Differentiate between BYOD and corporate devices - looking for some input
Hi I've been thinking about how FreeRADIUS would need to be configured to differentiate between authentication requests from BYOD devices and corporate (typically Windows Domain members) and i.e. put them in different VLANs. I've tried to find things that might be used as differentiators when i.e using PEAP-MSCHAPv2: Windows Domain member using PEAP-MSCHAPv2 send requests differently not having any domain part. Hosts authenticating use host/<hostname>$ formats for their username they send... IMO not really a reliable way to differentiate them in my opinion, an end user device could imitate that as well. The thing I currently see, is Calling-Station-Id being sent to FreeRADIUS where one could detect if a device is corporate-owned and thus i.e. an SQL database could be queried to check if the device figures in the known corporate devices DB. But then again we all know how easily MAC-addresses can be faked. Is there something else I'm likely missing here? Do some of you use different EAP methods like i.e. EAP-TLS for corporate devices while a password-based method is used for personal devices. Ideally if a certificate was given out for each corporate device and user as well as per BYOD device, well then it would be easy to identify things... But that's requiring a whole CA and issuing infrastructure while trying to keep onboarding personal devices as simple as possible for users. I don't have a urgent need for it right now but I have tried to get an idea on that topic yet haven't found a satisfying path (and without working every day with FreeRADIUS that is). Maybe someone is willing to share his or her experiences? -- Mathieu
On Fri, Jul 01, 2016 at 04:46:50PM +0200, Mathieu Simon (Lists) wrote:
Do some of you use different EAP methods like i.e. EAP-TLS for corporate devices while a password-based method is used for personal devices. Ideally if a certificate was given out for each corporate device and user as well as per BYOD device, well then it would be easy to identify things...
Yes.
But that's requiring a whole CA and issuing infrastructure while trying to keep onboarding personal devices as simple as possible for users.
Yes.
I don't have a urgent need for it right now but I have tried to get an idea on that topic yet haven't found a satisfying path (and without working every day with FreeRADIUS that is). Maybe someone is willing to share his or her experiences?
Currently, EAP-TLS for laptops on the managed service, PEAP/TTLS MSCHAP stuff or user devices. They currently connect to different SSIDs, which also helps - but that wouldn't be hard to change. e.g. User-Name matches host/..., do EAP-TLS and make sure we issued the cert. Otherwise, if User-Name matches /@/, treat as user. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matthew Am 01.07.2016 um 16:59 schrieb Matthew Newton:
[...] Ideally if a certificate was given out for each corporate device and user as well as per BYOD device, well then it would be easy to identify things...
Yes. Alas, since properly building a PK infrastructure requires doing lots of things properly from start on SME IT I've met so far try to avoid doing that as much as possible.
But that's requiring a whole CA and issuing infrastructure while trying to keep onboarding personal devices as simple as possible for users.
Yes. For which I haven't yet found the magic bullet. I agree though that at least on the Windows side of clients one could make use of auto-enrollment through GPO and push config profiles through GPO (the later is what I'm doing).
But I have many devices not being used for a couple of months where they couldn't renew if the client cert in timely manner automatically. (And if Windows would even present itself with an expired certificate since it already is quite picky... is another topic.) [...]
Currently, EAP-TLS for laptops on the managed service, PEAP/TTLS MSCHAP stuff or user devices.
Ah, ok so at least I wasn't that far off with my guess. Thanks for sharing this.
They currently connect to different SSIDs, which also helps - but that wouldn't be hard to change. So I guess that on the corporate device SSID you'd only accept EAP-TLS whereas on the other it's only PEAP/TTLS MSCHAP alikes minus EAP-TLS?
I'd imagine this by either 2 virtual server instances or an unlang statement checking the SSID the request comes from - right?
e.g.
User-Name matches host/..., do EAP-TLS and make sure we issued the cert.
OK, that's a point. I imagine that at some point one really has to think about EAP-TLS in an environment with company-owned devices. I absolutely see the point of EAP-TLS, if properly implemented, it's likely the most robust and secure method of any EAP methods.
Otherwise, if User-Name matches /@/, treat as user. I get the idea.
After reading, all points towards EAP-TLS in the end + a couple of additions to check things to make up the whole concept. Again, thanks. -- Mathieu
participants (2)
-
Mathieu Simon (Lists) -
Matthew Newton