Solved

Wireless 802.1x Restrict Access

Posted on 2014-02-14
Last Modified: 2014-02-15
I have a domain network using Windows 2012 R2 as the domain controller. It has NPS set up and I have 802.1X policies configured. I have a WAP that has multiple SSIDs and security profiles available. Currently I have PSK and RADIUS SSIDs working.

I have devices that can use RADIUS authentication (laptops and smartphones) and devices that are limited to PSK.

I would like the devices that are capable of using RADIUS authentication to use it and not be able to connect to the PSK. I wish I could rely on the security of not sharing the PSK but it's not a perfect world and I need some additional measures.
0
Question by:mike1142
16 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 39860940
Unfortunately there is no standardized way for a server OS to query a connecting client on whether it supports WPA-enterprise. That is what would be required to only allow WPA-PSK on a conditional basis. I don't think you can accomplish what you are trying to do.
0
 
LVL 3

Expert Comment

by:ola_erik
ID: 39861498
There is always the convenience of using MAC filtering.

There is no "anti-hacking" security in that, but if you are more concerned about user behaviour, e.g. sharing passwords, it could be worth looking into.

If you have a limited number of devices and don't have a fluid device-user situation, I'd consider it.
0
 

Author Comment

by:mike1142
ID: 39861529
I have the option, on this AP, to use an ACL on any security profile, which is essentially MAC filtering. The MAC list can be kept on the device itself or it can connect to a database server and store and query the list, but I think you're alluding to the problem of MAC spoofing. I would rather have something a little more bulletproof, but I think this might be the right direction. I am asking for the moon and stars, but let's go there and decide what is realistic.

I am also reading about device authentication AND user authentication, meaning that both conditions must be satisfied to connect to the AP "secure" wireless. I am having trouble grasping how to do this on the smarter devices. MDM is an option but it's pricey.

So, the PSK-only devices. I could segregate them on a VLAN I guess, and if the PSK is compromised, access to the secure VLAN is not possible (I assume). Now the PSK devices cannot communicate with the secure network, correct? Which could be an issue.
0
 

Author Comment

by:mike1142
ID: 39861551
Sorry, I spoke too soon. The ACL list can be stored locally or on the RADIUS server, but only per radio; it has an A and a B/G radio.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39861565
With Windows machines you can lock down access via Group Policy as long as they're on a domain.  With smartphones you can't really govern this unless you use device onboarding or an MDM solution.

The MAC authentication approach is something which should be investigated though.  It is still used as a means of authenticating devices on a wired network and people often still use it as an additional measure in Wireless to help fend off the general speculative users who are just trying to connect their device (not serious hacking attempts).

A PSK has no real place in the corporate environment in my opinion and it should not be used to allow access to corporate resources.  Therefore I would agree that segmenting all PSK users would be a good design approach and it is not going to cause any issues from a technical point of view, but it might in the minds of the users.  What you need to do here is create a security policy which outlines the fact that if you want to access corporate resources you must connect to the corporate SSID using corporate credentials and/or corporate-approved devices.
0
 

Author Comment

by:mike1142
ID: 39861593
I think we are getting closer. Please realize that to configure NPS and NAP for the server I followed the MS guide for dummies.

Having said that, I am reading that you can configure an additional NAP to authenticate a device based on its MAC, and somehow you set up a domain account with the MAC as the user ID.

Any experience with this? I think this would negate the need for a PSK altogether AND I have no worries about rotating passwords on the non-authenticating devices, which would further make installation of a new device as easy as selecting the SSID and noting the MAC address. This could also be used for wired devices that are non-authenticating as well, I just realized. Nothing gets on the network that isn't already known: device, person, or both.
Any ideas on this approach?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39861606
Yep, Windows-based MAC authentication is easy.  This link will show you how to do it...

http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx

That should allow the MAC address of a device to be used to do the MAC-authentication part but still allow the user to provide credentials in order for the 802.1X part to function and secure the wireless link.
0
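An added, simplified model of the RADIUS decision this design implies, serving both the VLAN segregation discussed earlier in the thread and the Windows-based MAC authentication linked above (example code written for this page, not the thread's or Microsoft's): 802.1X users land on the corporate VLAN, MAC-authenticated devices land on a segregated VLAN, and a MAC account is accepted only when User-Name matches the Calling-Station-Id the AP reports. The directory sets, VLAN IDs and the `eap_result` flag are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory. In the real design these are AD accounts:
# MAC-auth "users" whose name is the device MAC (in a dedicated group) and
# ordinary domain users who authenticate over 802.1X/EAP.
MAC_AUTH_GROUP = {"001122334455", "aabbccddeeff"}   # constructed MACs
DOMAIN_USERS = {"mike1142"}                         # constructed user
CORPORATE_VLAN = "10"    # assumed VLAN for 802.1X-authenticated users
RESTRICTED_VLAN = "20"   # assumed segregated VLAN for MAC-only devices


def normalize_mac(value):
    """Collapse the formats APs put in Calling-Station-Id (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455) to 12 lowercase hex digits, else None."""
    cleaned = re.sub(r"[-:.]", "", value or "")
    return cleaned.lower() if re.fullmatch(r"[0-9a-fA-F]{12}", cleaned) else None


@dataclass
class Decision:
    accept: bool
    vlan: Optional[str]   # value for Tunnel-Private-Group-ID on Access-Accept
    reason: str           # what an audit log line would record


def evaluate(request):
    """request: RADIUS Access-Request attributes as a dict.
    'eap_result' is a constructed stand-in for the outcome of the EAP method."""
    user = request.get("User-Name", "")
    calling = normalize_mac(request.get("Calling-Station-Id"))
    if calling is None:
        return Decision(False, None, "missing or malformed Calling-Station-Id")
    if "EAP-Message" in request:
        # Corporate SSID: the identity is a domain user, proven by EAP.
        if user in DOMAIN_USERS and request.get("eap_result") == "success":
            return Decision(True, CORPORATE_VLAN, f"802.1X user {user} from {calling}")
        return Decision(False, None, f"802.1X failure for {user!r} from {calling}")
    # MAC authentication: the identity must be the connecting device's own MAC
    # (User-Name bound to Calling-Station-Id) and that MAC must be pre-registered.
    if normalize_mac(user) != calling:
        return Decision(False, None, f"User-Name {user!r} != Calling-Station-Id {calling}")
    if calling not in MAC_AUTH_GROUP:
        return Decision(False, None, f"unregistered device {calling}")
    return Decision(True, RESTRICTED_VLAN, f"MAC-auth device {calling}")
```

The `reason` field is what you would write to the audit trail, since the thread's real requirement is provable who-got-what access rather than the VLAN assignment itself.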
 

Author Comment

by:mike1142
ID: 39861655
OK, well now I have a bunch more questions. With ACL turned on, devices that can authenticate cannot connect because the AP says the device is not in the list. I wanted these devices to be allowed, but devices that cannot authenticate to present a valid MAC address.

Questions
1. What policy is allowing unauthenticated wired devices access to the network?
2. How do I configure a policy to not allow this?
3. What policy is allowing domain-joined and authenticated users to use the network? (Just curious on this one.)
4. How is the policy configured to add the MAC accounts? The article is vague on passwords.

Sorry if this is becoming RADIUS 101 but I did not know how complex and useful this would be.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39861733
This is where it gets interesting.

If your APs only support global MAC-filtering and not per-SSID MAC-filtering you'll only be able to do one or the other.  So if it's global you have to do it for everyone or no-one.

What APs do you have?
0
 

Author Comment

by:mike1142
ID: 39861742
I have a Netgear WAG 102. This is for a small office in a highly regulated privacy industry.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39861759
Ok when you say highly regulated privacy industry, do you mean that privacy of data and secure access-control to that data is of utmost importance?
0
 

Author Comment

by:mike1142
ID: 39861773
Exactly. It is the healthcare industry and is highly regulated via HIPAA, but also more stringent accreditation authorities.

It's not so much an issue of the privacy, though that is very important. I need auditable proof of who has access to what. Network access is the weak point.

I hope this doesn't make you bail on me.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39861799
No I won't bail... I work for one of Cisco's biggest partners doing this stuff every day.

If your data requires security which should be HIPAA-compliant you need a clearly-defined security policy.  That gives you control over who does what, and how.  Usually this isn't the case and you end up allowing everyone to do what they want because they scream loud enough.

In an ideal world I'd say get rid of NPS and your Netgear APs and stick some proper kit in there - it will make life so much easier.  However I know that it's not always an option.

The good news is that you should be able to do what you need using the kit you have.  The bad news is that I'm not completely convinced that the WAP102 manual is correct/clear.  Basically it says you can do per-SSID security policies.  That's great, but what it doesn't say (in the MAC Filtering section) is that you can enforce this option per-SSID.

So, I would have a look on the APs first to see if you can do per-SSID MAC filtering.  If you can't I won't bother telling you how to get it working, but if it can we're in business :-)
0
 

Author Comment

by:mike1142
ID: 39861826
Sorry, MAC filtering is only per radio the A or the B/G - I am not sure that A is possible on all devices. This brand new Dell I am on does not see the A SSID.

The goal would be to use what I have, lock everything down as tight as I can, and let them make the exceptions, which I will document. They have the license and the liability (and the lawyers); I don't. I could throw in a bid for a proper setup, though I am not sure what that is, but a lot has been spent on the current setup, which was required by the EMR/PB&R vendor.

I guess I am in the market for a new AP? Do you have recommendations if it is allowed in the rules?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39861915
Ok I'd say forget MAC filtering then.

AP-wise you'd be able to do what you want with a Cisco AP.  Something like the 1600 would be ideal.  This will let you configure per-SSID MAC authentication which can link to RADIUS and can be used in conjunction with 802.1x.
0
 

Author Closing Comment

by:mike1142
ID: 39861936
Thanks for the help I will get back to this when I assess AP options.
0