Policy for User on specific Computer

  • Question

  • Hi all,

    I want to create a simple rule to determine if a domain user is using a non-domain device (let's call it BYOD - Bring Your Own Device)

    This is a school situation. I have two SSIDs, one for domain devices, one for BYOD devices.
    I have two groups, "Domain users" and "BYOD users" - which both are populated with domain user accounts.

    So far I have implemented PEAP EAP-MSCHAPv2 domain wide. I do have a PKI, but with domain connected Macs that don't auto-enroll for certificates, I have left PEAP-TLS for another day. I am using a Ruckus controller.

    I'd like the following constraints:

    • Domain Computer (pre login) from SSID1 - allow
    • Domain User (in Domain users group), using a Domain Computer, from SSID1 - allow
    • Domain User (in either group), using a foreign device, from SSID1 - deny
    • Domain User (in BYOD group) using a foreign device, from SSID2 - allow

    I do have a Vendor-Specific code for the RADIUS attribute, I assume I can use this to only allow certain SSIDs specific policies (Or can I use Calling Station ID?)

    My aim is: You might have user access on a domain wireless computer, but you may not on your own BYOD.

    Can I achieve this?

    Saturday, October 13, 2012 4:24 AM

Answers

  • Hi,

    I don't think you can achieve this because it sounds like you are trying to do bonded 802.1X authentication.

    There are two phases of 802.1X authentication and unfortunately they are completely independent of each other. You mentioned the first one above which is "pre login" - only machine credentials are exchanged. There is no user information. When a user logs on a new authentication session occurs and there is another attempt to match a policy on the RADIUS server. This new session only has user information.

    If you have a policy with both a computer condition AND a user condition it will never match because neither of the authentication attempts contain BOTH of these sets of credentials.

    Some switch and AP vendors have modifications to 802.1X that try to achieve bonded authentication through MAC address tables and similar methods. I don't have experience with these but I understand they can have problems when (for example) a device awakes from hibernation.

    -Greg

    P.S. It is possible to change the authentication (AuthMode) to machine only and deny non-domain devices. All the BYOD devices would be denied but you could have a guest network for them.

    Saturday, October 13, 2012 7:22 AM
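The following is an added example, not code from the thread and not NPS itself: a small model of first-match network-policy evaluation that reproduces Greg's point. A Windows 802.1X supplicant produces two unrelated RADIUS sessions, one with the computer account ("host/...") at boot and one with the user account at logon, so a policy that carries both a Machine Groups and a User Groups condition can never match, and a user session from a domain PC is indistinguishable from the same user on a foreign laptop apart from Calling-Station-Id (the client MAC). All accounts, group names, MAC addresses and policy names below are constructed; the Called-Station-Id layout "<AP-MAC>:<SSID>" is an assumption about how the controller reports the SSID, so check it against a real Access-Request before relying on it.

```python
"""Added example: model of NPS-style policy matching against the two
independent 802.1X sessions a Windows client produces. Constructed data;
the Called-Station-Id layout "<AP-MAC>:<SSID>" is an assumption."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: identity -> group memberships. Computer accounts
# authenticate with PEAP as "host/<fqdn>", users as "DOMAIN\\user".
DIRECTORY = {
    "host/lab-pc01.school.local": {"Domain Computers"},
    "SCHOOL\\alice": {"Domain Users", "BYOD Users"},
    "SCHOOL\\bob": {"Domain Users"},
}


@dataclass(frozen=True)
class Request:
    """The attributes of one Access-Request that the policies below can see."""
    user_name: str            # User-Name
    called_station_id: str    # "<AP-MAC>:<SSID>" (assumed controller format)
    calling_station_id: str   # client MAC


def ssid_of(req: Request) -> str:
    # Everything after the last ':' of Called-Station-Id (assumed layout).
    return req.called_station_id.rsplit(":", 1)[-1]


def is_machine_auth(req: Request) -> bool:
    return req.user_name.startswith("host/")


@dataclass(frozen=True)
class Policy:
    name: str
    ssid: Optional[str] = None
    machine_group: Optional[str] = None   # "Machine Groups" condition
    user_group: Optional[str] = None      # "User Groups" condition
    grant: bool = True

    def matches(self, req: Request) -> bool:
        if self.ssid is not None and ssid_of(req) != self.ssid:
            return False
        groups = DIRECTORY.get(req.user_name, set())
        # Machine Groups can only be satisfied by the machine-auth session ...
        if self.machine_group is not None and not (
                is_machine_auth(req) and self.machine_group in groups):
            return False
        # ... and User Groups only by the user-auth session. No single
        # request carries both identities, so a policy with both is dead.
        if self.user_group is not None and not (
                not is_machine_auth(req) and self.user_group in groups):
            return False
        return True


def evaluate(policies, req: Request):
    """First-match evaluation; the server rejects when nothing matches."""
    for p in policies:
        if p.matches(req):
            return p.name, p.grant
    return None, False


def is_unreachable(policy: Policy) -> bool:
    """True for the 'bonded' policy shape that no session can ever satisfy."""
    return policy.machine_group is not None and policy.user_group is not None


POLICIES = [
    Policy("SSID1 domain computers", ssid="SSID1",
           machine_group="Domain Computers"),
    Policy("SSID1 domain users on domain computers", ssid="SSID1",
           machine_group="Domain Computers", user_group="Domain Users"),
    Policy("SSID2 BYOD users", ssid="SSID2", user_group="BYOD Users"),
]

AP = "00-11-22-33-44-55"          # constructed AP MAC
DOMAIN_PC = "AA-BB-CC-00-00-01"   # constructed client MACs
BYOD_LAPTOP = "AA-BB-CC-00-00-02"

# Session 1: the domain PC authenticates at boot (computer account only).
BOOT = Request("host/lab-pc01.school.local", f"{AP}:SSID1", DOMAIN_PC)
# Session 2: alice logs on to that PC. Only her identity is present, so the
# request differs from her BYOD laptop on the same SSID only in client MAC.
ALICE_ON_PC = Request("SCHOOL\\alice", f"{AP}:SSID1", DOMAIN_PC)
ALICE_ON_BYOD_SSID1 = Request("SCHOOL\\alice", f"{AP}:SSID1", BYOD_LAPTOP)
ALICE_ON_BYOD_SSID2 = Request("SCHOOL\\alice", f"{AP}:SSID2", BYOD_LAPTOP)
BOB_ON_BYOD_SSID2 = Request("SCHOOL\\bob", f"{AP}:SSID2", BYOD_LAPTOP)

if __name__ == "__main__":
    for label, req in [("boot", BOOT),
                       ("alice/domain PC/SSID1", ALICE_ON_PC),
                       ("alice/BYOD/SSID1", ALICE_ON_BYOD_SSID1),
                       ("alice/BYOD/SSID2", ALICE_ON_BYOD_SSID2),
                       ("bob/BYOD/SSID2", BOB_ON_BYOD_SSID2)]:
        print(f"{label:24} -> {evaluate(POLICIES, req)}")
```

Running it shows the boot session granted by the machine-only policy, alice's logon on the domain PC rejected because the combined policy never matches and nothing else covers a user session on SSID1, and her BYOD laptop on SSID2 granted by the user-only policy. The only attribute that separates her domain-PC logon from her BYOD laptop on SSID1 is Calling-Station-Id, which is why the vendor workarounds Greg mentions fall back on MAC tables.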

All replies

  • Hi Greg,

    Thanks for your explanation - now that you have answered I can see this has been asked many times before :)

    You have made some suggestions, I guess my options are:

    • Change the wireless configuration to be authentication: Computer only (so users are ignored) therefore I can create a user policy with 'station called' to lockdown user authentication to a specific SSID. Unfortunately this will have issues with domain connected OSX clients - I haven't yet found a way for them to also run in Computer Authentication mode.
    • I guess locking down by MAC address? (even though this isn't really that secure)
    • Possibly tricking it with a health rule although not foolproof?

    Sunday, October 14, 2012 9:28 PM
  • Hi Matthew,

    I think you have it. Your idea of using a health rule is interesting. If you mean a NAP health rule, this will only work on Windows devices (for the most part). You are right that a non-domain device could start up the NAP agent and enable the correct enforcement client but this is unlikely.

    -Greg

    Monday, October 15, 2012 4:02 AM