Dealing with Apple Watches?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Jan 30 19:27:37 CET 2020



> On Jan 30, 2020, at 9:28 AM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jan 29, 2020, at 1:13 PM, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
>> 
>> Howdy - So I'm not an "Apple Guy". I tolerate them, I support them, but I don't own them. I recently redesigned one of our office networks to split up departments into vlans (something that was on my list for a long time and desperately needed), and after some labbing, rolled it out last week. I intentionally kept the wifi out of the main distribution loop because I needed to really find out what levels of security the staff would permit. While I would love to enforce full EAP-TLS (or TTLS) some of that is difficult with transient workers, staff, and of course some devices that don't support certificates. So to wrangle this, I created a dedicated subnet (a little /27) and made it wpa2-psk. Simple test just to keep the bare minimum going. Except after giving two people the pwd, I ran out of scope. This seemed odd, how could two people eat up some 28-odd ip addresses? First thought, they blabbed. Turns out they did tell "only a couple of other people" - which is exactly what I needed to find out in this test - a psk is useless security in the workplace. That still didn't account for everything. So I cleared out all the ip bindings and watched as all the clients re-acquired ip addresses. 28 gone in a heartbeat. There weren't 28 people in the building. Half of these folks were "very-Apple-people". That means iMac, Mac-top, ipad, watch, phone, backup watch, backup phone..... and they all of course (in hindsight it's obvious) use their devices in "Default" mode which means accepting all of Apple's recommendations without reading them. After clearing the scope and changing the password, I went and worked with one user directly, typed in the credential myself on her laptop. While I was holding her phone, I got interrupted, and when my attention went back to the phone, I saw that it had already connected - how did it get the new key? 
>> I'm sure at this moment there are 50 admins talking to the screen saying "oh, all Apple users can set their devices to share and automatically connect as a convenience" - an item that I was not aware of prior. I took the test a step further and was able to observe that another user has credentials automatically pop up to his icloud account, wherein his ENTIRE FAMILY gets the credential.
> 
>  I don't think it's shared automatically.  But it is shared to known contacts who are close by.


There are two ways a PSK can be shared between Apple devices.  Either using the credential distribution Alan described, where a notification bubble is shown on the device with the PSK asking to share the password with other known contacts close by, or between all devices sharing the same iCloud account.  In the case of iCloud, all keychain entries (Apple's credential store) are automatically synced between devices signed in using the same iCloud credentials.

It may be that it also works automatically with all devices in the same iCloud family; I can see that being a distinct possibility.

>> Not good. Definitely not good.
>> 
>> I'm sure this is happening in school campus scenarios where staff and students eat up scope from devices that shouldn't ever be permitted on a particular network, and since folks like the convenience, they sync their phones to their dtops, and no group policy is going to get in the way of that.
>> 
>> Does anyone have a workable solution to controlling this above? Is it "some auth" + Mac Auth? Or is it "give up on control and just make huge networks so there's enough scope"?
> 
>  MAC Auth is the way to prevent this automatic sharing.  The WiFi controller should be configured to send RADIUS Mac auth requests.  Which will help a lot in controlling this behaviour.
> 
>  Or, stop using PSK, and switch to 802.1X.

Yeah, AFAIK 802.1X profiles aren't shared, even if the credentials might be.  In that case the other Apple devices won't automatically connect to the WiFi network.

-Arran
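For readers wanting to try the RADIUS MAC-auth approach Alan mentions, here is an added FreeRADIUS 3.x configuration sketch (example written for this page, not code from the thread or from the project's stock raddb). It assumes the controller sends MAC-auth requests with the client MAC in Calling-Station-Id, that the `files` instance name `authorized_macs` and its file path are yours to choose, and that the MAC values shown are made-up samples.

```unlang
# mods-available/authorized_macs -- a second instance of the stock "files"
# module, keyed on the client MAC instead of User-Name.  Instance name and
# file path are this example's choice, not part of the default raddb.
files authorized_macs {
        key = "%{Calling-Station-Id}"
        filename = ${modconfdir}/authorized_macs
}

# mods-config/authorized_macs -- one entry per device allowed on the PSK
# VLAN.  Entries must use the upper-case, dash-separated form that the
# stock rewrite_calling_station_id policy produces.  Sample MACs, made up.
00-11-22-33-44-55
        Reply-Message = "Known device, staff laptop"
AA-BB-CC-DD-EE-01
        Reply-Message = "Known device, staff phone"

# sites-available/mac-auth -- virtual server the controller's MAC-auth
# requests are routed to.  Anything not in the allow-list is rejected
# before any password handling, so a shared PSK alone no longer suffices.
server mac-auth {
        authorize {
                preprocess
                # Normalise whatever MAC format the AP sent (colons, dots,
                # lower case) to AA-BB-CC-DD-EE-FF; stock policy.d policy.
                rewrite_calling_station_id
                authorized_macs
                if (!ok) {
                        # Unknown MAC: reject, and log which one for later review.
                        update reply {
                                Reply-Message := "Unknown device %{Calling-Station-Id}"
                        }
                        reject
                }
                else {
                        # Known MAC: skip password checks, accept directly.
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
        authenticate {
                Auth-Type Accept {
                        ok
                }
        }
}
```

Keep in mind this only stops devices that arrived by key-sharing, not a user who knows the PSK and copies a permitted MAC; 802.1X, as Alan says, removes the shared secret altogether.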
