Restricting users to AD domain computers
Hi, I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users wifi access to only the machines that are joined to the Windows domain, and not phones, ipads, etc, and do this in a reasonably secure fashion. There are a couple of hundred laptops involved, so I'd like to avoid having to do much in the way of client-side configuration, but I suspect that client certificates may be the only answer. I've been searching for a number of weeks, and I haven't found any other real solution. Thanks in advance, Bryce
On 11/10/12 11:03, Bryce Mackintosh wrote:
Hi,
I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users wifi access to only the machines that are joined to the Windows domain, and not phones, ipads, etc, and do this in a reasonably secure fashion.
Can you be more specific here? Do you want to authenticate *first* the computer and *then* the user via 802.1x? If so, that could be tricky - Windows doesn't support >1 auth inside the PEAP tunnel.
There are a couple of hundred laptops involved, so I'd like to avoid having to do much in the way of client-side configuration, but I suspect that client certificates may be the only answer.
How do you think they may be "the answer"? IIRC you can't use client certs with PEAP in windows.
On 11 October 2012 11:45, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 11/10/12 11:03, Bryce Mackintosh wrote:
Hi,
I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users wifi access to only the machines that are joined to the Windows domain, and not phones, ipads, etc, and do this in a reasonably secure fashion.
Can you be more specific here?
Do you want to authenticate *first* the computer and *then* the user via 802.1x? If so, that could be tricky - Windows doesn't support >1 auth inside the PEAP tunnel.
In the ideal world it would be nice to authenticate both the machine and the user, but it does seem you can only do one or the other. We've considered filtering by MAC address, but that would be an admin headache, plus they can be easily spoofed. Could also filter by hostname, but then again that's easy to spoof. Okay, ignoring how I currently have things setup, how would other people go about controlling the users and devices on a wifi network by means of 802.1x, freeradius using AD for authentication and Win XP Pro SP3 clients. I'd have thought that this was a fairly common requirement in the enterprise world, so I'm surprised there's not an obvious solution, or am I missing something? At the moment it looks like we'll have to abandon 802.1x and go back to WPA2-PSK.
There are a couple of hundred laptops involved, so I'd like to avoid having to do much in the way of client-side configuration, but I suspect that client certificates may be the only answer.
How do you think they may be "the answer"? IIRC you can't use client certs with PEAP in windows.
Doh! I'd forgotten that!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 11/10/12 12:55, Bryce Mackintosh wrote:
Okay, ignoring how I currently have things setup, how would other people go about controlling the users and devices on a wifi network by means of 802.1x, freeradius using AD for authentication and Win XP Pro SP3
We don't bother. It's not obvious why "controlling the devices" is useful.
clients. I'd have thought that this was a fairly common requirement in the enterprise world, so I'm surprised there's not an obvious solution, or am I missing something? At the moment it looks like we'll have to abandon 802.1x and go back to WPA2-PSK.
Eh? How does *that* help? If you really want to do this, then: 1. Use machine auth for 802.1x 2. Use policies *on* the machines to control the users
On 11 October 2012 14:48, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 11/10/12 12:55, Bryce Mackintosh wrote:
Okay, ignoring how I currently have things setup, how would other people go about controlling the users and devices on a wifi network by means of 802.1x, freeradius using AD for authentication and Win XP Pro SP3
We don't bother. It's not obvious why "controlling the devices" is useful.
IT policy here requires that there's no unapproved/unsupported devices on our network. With the current test PEAP-TLS configuration anyone could use their AD account to connect any device to the wifi network, rather than just the laptops they've been issued.
clients. I'd have thought that this was a fairly common requirement in
the enterprise world, so I'm surprised there's not an obvious solution, or am I missing something? At the moment it looks like we'll have to abandon 802.1x and go back to WPA2-PSK.
Eh? How does *that* help?
It's what we have currently in production, and only IT know the key, so we can at the moment control what gets on our wifi network - at least at my site
If you really want to do this, then:
1. Use machine auth for 802.1x 2. Use policies *on* the machines to control the users
Management currently (they didn't initially) consider machine auth more important than user auth for access to the new wifi network. As I can only have one or the other via 802.1x, I'll focus on getting the machine auth working and go from there. -- Bryce
Bryce Mackintosh wrote:
I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users wifi access to only the machines that are joined to the Windows domain, and not phones, ipads, etc, and do this in a reasonably secure fashion.
That's not how EAP works. If they authenticate, they're authenticated.
There are a couple of hundred laptops involved, so I'd like to avoid having to do much in the way of client-side configuration, but I suspect that client certificates may be the only answer. I've been searching for a number of weeks, and I haven't found any other real solution.
Whitelist the good devices, and disallow anything else. Alan DeKok.
participants (3)
-
Alan DeKok -
Bryce Mackintosh -
Phil Mayers