Solved

Wireless 802.1x Restrict Access

Posted on 2014-02-14
16
898 Views
Last Modified: 2014-02-15
I have a domain network using Windows 2012 R2 as the domain controller. It has NPS set up and I have 802.1x policies configured. I have a WAP that has multiple SSIDs and security profiles available. Currently I have PSK and RADIUS SSIDs working.

I have devices that can use RADIUS authentication (laptops and smartphones) and devices that are limited to PSK.

I would like the devices that are capable of using RADIUS authentication to use it and not be able to connect to the PSK. I wish I could rely on the security of not sharing the PSK but it's not a perfect world and I need some additional measures.
0
Comment
Question by:mike1142
16 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39860940
Unfortunately there is no standardized way for a server OS to query a connecting client on whether it supports WPA-enterprise. That is what would be required to only allow WPA-PSK on a conditional basis. I don't think you can accomplish what you are trying to do.
0
 
LVL 3

Expert Comment

by:ola_erik
ID: 39861498
There is always the convenience of using MAC filtering.

There is no "anti-hacking" security in that; if you are more concerned about user behaviour, e.g. sharing passwords, it could be worth looking into.

If you have a limited number of devices and don't have a fluid device-user situation, I'd consider it.
0
 

Author Comment

by:mike1142
ID: 39861529
I have the option, on this AP, to use an ACL on any security profile, which is essentially MAC filtering. The MAC list can be kept on the device itself or it can connect to a database server and store and query the list, but I think you're alluding to the problem of MAC spoofing. I would rather have something a little more bulletproof, but I think this might be the right direction. I am asking for the moon and stars, but let's go there and decide what is realistic.

I am also reading about device authentication AND user authentication, meaning that both conditions must be satisfied to connect to the AP "secure" wireless. I am having trouble grasping how to do this on the smarter devices. MDM is an option but it's pricey.

So the PSK only devices. I could segregate them on a VLAN I guess and if the PSK is compromised access to the secure VLAN is not possible (I assume). Now the PSK devices cannot communicate with the secure network correct? Which could be an issue.
0

 

Author Comment

by:mike1142
ID: 39861551
Sorry, I spoke too soon: the ACL list can be stored locally or on the RADIUS server, but only per radio; it has an A and a B/G radio.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39861565
With Windows machines you can lock down access via Group Policy as long as they're on a domain.  With smartphones you can't really govern this unless you use device onboarding or an MDM solution.

The MAC authentication approach is something which should be investigated though.  It is still used as a means of authenticating devices on a wired network and people often still use it as an additional measure in Wireless to help fend off the general speculative users who are just trying to connect their device (not serious hacking attempts).

A PSK has no real place in the corporate environment in my opinion and it should not be used to allow access to corporate resources.  Therefore I would agree that segmenting all PSK users would be a good design approach and it is not going to cause any issues from a technical point of view, but it might in the minds of the users.  What you need to do here is create a security policy which outlines the fact that if you want to access corporate resources you must connect to the corporate SSID using corporate credentials and/or corporate-approved devices.
0
 

Author Comment

by:mike1142
ID: 39861593
I think we are getting closer. Please realize to configure the NPS and NAP for the server I followed the MS guide for dummies.

Having said that, I am reading that you can configure an additional NAP to authenticate a device based on its MAC, and somehow you set up a domain account with the MAC as the user ID.

Any experience with this? I think this would negate the need for a PSK altogether AND I would have no worries about rotating passwords on the non-authenticating devices, which would further make installation of a new device as easy as selecting the SSID and noting the MAC address. This could also be used for wired devices that are non-authenticating as well, I just realized. Nothing gets on the network that isn't already known: device, person or both.
Any ideas on this approach?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39861606
Yep, Windows-based MAC authentication is easy.  This link will show you how to do it...

http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx

That should allow the MAC address of a device to be used to do the MAC-authentication part but still allow the user to provide credentials in order for the 802.1X part to function and secure the wireless link.
0
 

Author Comment

by:mike1142
ID: 39861655
OK, well now I have a bunch more questions. With ACL turned on, devices that can authenticate cannot connect because the AP says the device is not in the list. I wanted these devices to be allowed, but devices that cannot authenticate to present a valid MAC address.

Questions
1. What policy is allowing unauthenticated wired devices access to the network?
2. How do I configure a policy to not allow this?
3. What policy is allowing domain joined and users authenticated to use network (just curious on this one)
4. How is the policy configured to add the MAC accounts, the article is vague on passwords.

Sorry if this is becoming RADIUS 101 but I did not know how complex and useful this would be.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39861733
This is where it gets interesting.

If your APs only support global MAC-filtering and not per-SSID MAC-filtering you'll only be able to do one or the other.  So if it's global you have to do it for everyone or no-one.

What APs do you have?
0
 

Author Comment

by:mike1142
ID: 39861742
I have a Netgear WAG 102. This is for a small office in a highly regulated privacy industry.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39861759
OK, when you say highly regulated privacy industry, do you mean that privacy of data and secure access-control to that data is of utmost importance?
0
 

Author Comment

by:mike1142
ID: 39861773
Exactly. It is the healthcare industry and is highly regulated via HIPAA, but also by more stringent accreditation authorities.

It's not so much an issue of the privacy, though that is very important. I need auditable proof of who has access to what. Network access is the weak point.

I hope this doesn't make you bail on me.
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39861799
No I won't bail... I work for one of Cisco's biggest partners doing this stuff every day.

If your data requires security which should be HIPAA-compliant you need a clearly-defined security policy.  That gives you control over who does what, and how.  Usually this isn't the case and you end up allowing everyone to do what they want because they scream loud enough.

In an ideal world I'd say get rid of NPS and your Netgear APs and stick some proper kit in there - it will make life so much easier.  However I know that it's not always an option.

The good news is that you should be able to do what you need using the kit you have.  The bad news is that I'm not completely convinced that the WAP102 manual is correct/clear.  Basically it says you can do per-SSID security policies.  That's great, but what it doesn't say (in the MAC Filtering section) is that you can enforce this option per-SSID.

So, I would have a look on the APs first to see if you can do per-SSID MAC filtering.  If you can't I won't bother telling you how to get it working, but if it can we're in business :-)
0
 

Author Comment

by:mike1142
ID: 39861826
Sorry, MAC filtering is only per radio the A or the B/G - I am not sure that A is possible on all devices. This brand new Dell I am on does not see the A SSID.

The goal would be to use what I have, lock everything down as tight as I can and let them make the exceptions, and I will document such. They have the license and the liability (and the lawyers), I don't. I could throw in a bid for a proper setup, I am not sure what that is, but a lot has been spent on the current setup which was required by the EMR/PB&R vendor.

I guess I am in the market for a new AP? Do you have recommendations if it is allowed in the rules?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39861915
OK, I'd say forget MAC filtering then.

AP-wise you'd be able to do what you want with a Cisco AP.  Something like the 1600 would be ideal.  This will let you configure per-SSID MAC authentication which can link to RADIUS and can be used in conjunction with 802.1x.
0
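The design that Craig Beck's comments converge on (MAC authentication for the PSK-only devices, handled by the RADIUS server per SSID, with those devices segregated into their own VLAN) can be modelled end to end in a few dozen lines. The following Python is an added example, not code from this thread, from Netgear, Cisco or Microsoft NPS; it builds the RADIUS Access-Request an AP would send for a MAC-authenticated device (MAC as User-Name and PAP User-Password, RFC 2865), evaluates a policy on the server side, and returns an Access-Accept carrying the RFC 2868 tunnel attributes that place the client in a VLAN, with the NAS verifying the Response Authenticator. The SSID names, MAC addresses, VLAN number and shared secret are constructed sample values, and the `AP-MAC:SSID` form of Called-Station-Id is an assumption about the AP (it is a common wireless convention but not universal). MAC normalization is included because APs send the same address in several notations, which is a frequent reason allowlist entries silently fail to match.

```python
import hashlib, hmac, os, struct
from typing import Dict, List, Optional, Tuple

# RFC 2865 codes and attribute types; RFC 2868 tunnel attributes (VLAN assignment).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID = 1, 2, 30, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Constructed policy: the SSID on which MAC authentication applies, the VLAN those
# devices land in, and the allowlist of PSK-only devices in canonical form.
MAC_AUTH_SSID = "Office-PSK"
MAC_AUTH_VLAN = "20"
MAC_ALLOWLIST = {"001122334455", "66778899aabb"}

def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-55, 00:11:22:33:44:55 and 0011.2233.4455 all match."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def pap_xor(data: bytes, secret: bytes, request_auth: bytes, encode: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: block XOR MD5(secret + previous ciphertext block)."""
    out, prev = bytearray(), request_auth  # the first block chains on the Request Authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if encode else block  # the ciphertext block, in either direction
    return bytes(out)

def pack_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_mac_auth_request(device_mac: str, ap_mac: str, ssid: str,
                           secret: bytes, ident: int = 1) -> Tuple[bytes, bytes]:
    """AP (NAS) side: the MAC is both User-Name and PAP password; Called-Station-Id is AP-MAC:SSID (assumed)."""
    request_auth = os.urandom(16)
    mac_id = device_mac.upper().encode()
    padded = mac_id + b"\x00" * (-len(mac_id) % 16)
    body = pack_attrs([(USER_NAME, mac_id),
                       (USER_PASSWORD, pap_xor(padded, secret, request_auth, encode=True)),
                       (CALLING_STATION_ID, mac_id),
                       (CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth

def authorize(request: bytes, secret: bytes) -> bytes:
    """Policy-server side: allowlisted MAC, on the MAC-auth SSID, with consistent attributes -> PSK VLAN."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    decision, reply = ACCESS_REJECT, []
    try:
        attrs = parse_attrs(request[20:length])
        user = normalize_mac(attrs[USER_NAME].decode())
        revealed = pap_xor(attrs[USER_PASSWORD], secret, request_auth, encode=False)
        password = normalize_mac(revealed.rstrip(b"\x00").decode())
        calling = normalize_mac(attrs[CALLING_STATION_ID].decode())
        ssid = attrs[CALLED_STATION_ID].decode().partition(":")[2]
        if (code == ACCESS_REQUEST and ssid == MAC_AUTH_SSID
                and user == password == calling and calling in MAC_ALLOWLIST):
            decision = ACCESS_ACCEPT
            tag = b"\x01"  # RFC 2868 tag byte ties the three tunnel attributes together
            reply = [(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                     (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
                     (TUNNEL_PRIVATE_GROUP_ID, tag + MAC_AUTH_VLAN.encode())]
    except (KeyError, ValueError, UnicodeDecodeError):
        pass  # malformed or incomplete request: reject
    body = pack_attrs(reply)
    header = struct.pack("!BBH", decision, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply that fails this check did not come from the server holding the secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def mac_auth_exchange(device_mac: str, ap_mac: str, ssid: str,
                      secret: bytes = b"constructed-shared-secret") -> Tuple[int, Optional[str]]:
    """Full round trip; returns (reply code, assigned VLAN or None)."""
    request, request_auth = build_mac_auth_request(device_mac, ap_mac, ssid, secret)
    response = authorize(request, secret)
    if not verify_response(response, request_auth, secret):
        raise ValueError("Response Authenticator mismatch")
    attrs = parse_attrs(response[20:])
    vlan = attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode() if TUNNEL_PRIVATE_GROUP_ID in attrs else None
    return response[0], vlan
```

Calling `mac_auth_exchange("00-11-22-33-44-55", "00-1F-33-AA-BB-CC", "Office-PSK")` returns `(2, "20")`, an Access-Accept placing the device in the PSK VLAN, while an unlisted MAC or an allowlisted MAC presenting on a different SSID gets `(3, None)`. The `user == password == calling` check is only a consistency check on attributes the AP itself supplies; as the thread notes, a MAC is presence evidence, not a secret, which is why the accept carries a VLAN assignment rather than access to the same segment as the 802.1X-authenticated clients.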
 

Author Closing Comment

by:mike1142
ID: 39861936
Thanks for the help I will get back to this when I assess AP options.
0
