Control mobile devices on 802.1X with NPS ???

  • Question
  • Updated 4 years ago
  • Answered
Hi, I configured my Aerohive APs with 802.1X with NPS 2008. I configured my NPS to authenticate my users from AD... and assign a dynamic VLAN from the users' groups... All works great but... I want to control the mobile devices of our school and block all other mobile devices from accessing our school VLAN. I know that Windows PCs must have the NPS certificate installed to connect to Wi-Fi, but Apple devices get the certificate automatically when trying to connect. How can I block the certificate from being sent to the mobile device? Or how can I permit only our iPads to use the Wi-Fi and block other Apple devices? I created another SSID for the public (splash page)... I want to use the school's iPads on the first SSID with NPS, and all other iPads or mobile devices should connect only to the public SSID... thanks!
Patrick Bouchard

  • 5 Posts
  • 0 Reply Likes

Posted 5 years ago

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You have a choice of either user or machine authentication (but not both at the same time). You can make the user or machine a member of groups against which you can check for membership to match a Network Policy or not. You can, of course, have multiple Network Policies with different settings.

I think you are getting confused about the certificate that the NPS server uses. It is entirely up to the client whether it chooses to validate the server certificate or not. Make sure your clients only ever have the public key of it or its root.
Patrick Bouchard

  • 5 Posts
  • 0 Reply Likes
I tested machine authentication to permit only PCs that are in the domain... but our iPads are not in the domain, like any other public iPad... how can I do machine authentication when none of the iPads are in the domain?
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Create user accounts for the iPads and either issue a certificate for those accounts (PEAP with TLS) or use the user name and password (PEAP with MS-CHAP-v2). Configure via the Apple Configurator and a MobileConfig.
Patrick Bouchard

  • 5 Posts
  • 0 Reply Likes
We presently use a username and password from AD to connect iPads in our school. But when we use this login and password... any user can bring his own device into the school and connect it using the same username and password...
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You need to ensure that you make the user a member of an appropriate group and check for membership in the network policy that grants access. Other users that are not a member will then be denied access or placed in a different VLAN by matching a different Network Policy.
Patrick Bouchard

  • 5 Posts
  • 0 Reply Likes
This part of the authentication works great... I already have groups in my AD, members are assigned to these groups, and NPS does the job with the Aerohive APs; all my members are connected to the right VLAN based on the groups in AD... My question is: how can I distinguish an iPad that belongs to us from an iPad that a student brings into the school? Thanks!
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I have just told you how! :P

You use a special user account you create to perform authentication that is a member of a group you create. You check for membership of this group before you grant access based on a match to a particular Network Policy. That ensures only your iPads can connect or are placed into a particular VLAN.

If a user tries to authenticate with their own credentials to a privately owned device, they will not be a member of this group and will not get access to the network or will be matched by a different Network Policy and will be placed in a different VLAN.
Patrick Bouchard

  • 5 Posts
  • 0 Reply Likes
Excuse me, Nick, if I don't understand all of what you said... but which type of user can I create in AD such that this user will permit only my iPads to connect to the Wi-Fi? When I connect a PC to the AD, I know the computer name. But the iPads are not in the domain... if I create a username/password in the domain for the school's iPads, when the students use this password, the same students will be able to bring their own iPads and connect using the same username/password... Can I create a user from the MAC address of our iPads??? Thanks again, and excuse me again for not understanding yet!!
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Just a normal user same as any other with a password you specify. Then make this user a member of a group you create and remove membership from all other groups.

You check for membership of this group in a Network Policy.

You can keep the credentials private (for all practical purposes) by embedding them into a MobileConfig that you alone create/have and install on the iPad. The students are never privy to what the password for the account is.

You should not need to use anything related to a MAC address for what you want to achieve.
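As an added example (not posted in this thread), this is the shape of the MobileConfig that the approach above describes: a Wi-Fi payload that embeds the dedicated iPad account for PEAP/MS-CHAPv2 and pins the NPS server certificate to the school's own root, so the device never prompts the user to trust an unknown server. Every SSID, account name, UUID, hostname and certificate value here is a placeholder to be replaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Wi-Fi payload: PEAP/MS-CHAPv2 with the dedicated iPad account embedded (placeholders) -->
    <dict>
      <key>PayloadType</key>             <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>          <integer>1</integer>
      <key>PayloadIdentifier</key>       <string>example.school.wifi.ipad</string>
      <key>PayloadUUID</key>             <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadDisplayName</key>      <string>School iPad Wi-Fi</string>
      <key>SSID_STR</key>                <string>SCHOOL-SSID-PLACEHOLDER</string>
      <key>AutoJoin</key>                <true/>
      <key>EncryptionType</key>          <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>        <array><integer>25</integer></array> <!-- 25 = PEAP -->
        <key>UserName</key>              <string>svc-school-ipad</string>
        <key>UserPassword</key>          <string>PASSWORD-PLACEHOLDER</string>
        <!-- Validate the NPS server: only this name, only this anchor, no trust prompt to the user -->
        <key>TLSTrustedServerNames</key> <array><string>nps.school.example</string></array>
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string></array>
        <key>TLSAllowTrustExceptions</key> <false/>
      </dict>
    </dict>
    <!-- Root CA that issued the NPS server certificate: the public certificate only, never a private key -->
    <dict>
      <key>PayloadType</key>             <string>com.apple.security.root</string>
      <key>PayloadVersion</key>          <integer>1</integer>
      <key>PayloadIdentifier</key>       <string>example.school.ca.root</string>
      <key>PayloadUUID</key>             <string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadDisplayName</key>      <string>School Root CA</string>
      <key>PayloadContent</key>          <data>BASE64-DER-CERT-PLACEHOLDER</data>
    </dict>
  </array>
  <key>PayloadType</key>                 <string>Configuration</string>
  <key>PayloadVersion</key>              <integer>1</integer>
  <key>PayloadIdentifier</key>           <string>example.school.profile.ipad-wifi</string>
  <key>PayloadUUID</key>                 <string>99999999-8888-7777-6666-555555555555</string>
  <key>PayloadDisplayName</key>          <string>School iPad Network</string>
  <!-- On supervised devices installed via Apple Configurator, users cannot remove this profile -->
  <key>PayloadRemovalDisallowed</key>    <true/>
</dict>
</plist>
```

The account password sits in this file in clear text, so anyone who obtains the .mobileconfig can read it: install it directly from Apple Configurator rather than distributing the file, and keep the service account in its dedicated group with no other memberships or privileges.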
ITNoobBuster

  • 1 Post
  • 0 Reply Likes
May I suggest that you configure your DHCP scopes to only allow devices in the allow list, to prevent unauthorized access by devices not belonging to the school being assigned a DHCP address? Although this is not configured directly through NPS, you can utilize your DHCP scope to allow only certain devices via device MAC addresses... Don't forget to activate DHCP name protection!