802.1x authenticating iPADS but rejecting iPhones.

  • Question
  • Updated 3 years ago

We currently have an 802.1x environment set up with a 2008 R2 NPS server authenticating users. The school deployed 2000 iPads to the student body and authentication via NPS is working as expected. Here lies the issue. After the deployment the powers that be decided that the student body should not have the right to log in to the environment with their user credentials on personal devices (BYOD). In the current deployment they can. The fix that I was hoping would work would be implementing “OS Classification”. Unfortunately it partially works; I can filter out Windows, Android, and Apple MacBooks, but I can’t differentiate iPhones from iPads. I need a solution that will do the following: allow iPads through but deny all other devices and/or limit the logged on user to one authenticated device.


oren

  • 3 Posts
  • 0 Reply Likes

Posted 3 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Firstly, have you instead considered using device certificates on the iPads, made available via a Mobile Config that you install? This won't be able to be extracted by enterprising students.

----

Secondly, I think that, abstractly, it is only possible to sensibly differentiate between iOS devices by snooping the HTTP user agent in Web traffic.

How is your OS detection configured under Management Options?

(Note: Not owning an iPad, I have not verified what the behaviour is here in HiveOS.
It may be that this makes no difference despite the HTTP user agent giving more specific information than DHCP option 55 yields. It does say in that screenshot that DHCP is the primary means. There is also the option to use HTTP alone which you could try.)
(Edited)

oren

  • 3 Posts
  • 0 Reply Likes
In the current config it can't distinguish between iPads and iPhones because DHCP option 55 is the same on both devices (1,3,6,15,119,252). It seems that the endpoint device has to hit an HTTP page to get classified; prior to doing so the endpoint can use any app on the device without being categorized (the client doesn't want to use a CWP for student device login).

Can you please elaborate on your first suggestion:
"Firstly, have you instead considered using device certificates on the iPads, made available via a Mobile Config that you install? This won't be able to be extracted by enterprising students."

I need a solution that requires as little administration as possible.
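To make the DHCP point above concrete, here is an added example (not code from the thread, Aerohive or HiveOS) that parses the options field of a DHCP message and classifies the client by its option 55 Parameter Request List. The iOS signature is the one quoted in the post; the other table entry and the two sample messages are constructed for illustration. It shows why an option-55 fingerprint alone cannot separate an iPad from an iPhone: both messages differ only in the client-chosen hostname (option 12), which the user controls and which is therefore not a trustworthy classifier either.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie preceding the options

# Option 55 signatures. The iOS entry is the value quoted in this thread; the
# second entry is a constructed placeholder showing the table shape, not a
# real fingerprint for any OS.
PRL_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "iOS (iPhone or iPad, indistinguishable)",
    (1, 3, 6, 15, 31, 33, 43): "constructed-example-os",
}


def parse_dhcp_options(options: bytes) -> dict:
    """Parse DHCP options (cookie + TLVs) into {code: raw_value}.

    Handles pad (0) and end (255) and refuses truncated TLVs instead of
    silently classifying a malformed message."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 0:            # pad octet
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        parsed[code] = value
        i += 2 + length
    return parsed


def classify(options: bytes) -> str:
    """Classify a client purely by its option 55 Parameter Request List."""
    prl = tuple(parse_dhcp_options(options).get(55, b""))
    return PRL_FINGERPRINTS.get(prl, "unknown")


def build_discover(hostname: str, prl: bytes) -> bytes:
    """Construct just the options field of a DHCPDISCOVER (sample input)."""
    return (MAGIC_COOKIE
            + bytes([53, 1, 1])                                  # message type = DISCOVER
            + bytes([12, len(hostname)]) + hostname.encode()     # option 12, client hostname
            + bytes([55, len(prl)]) + prl                        # option 55, parameter request list
            + b"\xff")


IOS_PRL = bytes([1, 3, 6, 15, 119, 252])
IPAD_DISCOVER = build_discover("student-iPad", IOS_PRL)      # constructed sample
IPHONE_DISCOVER = build_discover("student-iPhone", IOS_PRL)  # constructed sample

if __name__ == "__main__":
    for label, msg in (("iPad", IPAD_DISCOVER), ("iPhone", IPHONE_DISCOVER)):
        opts = parse_dhcp_options(msg)
        print(f"{label}: option55={list(opts[55])} hostname={opts[12].decode()} -> {classify(msg)}")
```

Because both devices yield the same option 55 tuple, any DHCP-driven OS classification collapses them into one class; only a later HTTP user agent (or, as the thread goes on to say, the credential itself) can tell them apart.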

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You issue an individual client digital certificate for each of the iPads, derived from an internal CA, and install it to the iPads via a MobileConfig so that they use this to authenticate. The method of authentication with this is EAP-TLS.

On-boarding tools exist to help with this.

Aerohive offer http://www.aerohive.com/products/cloud-services-platform/client-management
CloudPath offer a great alternative.
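As an added illustration of the per-device approach described above (example code; not from the thread, Aerohive, CloudPath or Apple), the following builds one EAP-TLS Wi-Fi MobileConfig per iPad using only the standard library. The payload type names and keys (com.apple.security.root, com.apple.security.pkcs12, com.apple.wifi.managed, EAPClientConfiguration, AcceptEAPTypes 13 for EAP-TLS) are Apple's documented profile keys; the SSID, organization, server name, CA bytes and PKCS#12 bytes are constructed placeholders, and issuing the real per-device certificate from the internal CA is assumed to happen elsewhere.

```python
import plistlib
import uuid

# Constructed placeholders standing in for real DER / PKCS#12 blobs.
FAKE_CA_DER = b"PLACEHOLDER-CA-CERT-DER"
FAKE_P12_FOR_DEVICE = {
    "ipad-0001": b"PLACEHOLDER-PKCS12-ipad-0001",
    "ipad-0002": b"PLACEHOLDER-PKCS12-ipad-0002",
}


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_eaptls_profile(ssid: str, device_name: str, identity_p12: bytes,
                         p12_password: str, ca_der: bytes,
                         trusted_server_names: list, org: str = "school.example") -> bytes:
    """Return a .mobileconfig (XML plist) that installs the CA, the device's
    identity and a Wi-Fi network configured for EAP-TLS with that identity."""
    ca_uuid, identity_uuid, wifi_uuid = _uuid(), _uuid(), _uuid()

    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Internal CA root",
        "PayloadContent": ca_der,
    }
    identity_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.identity.{identity_uuid}",
        "PayloadUUID": identity_uuid,
        "PayloadDisplayName": f"Device identity {device_name}",
        "PayloadContent": identity_p12,   # per-device key + cert issued by the internal CA
        "Password": p12_password,         # stored in clear in the profile: deliver via MDM
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                       # 13 = EAP-TLS only; no PEAP/MSCHAPv2 fallback
            "PayloadCertificateAnchorUUID": [ca_uuid],    # trust only the internal CA for the server cert
            "TLSTrustedServerNames": trusted_server_names,
            "TLSAllowTrustExceptions": False,             # user cannot click through an untrusted server
        },
        "PayloadCertificateUUID": identity_uuid,          # identity used for the client side of TLS
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi-eaptls.{device_name}",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"{ssid} EAP-TLS ({device_name})",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,                 # honoured on supervised devices
        "PayloadContent": [ca_payload, identity_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def build_all(ssid: str = "School-Student") -> dict:
    """One profile per device; each carries its own identity, so a stolen
    profile compromises one device's credential, not a shared one."""
    return {
        name: build_eaptls_profile(ssid, name, p12, "per-device-password-placeholder",
                                   FAKE_CA_DER, ["radius.school.example"])
        for name, p12 in FAKE_P12_FOR_DEVICE.items()
    }


if __name__ == "__main__":
    for name, blob in build_all().items():
        with open(f"{name}.mobileconfig", "wb") as fh:
            fh.write(blob)
        print(name, len(blob), "bytes")
```

The credential the NPS policy should then key on is the certificate subject issued to the device, not a student's username; the profile pins the server's CA and name so the device does not hand its TLS handshake to a rogue AP, and restricts AcceptEAPTypes to EAP-TLS so a password-based fallback cannot be used from a personal phone.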

oren

  • 3 Posts
  • 0 Reply Likes
Is there a way to restrict a user to only one authenticated device at a time?

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Why would you want to do that? It would not achieve your stated goal of disallowing BYOD.

That said, the building blocks have gone in to allow concurrent sessions to be limited with future HiveOS releases with RADIUS. This is not reliably possible today but that should change in the not too distant future.

I don't recommend trying to limit based on the client's MAC address, it is not scalable.

The discriminator that you should be using is the credential presented. You ensure that credentials are only on the devices that you expect.

The gold standard solution is to do this with client certificates that cannot reasonably be extracted, on an iPad via a MobileConfig.

Nick
(Edited)

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
Agreed that snooping can't differentiate between iPads & iPhones - have sniffed and see the same DHCP options & web browser.  While I've gotten EAP-TLS (per-user certs) to work with iPads, it was ugly.  You could do something like re-use the same profile on every iPad and hope it wouldn't get compromised/stolen - you'd set NPS for EAP-TLS only.

Other options would include Cisco Secure ACS which can integrate with Microsoft AD and can do 'max sessions'.  Max sessions depends on accounting records - if the AP sends a start record and no stop record is seen, ACS assumes the device is logged in and rejects the second attempt.  Of course if the iPhone jumps on before the iPad, the teachers could spend time sorting this out.

You could do MAC authentication with a bulk import of iPad MACs - if you're using Apple DEP or MDM, the MACs can probably be obtained pretty easily and a bulk import done into AD using PowerShell or VBS.  AFAIK, MAC spoofing isn't possible with iPhones unless they're rooted.  FreeRADIUS also works fine for MAC authentication.

You can even do wild-card filtering based on calling-station-id:
https://docs.google.com/document/d/1xzJhWafRZWWqzIaTGaF3xt5a7ECGzGsrdpRzRGSTm_8/edit?usp=sharing
But there might be so many OUIs and so little pattern that the list could be extensive.

You might also set aside a BYOD SSID and shuffle the iPhones off to it so you could at least do bandwidth controls there.
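The MAC-based options in the reply above (a bulk-imported allowlist and wildcard filtering on Calling-Station-Id) run into a practical snag: MDM exports and RADIUS clients write MAC addresses in different notations. This added example (not code from the thread, from any MDM product, NPS or FreeRADIUS) normalizes a constructed inventory export, keeps only the iPad rows, derives OUI wildcard patterns from them and evaluates a Calling-Station-Id against exact and wildcard allowlists, reporting which rule matched. The OUIs and serials are constructed placeholders (locally administered addresses), not Apple's real prefixes.

```python
import csv
import fnmatch
import io
import re

# Constructed MDM/DEP inventory export; MACs deliberately use mixed notations.
INVENTORY_CSV = """serial,model,wifi_mac
PLACEHOLDER-SN-0001,iPad Air,02:1A:2B:11:22:33
PLACEHOLDER-SN-0002,iPad Air,02-1a-2b-44-55-66
PLACEHOLDER-SN-0003,MacBook Air,02-3c-4d-aa-bb-cc
PLACEHOLDER-SN-0004,iPad mini,021a.2b77.8899
"""


def normalize_mac(raw: str) -> str:
    """Canonicalize any common MAC notation to NPS-style 'AA-BB-CC-DD-EE-FF'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_ipad_macs(csv_text: str) -> set:
    """Bulk-import candidate: the normalized MACs of rows whose model is an iPad."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize_mac(r["wifi_mac"]) for r in rows if r["model"].lower().startswith("ipad")}


def oui_patterns(macs: set) -> set:
    """Wildcard patterns on the first three octets, e.g. '02-1A-2B-*'."""
    return {mac[:8] + "-*" for mac in macs}


def authorize(calling_station_id: str, exact_allow: set, wildcard_allow: set) -> tuple:
    """Return (allowed, reason) for a RADIUS Calling-Station-Id.

    Exact matches are strongest; an OUI wildcard only says 'probably the same
    make', so the reason is reported so a log can show which rule fired."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return (False, "unparseable Calling-Station-Id")
    if mac in exact_allow:
        return (True, "exact-allowlist")
    for pattern in sorted(wildcard_allow):
        if fnmatch.fnmatchcase(mac, pattern):
            return (True, f"oui-wildcard:{pattern}")
    return (False, "not-allowlisted")


IPAD_MACS = load_ipad_macs(INVENTORY_CSV)
IPAD_OUIS = oui_patterns(IPAD_MACS)

if __name__ == "__main__":
    for csid in ("02:1a:2b:44:55:66", "021A2B999999", "02-3C-4D-00-00-01", "garbage"):
        print(csid, "->", authorize(csid, IPAD_MACS, IPAD_OUIS))
```

Logging the reason matters because an OUI wildcard admits any device sharing the prefix, so a hit on the wildcard rule rather than the exact list is the event worth reviewing when checking whether personal devices are slipping through.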

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Nitpicking a bit on the max sessions front...

I'm curious, does ACS support doing this properly, tracking sessions using the Acct-Multi-Session-Id where the attribute is present? With HiveOS, the Acct-Session-Id will change when a roam occurs etc for the same 'connection' where the same User-Name is identical so incomplete implementations will quickly get tripped up if they don't stick to the spec.

If packet loss and retries do occur resulting in out of order receipt, does this work properly? I'm suspicious! :P

Additionally, there are incidental behaviours in HiveOS prior to 6.6r1 that trip up session tracking from being able to take place properly in a state machine that handles RADIUS accounting information when packet loss, retries or failover occur.

Does ACS also handle binding auth to accounting based on the Class attribute so that anonymous outer identities are handled correctly?
(Edited)
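The three concerns raised above (keying on Acct-Multi-Session-Id so a roam that changes Acct-Session-Id is still one session, tolerating out-of-order Start/Stop records, and binding accounting to the real user via the Class attribute when the outer EAP identity is anonymous) are what a max-sessions state machine has to get right. This added example (illustrative code, not HiveOS, ACS or NPS logic) implements such a tracker over constructed accounting records and runs the same roam-and-teardown sequence once with multi-session awareness and once keyed on Acct-Session-Id alone, so the difference is visible. The Class value, usernames, session ids and MACs are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SessionTracker:
    max_sessions: int = 1
    use_multi_session_id: bool = True
    class_to_identity: dict = field(default_factory=dict)  # Class value -> real user (from Access-Accept)
    sessions: dict = field(default_factory=dict)           # user -> {multi_id: {"mac": str, "sids": set}}
    stopped: set = field(default_factory=set)              # (multi_id, session_id) pairs already stopped

    def bind_class(self, class_value: str, identity: str) -> None:
        # The auth server put Class in the Access-Accept; the NAS echoes it in accounting,
        # which is the only reliable link when User-Name is an anonymous outer identity.
        self.class_to_identity[class_value] = identity

    def identity(self, pkt: dict) -> str:
        return self.class_to_identity.get(pkt.get("Class"), pkt["User-Name"])

    def keys(self, pkt: dict) -> tuple:
        sid = pkt["Acct-Session-Id"]
        multi = pkt.get("Acct-Multi-Session-Id") if self.use_multi_session_id else None
        return (multi or sid, sid)

    def handle(self, pkt: dict) -> None:
        multi, sid = self.keys(pkt)
        user = self.identity(pkt)
        per_user = self.sessions.setdefault(user, {})
        status = pkt["Acct-Status-Type"]
        if status == "Stop":
            self.stopped.add((multi, sid))            # tombstone: a late/retried Start must not revive it
            entry = per_user.get(multi)
            if entry is not None:
                entry["sids"].discard(sid)
                if not entry["sids"]:                  # last sub-session gone: logical session closed
                    del per_user[multi]
        elif status in ("Start", "Interim-Update"):
            if (multi, sid) in self.stopped:
                return                                 # out-of-order Start after its Stop: ignore
            entry = per_user.setdefault(multi, {"mac": pkt.get("Calling-Station-Id"), "sids": set()})
            entry["sids"].add(sid)
        else:
            raise ValueError(f"unexpected Acct-Status-Type {status!r}")

    def active(self, user: str) -> int:
        return len(self.sessions.get(user, {}))

    def admit(self, user: str, calling_station_id: str) -> bool:
        """Access-Request decision: the same device re-authenticating (a roam) is always
        admitted; a different device is admitted only below max_sessions."""
        if any(e["mac"] == calling_station_id for e in self.sessions.get(user, {}).values()):
            return True
        return self.active(user) < self.max_sessions


def run_scenario(use_multi_session_id: bool) -> dict:
    t = SessionTracker(max_sessions=1, use_multi_session_id=use_multi_session_id)
    t.bind_class("CLS-0001", "oren")                      # constructed Class value issued at auth time
    ipad_mac, iphone_mac = "02-1A-2B-11-22-33", "02-1A-2B-AA-BB-CC"
    base = {"User-Name": "anonymous@school.example", "Class": "CLS-0001", "Calling-Station-Id": ipad_mac}

    def acct(status, sid, multi="M1"):
        return {**base, "Acct-Status-Type": status, "Acct-Session-Id": sid, "Acct-Multi-Session-Id": multi}

    out = {}
    t.handle(acct("Start", "A1"))                         # iPad joins AP-1
    t.handle(acct("Start", "A2"))                         # roams to AP-2: new Acct-Session-Id, same multi id
    out["during_roam"] = t.active("oren")                 # AP-1's Stop has not arrived yet
    out["admit_ipad_roam"] = t.admit("oren", ipad_mac)
    out["admit_iphone"] = t.admit("oren", iphone_mac)     # same credential on a second device
    t.handle(acct("Stop", "A1"))                          # AP-1's Stop arrives late
    out["after_roam"] = t.active("oren")
    t.handle(acct("Stop", "A2"))                          # iPad disconnects...
    t.handle(acct("Start", "A2"))                         # ...then a retransmitted Start for A2 shows up
    out["after_teardown"] = t.active("oren")
    out["admit_iphone_after"] = t.admit("oren", iphone_mac)
    out["identity_seen"] = t.identity(base | {"Acct-Status-Type": "Start", "Acct-Session-Id": "x"})
    return out


if __name__ == "__main__":
    print("multi-session aware:", run_scenario(True))
    print("Acct-Session-Id only:", run_scenario(False))
```

With Acct-Multi-Session-Id the roam never looks like two sessions; keyed on Acct-Session-Id alone the count briefly reads two, and if AP-1's Stop is lost it stays two, which is exactly the ghost-session failure the reply above is worried about. The tombstone set keeps a retried Start from reopening a session that has already stopped, and the Class binding is what lets the count be charged to "oren" rather than to the anonymous outer name.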

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
With the original ACS software, it looked at the username field.  Agreed if sending of accounting records is unpredictable, max-sessions would not work well.  The newer software, Identity Services Engine, may use different accounting attributes - not sure.