Wireless enterprise auth, keeping devices off without MAC Auth

bigstusexy

Thought I'd ask you guys while I'm thinking.

We use NPS at work to do authentication for wireless, and I'm about to redo the entire network, so I decided to change lots of things. Right now we authenticate the device or the user ID; once someone logs in, the user ID takes over. This is great as it provides a way of SSO with our web filter. The problem is that we have only one network and students have figured out how to get their devices on the network. I want to block them, but I don't want to go to MAC authentication.

I'm going to have several SSIDs in the new layout, but the one where students will be allowed will need to only allow them on domain devices; on all the other ones I can simply deny their account access. Any ideas? The access points are going to be Aruba IAPs in the 300 series, I believe. I think we're supposed to get a controller too, but I don't have that info (I laugh as I'm doing the logical work now and I'm physically starting on this in a week or two).
 
I would recommend using EAP-TLS authentication for the wireless network. This will require some PKI work, but I feel it's the best way to handle this use-case. Users will authenticate to the network using a certificate - you can either do a computer or a user certificate, generally people use a user cert. This way on the Student Domain Wireless, they will need a certificate provided by Group Policy in order to authenticate to the network.

I found the following information, but it's about 3 years old. I would recommend reaching out to your Aruba people to find out if they have a more up-to-date setup guide.

http://community.arubanetworks.com/...1x-Authentication-and-integration/ta-p/204437
 
Thanks, I was looking for this, but my searches were all turning up the way we do it with only server-side certs. Either that or everything started with "on your controller" and all we had was the Instant controller.
 
Additionally, with AAA in place, your web filter should integrate with your current AAA server and still get a seamless browsing experience. I have about 3 years of web filter expertise specifically around education... If you don't mind me asking, what product are you using? Public, private, or higher education?
 
Public, and we are currently Bloxx; don't bother, they are terrible. They used to be good, but then they were bought out by Akamai and it's not going smoothly.
The good thing is that I had outlined a procedure and they were already working on it. They have two tools, an NPS log reader and a DHCP log reader; they combine the info and send it off to build a table of who is on what device. Before, we were sending accounting information to the device, which was working around 80% of the time.

We're looking into other options and ending our time with them early, now that we've heard about a new product line and they've discontinued the current one. I think we might go with Securely.
 
Public, and we are currently Bloxx; don't bother, they are terrible. They used to be good, but then they were bought out by Akamai and it's not going smoothly.
The good thing is that I had outlined a procedure and they were already working on it. They have two tools, an NPS log reader and a DHCP log reader; they combine the info and send it off to build a table of who is on what device. Before, we were sending accounting information to the device, which was working around 80% of the time.

I'm familiar with Bloxx. I'm willing to bet they have you configure it as RADIUS accounting and require you to send Framed-IP from the AAA server.

We're looking into other options and ending our time with them early, now that we've heard about a new product line and they've discontinued the current one. I think we might go with Securely.

Send me a PM...
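The "NPS log reader plus DHCP log reader" approach above is, at its core, a join of RADIUS accounting records with DHCP leases on the client MAC address. The script below is an added example (not Bloxx's tooling or anything posted in this thread) that shows that join on constructed, simplified records; the line formats, domain name, user names, MACs and IPs are all made up for the example and are not the real NPS IAS/DTS or DHCP server log formats.

```python
"""Correlate RADIUS accounting records with DHCP leases to map IPs to users.

Added example, not the thread's or Bloxx's code. Inputs are constructed,
simplified records: accounting lines carry Acct-Status-Type, User-Name and
Calling-Station-Id (the client MAC); DHCP lines carry a leased IP and MAC.
The client MAC is the join key between the two sources.
"""
import re

# Constructed sample: accounting records as a RADIUS server might log them.
ACCT_LOG = """\
2016-08-01 08:01:10 Acct-Status-Type=Start User-Name=DISTRICT\\jsmith Calling-Station-Id=00-11-22-33-44-55
2016-08-01 08:02:30 Acct-Status-Type=Start User-Name=host/lab-pc07.district.local Calling-Station-Id=AA-BB-CC-DD-EE-01
2016-08-01 08:05:00 Acct-Status-Type=Start User-Name=DISTRICT\\mjones Calling-Station-Id=AA-BB-CC-DD-EE-01
2016-08-01 12:00:00 Acct-Status-Type=Stop User-Name=DISTRICT\\jsmith Calling-Station-Id=00-11-22-33-44-55
"""

# Constructed sample: DHCP lease events keyed by client MAC.
DHCP_LOG = """\
2016-08-01 08:01:12 lease 10.20.5.17 mac 00:11:22:33:44:55
2016-08-01 08:02:31 lease 10.20.5.42 mac aa:bb:cc:dd:ee:01
"""

ACCT_RE = re.compile(r"Acct-Status-Type=(\w+) User-Name=(\S+) Calling-Station-Id=(\S+)")
DHCP_RE = re.compile(r"lease (\S+) mac (\S+)")


def norm_mac(mac):
    """Normalise a MAC to lowercase colon-separated form so both logs agree."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(text):
    """Return {mac: ip} for the most recent lease seen per MAC."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases[norm_mac(m.group(2))] = m.group(1)
    return leases


def build_user_table(acct_text, dhcp_text):
    """Return {ip: user} for sessions that are still active.

    A Start record binds the session's identity to the MAC; a Stop record
    clears it. A user Start after a machine ('host/...') Start on the same
    MAC replaces the machine identity, which is the "user ID takes over"
    behaviour the original post describes.
    """
    leases = parse_dhcp(dhcp_text)
    active = {}  # mac -> current identity
    for line in acct_text.splitlines():
        m = ACCT_RE.search(line)
        if not m:
            continue
        status, user, mac = m.group(1), m.group(2), norm_mac(m.group(3))
        if status == "Start":
            active[mac] = user
        elif status == "Stop":
            active.pop(mac, None)
    table = {}
    for mac, user in active.items():
        ip = leases.get(mac)
        if ip is None:
            continue  # no lease observed for this MAC: traffic can't be attributed yet
        table[ip] = user
    return table


if __name__ == "__main__":
    for ip, user in sorted(build_user_table(ACCT_LOG, DHCP_LOG).items()):
        print(ip, user)
```

The gap a practitioner should watch for is the `ip is None` branch: a client whose accounting Start arrives before its DHCP lease is logged (or that uses a static address) has no row, which is one reason accounting-only integrations tend to attribute only a fraction of sessions.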
 
We were going to go with client certificates to ensure only certain hardware could get on the wifi; however, we didn't want to mess with the PKI hassles. We chose instead to allow machines or machines/users on the network. This works well in our environment where it's all Windows devices. Actually, there are a lot of iPads that I'd like to bring into the fold, but we are only authenticating against AD now. I'm fairly familiar with Clearpass and manage a few thousand Aruba APs and several dozen wireless controllers. I'm not an expert by any means, but I may be able to answer some questions.
 
If I have some, I'll ask. Yeah, I'd like to have client certs; if they could just be a token to check, that would be great, but I'm only starting to look into it. I'm really glad my project got pushed back.
 
We were going to go with client certificates to ensure only certain hardware could get on the wifi; however, we didn't want to mess with the PKI hassles. We chose instead to allow machines or machines/users on the network.

Are you doing this by using MAC addresses, or are you using 802.1X/RADIUS auth for AAA? NPS?
 
I think I've got an even simpler solution while using NPS to do it all.
I didn't set this up; I'm still learning NPS and so on.

The way the conditions on the network policy for the connection were set was:
NAS Port Type: Wireless - Other or Wireless - IEEE 802.11
*Windows Groups: Domain Computers OR Domain Users

That last one is important because all the conditions are OR conditions; this allows machines themselves OR users to authenticate to this one policy and have it be true.
So I added Machine Groups: Domain Computers (the computers have always used certificates to identify themselves). I had to reboot all my current IAPs, but then I could no longer authenticate via my phone, while my laptop came back fine. I'll test the Chromebooks soon too, but I expect them not to work.

This is fine, as I can set multiple policies with an order of evaluation and target specific groups that can authenticate with no machine restriction, e.g. admins, teachers, other employees. That will exclude students, so that profile will fail; this profile will require them to be on district machines. Items like Chromebooks will probably still use a generic login and have their own network, thus going without machine restrictions.

I'm still looking at certificate use and so on. If anyone sees any issues or has any thoughts, let's share!
 
As a side note, you should only need one SSID. With Aruba APs you can easily trunk VLANs, and when you authenticate the user, that will determine what VLAN the user gets put on. What you'd want to do is set it up so that if you meet specific criteria, you put them on a more privileged VLAN. Those Chromebooks aren't likely to be using any internal resources, so after you authenticate the user you just drop them into a catch-all group which only has internet access.
 
As a side note, you should only need one SSID. With Aruba APs you can easily trunk VLANs, and when you authenticate the user, that will determine what VLAN the user gets put on. What you'd want to do is set it up so that if you meet specific criteria, you put them on a more privileged VLAN. Those Chromebooks aren't likely to be using any internal resources, so after you authenticate the user you just drop them into a catch-all group which only has internet access.

This is correct - use AAA to determine which network people belong to. Broadcasting multiple SSIDs only hurts your wireless coverage.
 
Are you doing this by using MAC addresses, or are you using 802.1X/RADIUS auth for AAA? NPS?

802.1X. The Clearpass service is set up to allow access if machine authenticated or machine AND user authenticated. We pushed a wireless profile out via GPO that enables machines to connect automatically, so they connect before logon and machine authenticate.
 
How would I authenticate the user via Chromebooks? Currently they are set by a policy to use an account, and I'm not sure I could even do that for the younger kids, as we have to set them for kiosk. How do multiple SSIDs hurt coverage?
 
How would I authenticate the user via Chromebooks? Currently they are set by a policy to use an account, and I'm not sure I could even do that for the younger kids, as we have to set them for kiosk. How do multiple SSIDs hurt coverage?

Breaking these questions down below for visibility
==========================================


How would I authenticate the user via Chromebooks?

You would use 802.1x and client-based certificates. This would allow users to log into the wireless network with their domain credentials. You are going to want to reach out to your Google Apps support team for help with 802.1x and Kiosk - this can be tricky because I believe Chromebooks require password-protected access for EAP-TLS.

Currently they are set by a policy to use an account and I'm not sure I could even do that for the younger kids as we have to set them for kiosk.

As you know, Kiosk mode doesn't use a Chromebook login. However, it will still require authentication to the wireless network with an 802.1x implementation. Young kids are always tricky because you have to account for the least common denominator not being able to use an account/password auth mechanism... but if you are required to do something about this, then you have to deal with it and address it with your IT Dir/CTO/Superintendent <- this part sucks.

How do multiple SSIDs hurt coverage?

Meraki has a pretty good introductory explanation on this - https://documentation.meraki.com/MR...Considerations#Consequences_of_Multiple_SSIDs

More information here:

http://community.arubanetworks.com/...ultiple-SSIDs-on-Wi-Fi-Performance/ta-p/25374

A single access point is essentially an Ethernet bridge. It is a single collision domain.

The big concern is on the 2.4 GHz band - there are only three channels within the 2.4 GHz band that don't overlap: 1, 6, and 11.

[Image: 2.4.png]


Multiple SSIDs act as if they are separate APs. Additionally, multiple SSIDs cause all of the overhead necessary to maintain a single SSID, but repeated from within the same AP. The more management overhead you have on an AP, the less efficient your RF is.

You can also read about BSSID - https://arubanetworkskb.secure.forc...ed-from-the-Access-Point-ethernet-MAC-address

Since you have NPS acting as your AAA server, you can use dynamic VLAN assignments, but only need to broadcast a single SSID for internal traffic, and possibly a second SSID for guest traffic. AAA will allow students to be placed in a specific VLAN when they auth, and faculty in another.
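The policy-ordering discussion earlier in the thread (Windows Groups "Domain Computers OR Domain Users" versus an added Machine Groups condition, with a staff policy evaluated first) and the dynamic-VLAN point just above can be captured in one small model. The script below is an added example, not NPS code and not anything posted in this thread: it is a simplified simulation of NPS network-policy evaluation in which policies are tried in processing order and the first full match wins, membership in any group listed in a single Windows Groups condition satisfies that condition, and a Machine Groups condition requires a machine identity in one of its groups. The policy names, group names and VLAN IDs are constructed; the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes are the standard RADIUS attributes used for VLAN assignment.

```python
"""Simplified model of NPS network-policy evaluation for a wireless request.

Added example, not NPS's own logic. Assumptions (simplified from how NPS
behaves): policies are evaluated in processing order and the first policy
whose conditions all match decides; a 'Windows Groups' condition is satisfied
by membership in ANY listed group, checked against whichever account
authenticated; a 'Machine Groups' condition needs the computer account to be
in a listed group. Group names and VLAN IDs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WIRELESS = frozenset({"Wireless - Other", "Wireless - IEEE 802.11"})


@dataclass
class Request:
    nas_port_type: str
    # Groups of the user account (empty when only the machine authenticated).
    user_groups: frozenset = frozenset()
    # Groups of the computer account (empty for a phone or other non-domain device).
    machine_groups: frozenset = frozenset()

    def identity_groups(self) -> frozenset:
        """Windows Groups is checked against whichever identity authenticated."""
        return self.user_groups | self.machine_groups


@dataclass
class Policy:
    name: str
    nas_port_types: frozenset
    windows_groups: frozenset = frozenset()   # OR within the condition
    machine_groups: frozenset = frozenset()   # requires a machine identity
    vlan: Optional[str] = None                # VLAN to return on match

    def matches(self, req: Request) -> bool:
        """All configured conditions must hold (conditions AND together)."""
        if req.nas_port_type not in self.nas_port_types:
            return False
        if self.windows_groups and not (self.windows_groups & req.identity_groups()):
            return False
        if self.machine_groups and not (self.machine_groups & req.machine_groups):
            return False
        return True


# Constructed policies in processing order: staff first, then the
# student policy that requires a district machine, as the thread describes.
POLICIES: List[Policy] = [
    Policy("Staff any device", WIRELESS,
           windows_groups=frozenset({"Staff"}), vlan="20"),
    Policy("Students on district machines", WIRELESS,
           windows_groups=frozenset({"Students", "Domain Computers"}),
           machine_groups=frozenset({"Domain Computers"}), vlan="30"),
]


def evaluate(req: Request, policies: List[Policy] = POLICIES) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (matched policy name, reply attributes); (None, {}) means reject."""
    for policy in policies:
        if policy.matches(req):
            attrs = {
                "Tunnel-Type": "13",             # VLAN
                "Tunnel-Medium-Type": "6",       # IEEE-802
                "Tunnel-Private-Group-ID": policy.vlan,
            }
            return policy.name, attrs
    return None, {}   # no policy matched: NPS rejects the request


if __name__ == "__main__":
    cases = {
        "teacher on personal phone": Request("Wireless - IEEE 802.11", user_groups=frozenset({"Staff"})),
        "student on personal phone": Request("Wireless - IEEE 802.11", user_groups=frozenset({"Students"})),
        "district laptop before logon": Request("Wireless - IEEE 802.11", machine_groups=frozenset({"Domain Computers"})),
        "student logged into district laptop": Request("Wireless - IEEE 802.11",
                                                        user_groups=frozenset({"Students"}),
                                                        machine_groups=frozenset({"Domain Computers"})),
    }
    for label, req in cases.items():
        print(f"{label}: {evaluate(req)}")
```

The student-on-a-phone case is the one to check after any policy change: Windows Groups matches (the account is in Students), but with no machine identity the Machine Groups condition fails, no later policy matches, and the request is rejected, which is exactly the behaviour reported earlier in the thread for a phone versus a domain laptop.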
 
Clearpass can do different authentication methods in the same SSID. If they authenticate via EAP-TLS they can be given the role of whatever your domain PC role is, "authenticated" or "work-pc" or whatever, and if the wireless client authenticates using PEAP (username and password) they can be given a student device role. VLANs can be assigned by role as well.
 