Corporate Wifi - iOS Devices prompting for cert

  • Question

  • Hi

    We have Fortinet APs set up for testing at the moment, which will do RADIUS authentication to our Windows RAD Server

    I have the following configuration:

    Connection Policy: 

    NAS Port Type: Wireless - IEEE 802.11

    PEAP Authentication - with a cert selected which I requested recently.

    Network Policies:

    Unspecified Network Access Server

    User Groups: Domain\WiFi

    Authentication: PEAP + EAP-MSCHAP v2 + MS-CHAP-V2

    This all works, so a client can connect to the WiFi and it checks for the certificate and username/password etc.

    Now when I attempt to connect a mobile to the corporate WiFi, it prompts me for username and password and then prompts me to trust the certificate and it connects to the network.

    I want to stop this

    I don't want mobiles connecting to the Corporate WiFi unless they are company mobiles

    How can I achieve this?

    Wednesday, July 1, 2015 12:13 PM

Answers

  • Hi,

    In general, in an 802.1X authenticated wireless deployment, we use wireless security groups in the Active Directory Users and Computers MMC snap-in to control who can access your network. Create a new security group which contains the users who are allowed to connect, add this group to the network policy, and configure it to allow permission.

    If you want to limit the device itself, such as a non-domain-joined iPhone, it might need additional assisting software/devices.

    Best Regards,
    Eve Wang

    Tuesday, July 21, 2015 6:08 AM

All replies

  • Hi,

    According to your description, my understanding is that you want to limit the connection of phones to your corporate wireless network. Limiting the account (which has wireless connection permission) and assigning the account to specific users would be the simplest way.

    In general, when using NPS/RADIUS, the user name, password and certificate are the main determinants for allowing a phone to connect to the wireless network. If you want to allow an “authorized” phone to access the network, I am afraid that NPS/RADIUS alone is unable to implement this function. You may consider Microsoft Intune. For detailed information you may reference:
    https://technet.microsoft.com/en-us/library/jj676587.aspx

    Best Regards,
    Eve Wang

    Thursday, July 2, 2015 9:05 AM
  • I want to be able to stop Phones from connecting to the WiFi

    This is fine for Windows Phones (as you have to manually install the cert), but on iOS devices it prompts you to install the cert, you install it and you're connected

    Friday, July 17, 2015 10:53 AM