NPS authentication for smartphones using calling-station-ID parameter AND AD group membership

Question

    Hello everybody,

    In our organisation, we currently have a WLAN ESSID for smartphones. Those smartphones are authenticated at the moment by a RADIUS server (Windows 2008 - NPS role) where authentication occurs as such:

    - A new network policy for every new smartphone that is allowed
    - The network policy conditions for smartphones are:
      1. Calling-station-ID (MAC address of the allowed smartphone)
      2. Called-station-ID (ESSID or WLAN name)
      3. Windows group membership of the smartphone owners

    This leads to an annoying situation where you have a network policy entry in NPS for each and every smartphone.

    I was wondering if there is any other way or method that could be used in order to have only one network policy for all smartphones.
    The Windows group for smartphone owners has members that are allowed to use the smartphone wifi. But they can have multiple devices. So each device that is owned by one person should be authenticated.

    Since the Called-station-ID and the Windows group membership are static and remain the same for RADIUS conditions, is there a way to get the Calling-station-ID also static? Meaning, is it possible, for example, to authenticate the Calling-station-ID against an AD group? Then we would have 3 static conditions and no need anymore to create a specific network policy for each and every smartphone.

    The authentication method currently used is PEAP with EAP type EAP-MSCHAPv2.
    The NAC device is a Motorola RFS6000 WLAN controller switch.

    Thank you.
    M S
    Sunday, May 26, 2013 2:10 PM

Answers