We currently have an 802.1X environment set up with a 2008 R2 NPS server authenticating users. The school deployed 2000 iPads to the student body and authentication via NPS is working as expected. Here lies the issue. After the deployment the powers that be decided that the student body should not have the right to log in to the environment with their user credentials on personal devices (BYOD). In the current deployment they can. The fix that I was hoping would work was implementing "OS Classification". Unfortunately it only partially works: I can filter out Windows, Android, and Apple MacBooks, but I can't differentiate iPhones from iPads. I need a solution that will do the following: allow iPads through but deny all other devices, and/or limit the logged-on user to one authenticated device.
Secondly, I think that, abstractly, it is only possible to sensibly differentiate between iOS devices by snooping the HTTP user agent in Web traffic.
How is your OS detection configured under Management Options?
(Note: Not owning an iPad, I have not verified what the behaviour is here in HiveOS.
It may be that this makes no difference despite the HTTP user agent giving more specific information than DHCP option 55 yields. It does say in that screenshot that DHCP is the primary means. There is also the option to use HTTP alone which you could try.)
Can you please elaborate on your first suggestion:
"Firstly, have you instead considered using device certificates on the iPads, made available via a Mobile Config that you install? This won't be able to be extracted by enterprising students."
I need a solution that requires as little administration as possible.
On-boarding tools exist to help with this.
Aerohive offer http://www.aerohive.com/products/cloud-services-platform/client-management
CloudPath offer a great alternative.
Other options would include Cisco Secure ACS, which can integrate with Microsoft AD and can do 'max sessions'. Max sessions depends on accounting records: if the AP sends a Start record and no Stop record is seen, ACS assumes the device is still logged in and rejects the second attempt. Of course, if the iPhone jumps on before the iPad, the teachers could spend time sorting this out.
You could do MAC authentication with a bulk import of iPad MACs. If you're using Apple DEP or MDM, the MACs can probably be obtained pretty easily and a bulk import done into AD using PowerShell or VBS. AFAIK, MAC spoofing isn't possible on iPhones unless they're rooted. FreeRADIUS also works fine for MAC authentication.
You can even do wildcard filtering based on Calling-Station-Id:
But there might be so many OUIs and so little pattern that the list could be extensive.
You might also set aside a BYOD SSID and shuffle the iPhones off to it, so you could at least do bandwidth controls there.
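As an added illustration of two of the controls in the reply above (a 'max sessions' rule driven by RADIUS accounting Start/Stop records, and MAC authentication with wildcard matching on Calling-Station-Id), here is a small Python simulator. It is example code written for this page, not part of the post and not the behaviour of Cisco Secure ACS, NPS or FreeRADIUS; the MAC addresses, the OUI wildcard and the user name are constructed, and the record handling is a simplified model of what a RADIUS server does with Acct-Status-Type Start/Stop. The demo at the end walks through the failure mode the reply mentions: the iPhone connects first, so the iPad is refused until the iPhone's Stop record is seen.

```python
"""Toy RADIUS policy simulator (added example, not from the post).

Models two controls on constructed data:
  * MAC authentication against an iPad MAC allowlist, plus wildcard
    (OUI-prefix) matching on Calling-Station-Id
  * a 'max sessions' rule fed by RADIUS accounting Start/Stop records
"""
import re

# Constructed sample MACs and wildcard; not real iPads, not real Apple OUIs.
IPAD_ALLOWLIST_RAW = ["00-11-22-33-44-55", "00:11:22:AA:BB:CC"]
OUI_WILDCARDS = ["00:11:22:*"]


def normalize_mac(calling_station_id):
    """Reduce any NAS Calling-Station-Id format (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455, 001122334455, any case) to twelve
    lowercase hex digits so that allowlist lookups are exact."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits.lower()


IPAD_ALLOWLIST = {normalize_mac(m) for m in IPAD_ALLOWLIST_RAW}


def mac_matches_wildcard(calling_station_id, pattern):
    """Everything before the '*' in the pattern, normalised the same way,
    must be a prefix of the normalised MAC (so '00:11:22:*' matches an OUI)."""
    prefix = re.sub(r"[^0-9a-fA-F]", "", pattern.split("*", 1)[0]).lower()
    return normalize_mac(calling_station_id).startswith(prefix)


def mac_allowed(calling_station_id, mode="allowlist"):
    """Exact allowlist (bulk-imported iPad MACs) or OUI wildcard filtering."""
    mac = normalize_mac(calling_station_id)
    if mode == "allowlist":
        return mac in IPAD_ALLOWLIST
    if mode == "wildcard":
        return any(mac_matches_wildcard(mac, p) for p in OUI_WILDCARDS)
    raise ValueError("unknown mode %r" % mode)


class SessionTracker:
    """Per-user live sessions derived from accounting records: a Start with
    no matching Stop counts as live until the Stop arrives (or an admin
    clears it), which is exactly the stale-session caveat in the post."""

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.active = {}  # User-Name -> {Acct-Session-Id: normalised MAC}

    def accounting(self, rec):
        user, sid = rec["User-Name"], rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            self.active.setdefault(user, {})[sid] = normalize_mac(rec["Calling-Station-Id"])
        elif rec["Acct-Status-Type"] == "Stop":
            self.active.get(user, {}).pop(sid, None)
        # Interim-Update changes nothing for this rule.

    def live_devices(self, user):
        return sorted(set(self.active.get(user, {}).values()))

    def check(self, user, calling_station_id):
        """Return (accept, reason) for a new access request."""
        mac = normalize_mac(calling_station_id)
        live = self.live_devices(user)
        if mac in live:  # same device re-authenticating (roam) is not a 2nd session
            return True, "re-auth of live device"
        if len(live) >= self.max_sessions:
            return False, "max sessions reached; live: %s" % ", ".join(live)
        return True, "ok"


def authorize(tracker, user, calling_station_id, mode="allowlist"):
    """Combined decision: MAC filtering first, then the per-user session limit."""
    if not mac_allowed(calling_station_id, mode):
        return False, "MAC not permitted"
    return tracker.check(user, calling_station_id)


def run_demo():
    """iPhone connects before the iPad; returns the list of decisions."""
    tracker = SessionTracker(max_sessions=1)
    iphone, ipad = "00:11:22:de:ad:01", "00-11-22-33-44-55"  # constructed
    decisions = []
    # 1. Plain allowlist: the unregistered iPhone never gets on.
    decisions.append(authorize(tracker, "student1", iphone, "allowlist"))
    # 2. OUI wildcard only: the iPhone is accepted and a session starts.
    decisions.append(authorize(tracker, "student1", iphone, "wildcard"))
    tracker.accounting({"User-Name": "student1", "Acct-Session-Id": "s1",
                        "Acct-Status-Type": "Start", "Calling-Station-Id": iphone})
    # 3. The iPad is now refused: one live session already exists.
    decisions.append(authorize(tracker, "student1", ipad, "wildcard"))
    # 4. Only once the iPhone's Stop record is seen does the iPad get in.
    tracker.accounting({"User-Name": "student1", "Acct-Session-Id": "s1",
                        "Acct-Status-Type": "Stop", "Calling-Station-Id": iphone})
    decisions.append(authorize(tracker, "student1", ipad, "wildcard"))
    return decisions
```

The normalisation step matters in practice: different access points format Calling-Station-Id differently, and an allowlist compared against the raw string will silently reject the iPads it was meant to admit. The demo also shows why the exact allowlist is the stronger control here: the wildcard filter admits any device sharing the OUI, and the session limit then only arbitrates which of the student's devices got there first.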