How do you distinguish between a company owned device and a personal device?

  • 1
  • Question
  • Updated 3 years ago
  • Answered
Hi, we are looking to do machine authentication to achieve the following: we want to distinguish between a company owned device and a personal device. I know there is MDM. But what we want to do is on company owned devices install our certs and authenticate on that basis.
vinay

  • 3 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Eastman Rivai, Official Rep

  • 146 Posts
  • 17 Reply Likes
Vinay,

You may use the client classification policy feature.

Eastman
vinay

  • 3 Posts
  • 0 Reply Likes
We are new to using the Aerohive products. How do I get to this feature? Is it part of client manager?
Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
What you are describing is the essence of BYOD, still one of the hottest topics :-)

There are many threads about this here, just search for it a bit more. However, here is a bit of a summary.

What you want to achieve:

- 1 SSID with 802.1x authentication
- When using their company computer (Windows, connected to domain), they shall have full corporate access
- When using any other device, like their personal iPhone, they shall either be denied or put into the Guest VLAN
 
There are many ways to implement this, all with their pros and cons. Most solutions heavily depend on which kind of devices you use as CID (Company issued device) and the level of control you want to have over them, especially when we are talking about mobile devices. This is where the MDM systems (Mobile device management) such as MobileIron, JAMF Casper Suite or Airwave come in. Most of them support mainly MacOS and iOS devices; Android and ChromeBook are often supported as well, but to my knowledge only Airwave supports Windows as well.
 
Aerohive recently came out with their own MDM, called Client Management. It is not as feature rich as the dedicated systems, but has some nice features. It hooks into the Apple Notification Services and therefore supports everything that comes with that (localization, application use policies, etc). But: It does not support Windows.
 
However, when we are talking about 802.1x plus MDM, we have a 2-level authentication and authorization process:
1. 802.1x authentication via Radius server: determine if a user/device is authorized to connect to the network at all, and identify the user/device
2. Check the device with the MDM system for classification and apply policies
 
In this case you could always have USER authentication in step 1 and then a device recognition and classification in step 2. To my knowledge, if you want to do this with Windows machines, you’d need Airwave.
 
Another way, and this is what you probably want to do, is to authenticate domain computers as COMPUTERS (not users!) and every other device with the user's AD account:
- 1 SSID with 802.1x authentication
- Force Windows domain computers to authenticate as computer, not user
- Configure the Radius server with AD-Group-to-attribute mapping, for example:
  - If the authenticated user/computer is inside AD-Group "Company Computer", use the user-profile with attribute number 10, which maps to VLAN 15
  - If the authenticated user/computer is inside AD-Group "Company Corporate", use the user-profile with attribute number 11, which maps to VLAN 20
  - If the authenticated user/computer is simply authenticated, use the user-profile with attribute number 12, which maps to VLAN 30
 
NOTE: Be aware that with this method, for corporate network access, you always identify the COMPUTER, not the user! So any user with an account to that machine could log in and use your corporate network (local accounts...). If that is acceptable (and you enforce computer admin rights via GPOs), go for it. However, keep in mind that all statistics will show the computer name, not the user.
 
Obviously the trick is the AD-Group to attribute mapping. I have done this with an Aerohive AP configured as Radius server, and it’s quite easy. See the advanced training slides from your course, it’s all in there.
 
If you use a 3rd party Radius server, it depends on the server itself. I don't know about FreeRADIUS, but it definitely works with Windows NPS, see also this thread:
https://community.aerohive.com/aerohive/topics/restrict_non_domain_devices_byod_from_authenticating_...
What you then need to do is to pass a Radius attribute from the Radius server to the AP with information that can then be mapped to the user profile (by its attribute number). The native attribute used by Aerohive is Tunnel-Pvt-Group-Id, and you should pass the following 3:
 
Tunnel-Type = GRE (10)
Tunnel-Medium-Type = IPv4 (1)
Tunnel-Pvt-Group-Id = ATTRIBUTE-ID
 
Alternatively, and more standards-conformant, you can use the attribute Filter-Id, which should include a name such as "corporate". You then use the user-profile attribute mapping with Aerohive to map that name back to an attribute number, which then matches the desired user profile.
 
See this thread for a discussion on this issue (attributes to use for mapping):
https://community.aerohive.com/aerohive/topics/dynamic_user_profile_assignment_via_captive_web_porta...
 
Another good thread on the same topic:
https://community.aerohive.com/aerohive/topics/how_to_keep_users_byod_devices_off_of_the_radius_ssid...
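The group-to-attribute mapping and the two reply-attribute styles described in the answer above, as an added example that is not part of the original thread or of any Aerohive, NPS or FreeRADIUS code. It simulates only the authorization step a RADIUS server performs after 802.1X succeeds: look up the authenticated identity's AD groups, pick the first matching rule (the way an NPS network-policy list is evaluated top to bottom), and emit either the Tunnel-* attributes or a Filter-Id, which the AP side then resolves back to a user-profile attribute number. The group names "Company Computer" and "Company Corporate", the attribute numbers 10/11/12, the VLANs 15/20/30 and the Filter-Id name "corporate" come from the thread; the identities, their group memberships and the other Filter-Id names are constructed sample data.

```python
"""Simulated RADIUS authorization for the one-SSID corporate/BYOD design.

Added example, not code from the thread or from any RADIUS product.
Group names, attribute numbers and VLANs follow the thread; everything
else (identities, group memberships, extra Filter-Id names) is constructed.
"""
from dataclasses import dataclass

# Ordered policy: first match wins. (AD group or None, attribute id, VLAN, label)
# A group of None means "simply authenticated" and must stay last as the catch-all.
POLICY = [
    ("Company Computer",  10, 15, "corporate-device"),
    ("Company Corporate", 11, 20, "corporate"),
    (None,                12, 30, "byod"),
]

# AP-side mapping for the Filter-Id alternative: name -> user-profile attribute.
# "corporate" is the thread's example; the other two names are constructed.
FILTER_ID_TO_ATTRIBUTE = {"corporate-device": 10, "corporate": 11, "byod": 12}

# Tunnel-Type / Tunnel-Medium-Type values as given in the thread for Aerohive.
# RFC 2868 names value 10 "GRE" and value 13 "VLAN"; in this design the
# mapping key is carried in Tunnel-Pvt-Group-Id, so the thread's values are kept.
TUNNEL_TYPE_GRE = 10
TUNNEL_MEDIUM_IPV4 = 1


@dataclass(frozen=True)
class Identity:
    """What the RADIUS server knows after 802.1X: who authenticated and their groups."""
    name: str
    groups: frozenset
    is_computer: bool  # True when a Windows machine account authenticated, not a user


def select_profile(identity):
    """Return (attribute id, VLAN, label) for the first policy rule the identity matches."""
    for group, attribute, vlan, label in POLICY:
        if group is None or group in identity.groups:
            return attribute, vlan, label
    raise ValueError("policy has no catch-all rule")


def radius_reply_tunnel(identity):
    """Reply attributes in the Tunnel-* style listed in the thread."""
    attribute, _vlan, _label = select_profile(identity)
    return {
        "Tunnel-Type": TUNNEL_TYPE_GRE,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IPV4,
        "Tunnel-Pvt-Group-Id": str(attribute),
    }


def radius_reply_filter_id(identity):
    """Reply attributes in the Filter-Id style; the AP maps the name back to a number."""
    _attribute, _vlan, label = select_profile(identity)
    return {"Filter-Id": label}


def ap_resolve_attribute(reply):
    """AP side: turn either reply style into the user-profile attribute number."""
    if "Tunnel-Pvt-Group-Id" in reply:
        return int(reply["Tunnel-Pvt-Group-Id"])
    return FILTER_ID_TO_ATTRIBUTE[reply["Filter-Id"]]


def accounting_subject(identity):
    """The name that statistics will show; for machine auth it is the computer, not the user
    (the NOTE in the thread)."""
    return ("computer" if identity.is_computer else "user"), identity.name


# Constructed sample identities, not real accounts.
SAMPLES = {
    "domain_pc": Identity("host/LAPTOP01.corp.example", frozenset({"Domain Computers", "Company Computer"}), True),
    "corp_user": Identity("CORP\\alice", frozenset({"Domain Users", "Company Corporate"}), False),
    "byod_user": Identity("CORP\\bob", frozenset({"Domain Users"}), False),
}

if __name__ == "__main__":
    for key, ident in SAMPLES.items():
        attribute, vlan, label = select_profile(ident)
        print(f"{key:10} -> attribute {attribute}, VLAN {vlan}, Filter-Id {label!r}, "
              f"accounting shows {accounting_subject(ident)}")
```

Both reply styles resolve to the same attribute number on the AP side, so the choice between them is about which one the RADIUS server and the AP agree on, not about the resulting VLAN. The ordering of `POLICY` matters: a machine account that is also a member of "Company Corporate" still lands on attribute 10 because the computer rule is evaluated first.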
vinay

  • 3 Posts
  • 0 Reply Likes
Thanks for the very detailed response. 
MST

  • 152 Posts
  • 3 Reply Likes
Sorry to "steal" Carsten's post: I have 802.1x with NPS RADIUS and

Tunnel-Type = GRE (10) 
Tunnel-Medium-Type = IPv4 (1) 
Tunnel-Pvt-Group-Id = ATTRIBUTE-ID

I am stuck with step 2: checking the device with the JAMF MDM system for classification and applying policies. So if a non-school device is attached, the enrollment web site pops up. Ideally, a non-school device (not enrolled with JAMF) would be redirected to another VLAN without seeing the enrollment page. I have found:

https://www.aerohive.com/pdfs/Aerohive-Solution_Brief-Jamf.pdf
- "Network-Based Mobile Device Management – If the connected devices are not corporate or school-issued or if they are not Apple devices, an administrator still has the ability to implement network access controls based on identity, device type, connecting location, application, and time of day. These controls are independent of the MDM profile and require no acceptance or installation of any software on the end-user device, but rather rely on the intelligence of the infrastructure to enforce permissions to network resources."

I am new to Aerohive and this is the only step I was not able to configure.