Unauthorized Apple iPODs and MAC notebooks connect to my wireless network

  • Question

  • I need to prevent Apple iPODs and Mac Notebooks from connecting to my wireless network.  Currently I have Server 2003 IAS Server and Enterprise Certificate Services installed and configured on my network.  Clients authenticate using domain account usernames and passwords.  Machine Certificates are installed on every domain client notebook using a GPO. These policies worked great for XP Pro and Vista Business clients.  I have noticed however that Apple iTouch devices and Apple notebooks can connect to my wireless network if the owner has a valid domain username and password.   How are these client machines negotiating a certificate?
    I need to lock this down. I am sure this must be a common issue....
    My Cisco Access Points are 1100 and 1200 APs.  They are clients of the IAS server.
    Thanks
    ibjean325
    Wednesday, October 21, 2009 7:36 PM

Answers

  • I am also seeing this issue.  I have been pulling my hair out for a while trying to figure out something that is granular enough to deny the iPhones, iPod Touches, and Apple laptops that are owned by individuals but allow the devices that are owned and maintained by my institution.

    The only thing I have found so far is to set up rules to deny specific clients based on their hardware address.  This is a huge pain, and very time consuming, if I didn't need to worry about any Apple products connecting to my wireless network I would just set up a rule or rules to deny all Apple registered hardware address.  You can find this list here.

    http://standards.ieee.org/regauth/oui/index.shtml

    Under NAP you really just have to make sure the rule is set to "Deny".  Then under the "Conditions" tab I have 3 conditions set up.
    1. "NAS Port Type" is set to "Wireless - IEEE 802.11 OR Wireless - Other"
    2. "Calling Station ID" is set to the offending Apple hardware addresses separated by a "|" pipe.  If you want to get all of Apple's registered hardware addresses you will need to make about 3 rules with the same conditions, with just the "Calling Station ID" condition different for each rule, because they won't all fit in one rule with NAP (they will with IAS).  You can also put in wild cards for the hardware addresses.  So for example if I just have 2 devices that I want to deny it would look like this "00:26:08:17:1E:2C|04:1e:64:e5:28:70".  If I wanted to deny all devices with a hardware address starting with Apple's registered hardware addresses I would put wild cards in for the 2nd half of the hardware addresses like this "00:26:08:*:*:*".  They would still need to be separated with pipes though.
    3. I don't know if other wireless systems can do this or not, but I have a Siemens wireless system (funny jokes aside) and it will send a "NAS Identifier".  I have my wireless controller set to send this to the NAP server and it can be whatever you want; I just have it set to be my SSIDs.  You just have to have it the same in both places, wireless controller and NAP server.  I have a couple of different wireless networks that I don't want these devices to have access to so mine looks like this.
    "NAS Identifier" is set to "WiFi_CO|FacutlyStaff".  This is useful because I do have a guest wireless network set up that these devices are allowed to access.

    These rules have to be put in the list BEFORE your rules that allow the people to authenticate, otherwise they never get evaluated.

    It would be great to have a "Windows Security Health Validator" client for Mac OS 10.x, but I haven't found anything yet.  I am interested to try changing the certs like Matt suggested in the previous post, we have our own MS CA here in our domain, because my fix is a low tech pain like I said before.

    --------------------------------------------
    “Make the lie big, make it simple, keep saying it, and eventually they will believe it”
    -Adolf Hitler (the man was pure evil, but he seemed to be right about some things)

    Wednesday, February 24, 2010 4:40 PM
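As an added illustration (not code from any poster, and not how NPS/IAS is implemented internally), here is a small Python model of the deny-first policy list described in the answer above: each policy is a set of RADIUS attribute conditions, a condition is a pipe-separated list of alternatives with "*" wildcards, and the first policy whose conditions all match decides the outcome. The attribute names follow the standard RADIUS spelling; the "Guest" NAS-Identifier and all MAC addresses are constructed sample values.

```python
from fnmatch import fnmatchcase

# Constructed policies modelled on the conditions in the post above.
# The "Guest" SSID in the sample requests below is an assumption.
DENY_APPLE = {
    "name": "Deny personal Apple devices",
    "action": "Deny",
    "conditions": {
        "NAS-Port-Type": "Wireless - IEEE 802.11|Wireless - Other",
        "Calling-Station-Id": "00:26:08:*:*:*|04:1e:64:e5:28:70",
        "NAS-Identifier": "WiFi_CO|FacutlyStaff",
    },
}
ALLOW_WIRELESS = {
    "name": "Allow authenticated wireless users",
    "action": "Grant",
    "conditions": {"NAS-Port-Type": "Wireless - IEEE 802.11|Wireless - Other"},
}

def normalise(value):
    # Access points report MAC addresses in mixed case and with '-' or ':'
    # separators; fold both sides of every comparison to one spelling.
    return value.strip().lower().replace("-", ":")

def condition_matches(pattern, value):
    """A condition is '|'-separated alternatives; each may use '*' wildcards."""
    return any(fnmatchcase(normalise(value), normalise(alt))
               for alt in pattern.split("|"))

def evaluate(request, policies):
    """Walk the policy list in order and return (policy name, action) of the
    first policy whose conditions all match; (None, 'Deny') if none do."""
    for policy in policies:
        if all(attr in request and condition_matches(pat, request[attr])
               for attr, pat in policy["conditions"].items()):
            return policy["name"], policy["action"]
    return None, "Deny"

# Constructed Access-Request attributes as a RADIUS client would forward them.
IPHONE_ON_STAFF = {"NAS-Port-Type": "Wireless - IEEE 802.11",
                   "Calling-Station-Id": "00-26-08-AB-CD-EF",
                   "NAS-Identifier": "FacutlyStaff"}
IPHONE_ON_GUEST = dict(IPHONE_ON_STAFF, **{"NAS-Identifier": "Guest"})
DOMAIN_LAPTOP = dict(IPHONE_ON_STAFF, **{"Calling-Station-Id": "00:1a:2b:3c:4d:5e"})

if __name__ == "__main__":
    for req in (IPHONE_ON_STAFF, IPHONE_ON_GUEST, DOMAIN_LAPTOP):
        print(req["Calling-Station-Id"], req["NAS-Identifier"], evaluate(req, [DENY_APPLE, ALLOW_WIRELESS]))
    # Same iPhone request with the deny rule listed second: it is never reached.
    print("deny rule listed second:", evaluate(IPHONE_ON_STAFF, [ALLOW_WIRELESS, DENY_APPLE]))
```

The last call shows the ordering point from the post: with the allow policy first, the Apple device is granted access and the deny policy is never evaluated.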
  • Other than switching to TLS, you can force Windows clients to always use the computer authentication instead of using the user's authentication after login.  Then you can remove the user accounts from authorized users.

    Or ... can't you track down what user accounts are being used to put the rogue devices on the network and reprimand the offending users?
    Thursday, February 25, 2010 1:42 AM

All replies

  • What authentication methods do you have configured? Are you allowing EAP-MSCHAPv2 which is password based?
    Thursday, October 22, 2009 1:21 AM
  • I am having the same issue. Now that Apple 2.0 supports 802.1x authentication, I need a way to prevent non-domain devices (mainly iPods and iPhones) from connecting to our wireless network. We are using PEAP with IAS and MS-CHAP v2. It sounds like ibjean325 is using a similar setup. We are using remote access policies to 1) check that the device is part of our wireless security group and 2) check that the user is part of our domain wireless users group. We also are using a self signed certificate that gets pushed out with group policy. This solution was previously working great, however now we are having instances where our domain users are just using their credentials to authenticate to our wireless network and downloading the certificate onto their iPhones and iPods which is granting them access. Please, any help would be greatly appreciated!
    Tuesday, November 24, 2009 11:33 PM
  • I too am experiencing the same issues, and further research on the subject has yielded few results. We actually had a consultant tell us that it is not possible.

    I find this hard to believe. Have any of you found out anything more?

    Thanks!
    Tuesday, December 15, 2009 2:55 PM
  • I am also having this issue rise up and be noticed. I have worked inside the Radius server to try and restrict the Apple devices from authenticating, but I have found that they use EAP as the authentication Protocol, and the Windows machines need it also. I have pretty much the same needs as the others mention, my DHCP server is showing a bunch of these devices, and I am running out of valid addresses to use.
    • Proposed as answer by That__Guy Wednesday, February 24, 2010 3:55 PM
    Friday, February 19, 2010 8:50 PM
  • Hmm, regarding the certificates installed on the client machines, do they have their private keys marked as non-exportable? Perhaps this could prevent users from exporting the certificates to their iPhones or other machines/devices.

    Also, bman226, you mention using self signed certificates. I'm afraid you'll need to have a full PKI and have properly issued certificates from a mutually trusted CA. I'm guessing you are pushing down self signed certificates to your client's trusted root and using this same certificate on the NPS server? This has the effect of the NPS server making a self endorsed claim that it is in fact the NPS server; not a very trustworthy claim. The only self signed certificate should be the root CA's with every other certificate ultimately chained to it.


    Ensure you aren't using EAP-MSCHAPv2 or PEAP-MSCHAPv2 and only use PEAP-TLS. While PEAP-MSCHAPv2 and PEAP-TLS both use certificates for Server authentication, only PEAP-TLS uses certificates for both Server and Client authentication; PEAP-MSCHAPv2 still uses user/pass credentials for Client authentication. This is why the iPhone users can just install the root CA certificate as a trusted cert and use their credentials to authenticate with PEAP-MSCHAPv2.

    Configure your domain for auto-enrollment of certificates. If you enable web-enrollment for your CA, your users might still be able to obtain a client certificate to install on their rogue device.

    Read here for more: http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx


    Also, although we are talking about authentication here, the real issue is authorization. Ideally, we would want iPhones and other gadgets to authenticate as an iPhone or other gadget and then hit policies configured to deny those devices access.


    This TechNet forum post is provided "AS IS" with no warranties, and confers no rights. This entry reflects my own personal views and does not necessarily reflect the view of my employer.
    Wednesday, February 24, 2010 12:56 AM
  • Matt this is a really good post - you're exactly where I am with this - I have customers reverting to user-only authentication and relying upon non-exportable certificates to protect the network from potentially harmful computers.

    The issue I see is that NPS Network Access Policies cannot check that both the computer and user accounts are part of the correct security groups concurrently (at the same time).  I have only been able to get this working as an "or" statement - so either cert will do.

    I think we're all looking to find out if NPS can use a NAP to prevent users with valid credentials/cert getting onto the network without computer authentication as a prerequisite?   

    Cisco ACS offers the Machine Access Restrictions feature which performs this check, however this does introduce issues with part-reauthentication after a lengthy period of standby - and in a WLAN controller or RADIUS failover scenario... that's another story

    Thursday, September 2, 2010 3:59 PM
  • What about using UNETSHA to extend for apple devices?

    http://unet.co.kr/nap/index.html

    Curious...because I'm at a customer and I'm thinking about looking into this product.

    Thursday, October 14, 2010 4:58 PM