How do I restrict wifi access to CID devices ONLY?

  • Updated 3 years ago
Hi,

I want to restrict wifi access to company issued devices and am looking for the best way to do that. All the CID devices will be Windows devices. All users who log into the SSID will be in a specified subnet range within a specified VLAN. There are IP Firewall Policies in place that state that if the source IP address is in that specified subnet then allow them access to internal resources and the internet. 

There are Client Classification Policies that state that any device that is NOT a Windows device will have access completely blocked because the IP firewall Policy attached to it has everything set to "Deny" and the User Profile tied to this Client Classification and IP firewall is associated with a non-existent VLAN.

The Client Classification Policy works great! Things such as iPads, iPhones, Android devices, etc. are completely blocked from accessing anything, including the internet, whereas Windows devices are free to communicate with internal resources and browse the internet. The only thing I don't like is that prohibited devices such as iPads will sometimes receive an IP address through DHCP, but are still having their access blocked. But that is another issue...

So with that said, ANY Windows device can log into the SSID provided that they have credentials that are authenticated to the RADIUS server. We don't want just any Windows device to log in, we just want our CID devices to be able to log in. The easy solution would be MAC filtering where we would create filters with the MAC addresses of our CID devices and set the filter to "Permit". The issue with that is MAC filtering isn't secure and someone could sniff the packets and spoof a MAC address.

Does AeroHive provide an alternative that would allow us to restrict wifi access to CID devices ONLY and DOES NOT use MAC filtering?
Rick

Posted 3 years ago

Nick Lowe, Official Rep
Hi Rick,

This is best solved by using machine/computer authentication via EAP-PEAP with an inner-EAP of EAP-TLS on Windows domain joined machines against a WPA2-Enterprise/802.1X SSID.

That facilitates client X.509 certificates being used.

Use client certificate auto-enrolment, configured via Group Policy, to deploy certificates and ensure that the private key for the certificate is marked/set so that it cannot be exported.

You would use the Certificate Services Role in Windows Server to achieve all this.
(If you are setting this up from scratch, choose SHA-256 not SHA-1 as the hash algorithm. You would also want to use 2048-bit RSA.)

There's documentation on the Web on how to configure all this. Google is your friend! :)

If you want further protection for the private key, ensure your users do not log on with elevated privileges - that they're not Administrators etc.

If you even want further protection, use full disk encryption via something like BitLocker.

This does mean that users won't log on to the wireless network with their own credentials, but that shouldn't be too much of an issue as they will additionally log on to the machine.

Regards,

Nick
Nick Lowe, Official Rep
I should add:

At the RADIUS server, you'll know what the device is and, more importantly therefore, its membership of other security groups. You can make access control decisions based on this...

Whether to allow it onto the network or not and, if so, into what VLAN the client should go and with what firewall rules (ACLs) applied via the User Profile.
Rick
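As an added example (not from this thread, Aerohive or Windows NPS), here is the access-control decision Nick describes modelled in Python: only EAP-TLS with a certificate from the internal CA and a machine identity is accepted, and the computer account's security-group membership then selects the VLAN and User Profile returned as RFC 3580 tunnel attributes. The directory contents, CA name, VLAN numbers and profile names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory of computer accounts and their AD security groups;
# a real RADIUS server (e.g. NPS) looks these up in Active Directory.
DIRECTORY = {
    "host/LAPTOP-0042.corp.example": {"Domain Computers", "CID-Wireless"},
    "host/KIOSK-07.corp.example": {"Domain Computers"},
}
TRUSTED_ISSUER = "CN=Corp Issuing CA"        # assumed internal CA name
CID_VLAN, CID_PROFILE = 120, "CID-Devices"   # assumed VLAN / User Profile
NULL_VLAN, DENY_PROFILE = 4094, "Deny-All"   # unused VLAN, deny-all rules

@dataclass
class AuthRequest:
    identity: str               # EAP identity, e.g. host/NAME.domain
    eap_method: str             # "EAP-TLS", "EAP-MSCHAPv2", ...
    cert_issuer: Optional[str]  # issuer of the presented client certificate

@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    profile: Optional[str]
    reason: str

def decide(req: AuthRequest) -> Decision:
    """Certificate from our CA, machine identity, then VLAN by group."""
    # Password (user) authentication never gets in: no EAP-TLS, no access.
    if req.eap_method != "EAP-TLS" or req.cert_issuer != TRUSTED_ISSUER:
        return Decision(False, None, None, "client cert from corp CA required")
    # Only machine identities (host/...) are accepted, so a user's password
    # alone, on any Windows device, never grants access.
    if not re.fullmatch(r"host/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", req.identity):
        return Decision(False, None, None, "machine identity required")
    groups = DIRECTORY.get(req.identity)
    if groups is None:
        return Decision(False, None, None, "computer account not in AD")
    if "CID-Wireless" in groups:
        return Decision(True, CID_VLAN, CID_PROFILE, "CID device")
    # Domain-joined but not a CID device: park it on the null VLAN.
    return Decision(True, NULL_VLAN, DENY_PROFILE, "domain member, not CID")

def accept_attributes(d: Decision) -> dict:
    """RFC 3580 tunnel attributes returned in the Access-Accept."""
    if not d.accept:
        return {}
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(d.vlan), "Filter-Id": d.profile}
```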
Thanks! I'll look into it further.
Richard Pilcher
Nick,

Can this work using the RADIUS server on the AP, or does the AD RADIUS server need to be used in order for there to be sufficient information about the user's group memberships to make a User Profile decision to drop them on a valid VLAN or a null VLAN?
Nick Lowe, Official Rep
Yes, you can achieve this using the built-in RADIUS server:
Rob Pritchard
Just going off of our current setup (school district), we use RADIUS authentication and our group policy allows authentication for our Windows domain devices as well as staff being able to authenticate with their username and password, but we don't allow students to authenticate with their usernames and passwords. Our group policy initially didn't block student authentication and one of our high schools ran out of DHCP addresses, so we stopped that so they couldn't use their own devices to get on our network. Students have to use a district provided device. I would think you could do the same thing where you don't allow any user authentication - it would have to be authentication based upon the device name. As long as the device is in Active Directory, then it can authenticate. I'm not an expert, as we have server administrators who handle that end of it; I just administer the wireless side, but that's my understanding of how it works. We don't do anything on the Aerohive side to block student user accounts from authenticating - group policy does it.
Richard Pilcher
I would love to know what attribute you use in Group Policy to control that.
Nick Lowe, Official Rep
Remember that when the subsequent user authentication takes place, there is no cryptographic binding, or indeed any bind, to the previous machine authentication.
Rob Pritchard
This is why I'm not a server guy. :-) It's our RADIUS server that is not allowing students on our network to authenticate with their user accounts, not group policy. Not sure how they have it configured to block the student accounts, but that's what I was told by one of our server engineers.
Rick
Thanks!