Dealing with Apple Watches?
Ted Hyde (RSI)
thyde at rndstudio.com
Wed Jan 29 19:13:52 CET 2020
Howdy - So I'm not an "Apple Guy". I tolerate them, I support them, but
I don't own them. I recently redesigned one of our office networks to
split up departments into vlans (something that was on my list for a
long time and desperately needed), and after some labbing, rolled it out
last week. I intentionally kept the wifi out of the main distribution
loop because I needed to really find out what levels of security the
staff would permit. While I would love to enforce full EAP-TLS (or TTLS)
some of that is difficult with transient workers, staff, and of course
some devices that don't support certificates. So to wrangle this, I
created a dedicated subnet (a little /27) and made it wpa2-psk. Simple
test just to keep the bare minimum going. Except after giving two people
the pwd, I ran out of scope. This seemed odd, how could two people eat
up some 28-odd ip addresses? First thought, they blabbed. Turns out they
did tell "only a couple of other people" - which is exactly what I
needed to find out in this test - a psk is useless security in the
workplace. That still didn't account for everything. So I cleared out
all the ip bindings and watched as all the clients re-acquired ip
addresses. 28 gone in a heartbeat. There weren't 28 people in the
building. Half of these folks were "very-Apple-people". That means iMac,
Mac-top, ipad, watch, phone, backup watch, backup phone..... and they
all of course (in hindsight it's obvious) use their devices in "Default"
mode which means accepting all of Apple's recommendations without
reading them. After clearing the scope and changing the password, I went
and worked with one user directly, typed in the credential myself on her
laptop. While I was holding her phone, I got interrupted, and when my
attention went back to the phone, I saw that it had already connected -
how did it get the new key? I'm sure at this moment there are 50 admins
talking to the screen saying "oh, all Apple users can set their devices
to share and automatically connect as a convenience" - an item that I
was not aware of prior. I took the test a step further and was able to
observe that another user has credentials automatically pop up to his
icloud account, wherein his ENTIRE FAMILY gets the credential.
Not good. Definitely not good.
I'm sure this is happening in school campus scenarios where staff and
students eat up scope from devices that shouldn't ever be permitted on a
particular network, and since folks like the convenience, they sync
their phones to their dtops, and no group policy is going to get in the
way of that.
Does anyone have a workable solution to controlling this above? Is it
"some auth" + Mac Auth? Or is it "give up on control and just make huge
networks so there's enough scope"?
With decidedly less hair, many thanks,
More information about the Freeradius-Users