to ALL devices needing access
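One way to make the client side match a Domain Computers-only NPS policy, as an added example that is not from this thread or from HP/Microsoft documentation: export the existing Windows wireless profile, switch the 802.1X `<authMode>` from the default `machineOrUser` ("User or Computer Authentication" in the GUI) to `machine`, and re-import it. It assumes the SSID is `banana` as in the question and a staging folder `C:\Temp\wlan`; `netsh wlan` and the OneX profile namespace are real, the folder and SSID are placeholders.

```powershell
# Added example: force computer-only 802.1X authentication on a Windows
# wireless profile so that only the domain computer account is presented
# to NPS. Run from an elevated PowerShell prompt on the domain-joined PC.
$ssid   = 'banana'          # SSID from the question (placeholder)
$folder = 'C:\Temp\wlan'    # staging folder (assumption)
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Export the current profile. netsh names the file
#    "<interface name>-<profile name>.xml", so locate it by suffix.
netsh wlan export profile name="$ssid" folder="$folder"
$file = Get-ChildItem -Path $folder -Filter "*-$ssid.xml" | Select-Object -First 1
if (-not $file) { throw "Profile '$ssid' was not exported" }

# 2. Set <authMode> inside <OneX> to "machine".
#    Values: machineOrUser (default), machine, user, guest.
[xml]$xml = Get-Content -Path $file.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
$oneX = $xml.SelectSingleNode('//onex:OneX', $ns)
if (-not $oneX) { throw "Profile '$ssid' does not use 802.1X (no OneX element)" }
$auth = $oneX.SelectSingleNode('onex:authMode', $ns)
if (-not $auth) {
    # authMode is optional in the schema; create it ahead of EAPConfig
    $auth = $xml.CreateElement('authMode', $oneX.NamespaceURI)
    $eap  = $oneX.SelectSingleNode('onex:EAPConfig', $ns)
    $oneX.InsertBefore($auth, $eap) | Out-Null
}
$auth.InnerText = 'machine'
$xml.Save($file.FullName)

# 3. Re-import for all users of the PC and show the result.
netsh wlan add profile filename="$($file.FullName)" user=all
netsh wlan show profile name="$ssid"
```

With the profile set to machine authentication, the NPS network policy can keep Domain Computers as its only group condition and a phone or tablet supplying a user password no longer matches it; note the PC will then authenticate with its computer account only, so per-user VLAN or role assignment on the controller is lost unless a second policy is added for user authentication.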
ASKER
Thanks Jakob, that makes sense.
Can you humour me please.
On a Win7 PC I've had a look at the Wireless profile on the laptop and on the "Connection" tab it has
Name: banana
SSID: banana
Network Type Access Point
Network Availability All users
and "Connect automatically when this network is in range" is ticked.
When I go to the "Security" tab and select "Advanced Settings", under "Specify authentication mode" the option "User or Computer Authentication" is selected.
Surely when I set RADIUS so that in "Windows Groups" for Network Policies the only entry was "Domain Computers", this should have worked?? It didn't, we couldn't connect.
Also when do I use “Machine Groups” vs “Windows Groups” ??
Cheers for your assistance, appreciate it.
ASKER
Any ideas?