Machine Vs User Authentication for WPA2 Enterprise

So I recently caught out an employee who snuck their Xbox into work for some console gaming during the holidays.. He connected it to our LAN, and the switch notified me of the "illegal device". This is courtesy of 802.1x on the ports, authenticating client PCs based on their Machine AD account (only), and in this case, his Xbox wasn't on my AD and fired a security alert. The look on his face certainly compensated for my effort in walking to one of the factories in hot weather to bust him.

So this got me wondering.. I always have headaches with people attaching their mobile phones and iPads to the company WiFi using their AD User account. I have a guest network for them to use, but it's rate limited and people sook that they can't run netflix well on their phones during lunch. So I am constantly having to police it.

Why the hell aren't I using the Machine AD account for WiFi authentication?

It's the same AD, the same RADIUS servers, virtually the same config as the wired network.. I even deploy the WiFi profiles via Group Policy (with AD User Only authentication). I'd just have to make up a laptop group, dump the laptops in, change the RADIUS server to look in the new group instead of Authenticated Users and update the GPO. But for some reason, be it lazy convention or some unknown wisdom, everywhere I have had anything to do with WiFi & AD uses AD user accounts (until they've gotten big enough to warrant installing certificate infrastructure to support EAP-TLS).

Comments

  • Looked at doing this for WiFi years ago and it was a real PITA. Ended up using a UTM to achieve the same thing. Also useful for blocking streaming, social media and other sites during work hours and automatically unblocking during the lunch period. Keeps the staff happy.

    • Hey Boss. Happy employee here.

      • Hey happy. Employee boss here.

      • All searches to tight bottoms are blocked sorry.

    • UTM is great - I've been using Meraki MX's for years. But the thing is that BYO phones and iPads are a headache for me - but someone could easily do the same thing with their laptop, and that has in the past been an unpleasant process for the people involved.

      More to the point, our customers are now starting to demand that the only things on our networks that have IP connectivity to the servers with their stuff on it are authorised devices, and I won't give carte blanche approval for everyone's personal devices. It's gone from a fairly low risk headache and will become a contractual problem in a month or so.

      • One of my solutions has been to have Guest wifi on a separate vlan. That way their BYOD device can't connect to shared drives or anything like that while still being able to access the internet.

• That's exactly what I do.. It works well, when I can get people to stay on it. I could probably configure RADIUS to send back the guest vlan ID when something attempts to authenticate that doesn't match our naming standard for a stealthy solution. Or do machine auth instead of user auth and kick them out if there's no reason not to do that. Failing a technical solution, it'll be an unpleasant administrative solution.
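The two ideas in this thread (the OP's "authenticate on the machine AD account and a laptop group instead of Authenticated Users", and the comment above about returning the guest VLAN ID for anything that doesn't match the naming standard) are really one RADIUS authorisation decision. The policy below is an added, constructed illustration of that decision, not code from the thread or from NPS or FreeRADIUS: the AD domain name, the VLAN IDs, the group name "Authorised-Laptops", the naming standard regex and the AD lookup table are all assumptions. It classifies the EAP identity as a machine or user login, checks the computer object's group membership, and replies with the RFC 3580 tunnel attributes that switches and access points use for dynamic VLAN assignment.

```python
"""Toy RADIUS authorisation policy: machine auth + dynamic VLAN.

Constructed example for the thread above, not vendor code.  Models the
decision described there: 802.1X supplicants are authorised on their AD
computer account (EAP identity of the form host/NAME.domain), the computer
must be in an authorised-laptops group, and anything else on the corporate
SSID gets the guest VLAN pushed back instead of a flat reject.
"""
import re
from dataclasses import dataclass

DOMAIN = "corp.example"        # assumed AD DNS domain (realm of host/ identities)
NETBIOS_DOMAIN = "corp"        # assumed NetBIOS name (realm of DOMAIN\user identities)
CORP_VLAN = "10"               # assumed VLAN IDs
GUEST_VLAN = "99"
LAPTOP_GROUP = "Authorised-Laptops"   # assumed AD group the OP would create

# Constructed stand-in for an AD lookup: computer sAMAccountName -> group names.
AD_COMPUTER_GROUPS = {
    "LAPTOP-0042$": {"Domain Computers", LAPTOP_GROUP},
    "LAPTOP-0043$": {"Domain Computers"},        # joined, but not in the laptop group yet
    "FACTORY-KIOSK1$": {"Domain Computers", LAPTOP_GROUP},
}

# Assumed naming standard: LAPTOP-nnnn or FACTORY-xxx.  Anything else is
# suspect even if someone managed to create a computer object for it.
NAMING_STANDARD = re.compile(r"^(LAPTOP-\d{4}|FACTORY-[A-Z0-9]+)$")


@dataclass
class RadiusReply:
    code: str          # "Access-Accept" or "Access-Reject"
    attributes: dict   # reply attributes (empty on reject)
    reason: str        # what the policy log line would say


def parse_identity(identity):
    """Classify an EAP (inner) identity.

    Windows machine auth presents host/NAME.dns.domain; user auth presents
    DOMAIN\\user or user@dns.domain.  Returns (kind, name, realm).
    """
    m = re.match(r"^host/([^.]+)\.(.+)$", identity, re.IGNORECASE)
    if m:
        return "machine", m.group(1).upper(), m.group(2).lower()
    m = re.match(r"^([^\\]+)\\(.+)$", identity)
    if m:
        return "user", m.group(2), m.group(1).lower()
    m = re.match(r"^([^@]+)@(.+)$", identity)
    if m:
        return "user", m.group(1), m.group(2).lower()
    return "unknown", identity, ""


def vlan_attrs(vlan):
    """RFC 2868 / RFC 3580 attributes for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan,
    }


def authorize(identity, machine_auth_only=True):
    """Decide the reply for one successfully authenticated identity.

    Authentication (the credential check) is assumed to have already passed;
    this is the authorisation step that picks accept/reject and the VLAN.
    """
    kind, name, realm = parse_identity(identity)
    if realm not in (DOMAIN, NETBIOS_DOMAIN):
        return RadiusReply("Access-Reject", {}, f"realm {realm!r} is not ours")
    if kind == "user":
        if machine_auth_only:
            # The thread's point: a personal phone/iPad logging in with an AD
            # user account is not a domain machine, so it lands on guest.
            return RadiusReply("Access-Accept", vlan_attrs(GUEST_VLAN),
                               "user credentials without machine auth: guest VLAN")
        return RadiusReply("Access-Accept", vlan_attrs(CORP_VLAN), "user auth permitted by policy")
    if kind != "machine":
        return RadiusReply("Access-Reject", {}, "unparseable identity")
    if not NAMING_STANDARD.match(name):
        return RadiusReply("Access-Accept", vlan_attrs(GUEST_VLAN),
                           f"{name} violates naming standard: guest VLAN")
    groups = AD_COMPUTER_GROUPS.get(name + "$")
    if groups is None:
        return RadiusReply("Access-Reject", {}, f"no computer object for {name}")
    if LAPTOP_GROUP not in groups:
        return RadiusReply("Access-Accept", vlan_attrs(GUEST_VLAN),
                           f"{name} not in {LAPTOP_GROUP}: guest VLAN")
    return RadiusReply("Access-Accept", vlan_attrs(CORP_VLAN), f"{name} is an authorised domain computer")


if __name__ == "__main__":
    for ident in ("host/LAPTOP-0042.corp.example", "host/XBOX-ONE.corp.example",
                  "CORP\\jsmith", "host/LAPTOP-0043.corp.example"):
        r = authorize(ident)
        print(f"{ident:32} {r.code:14} VLAN={r.attributes.get('Tunnel-Private-Group-ID', '-'):3} {r.reason}")
```

In a real deployment the identity that reaches this step is the inner EAP identity (PEAP/EAP-TLS); the outer identity can be anonymous, so the naming check must run on the inner one. The same three Tunnel-* attributes are what an NPS network policy or a FreeRADIUS reply sends in practice; what differs per vendor is only how the conditions (computer group, naming pattern) are expressed.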

  • Which way is cheaper?

• No cost on either. It's just config.

  • I always have headaches with people attaching their mobile
    I have a guest network for them to use, but it's rate limited and people sook

    The simple solution would be to jack up the rate on your guest network. Why would you be against your employees watching Netflix during their lunch hour? It's something so simple that can make everyone happy.

    So I am constantly having to police it.

    Some extra bandwidth surely costs less than the time you spend having to constantly police it. It sounds like you actually enjoy walking around feeling god-almighty because you have the power to restrict access to the internet.

    And just a reminder, that these "people" you're referring to are not just any people. They are your employees! Sometimes, little things like this between employer and employee can go a long way.

    All I can say is, put yourself in their shoes.

• They're not my employees, and I don't care if they can't watch movies at work. I pay for fast internet at home so I can do that sort of thing in the comfort of my own home.

It's not enjoyment, it's a headache. Although it was pretty funny with the Xbox - "You (profanity)' IT people are everywhere".. I don't see that very often.
