How to Block iphone and other devices when using 802.1x PEAP+NPS

sroberts · ‎02-25-2012

Hello,

I'm looking for a solution to block iphones and other devices that are not part of the domain.

We are using 802.1x PEAP authentication with NPS to authenticate the users. This is working fine but the problem is that

a user can use his userID and password to logon with another device that is not part of fomain.

NPS does not seem to be able to force machine authentication+user authentication at the same time like ACE can do.

Does anyone know a solution that can do this with microsoft NPS without having to buy ACS or ISE?

Thanks

SR

Scott Fella · ‎02-25-2012

SR,

It seems like the only way to do what you want is to use machine authentication and not use PEAP with username and password. You mentioned that you only want domain devices on the network, so it seems like machine authentication will be your best bet.

-Scott
*** Please rate helpful posts ***

dharmendra2shah · ‎07-17-2012

Even we found out that NPS server can either do machine authentication or user authentication but not both at the same time. If ACS server can do it then why can't NPS server.

We have enabled machine authentication for domain enterprise users and it keeps personal iPAD / iPHONES away from our network.

But how do we accommodate iPads issued to executives who would like to connect to domain enterprise network. They are an object in Active Directory.

iPads are only capable of passing user / password. They cannot pass machine credentials.

How secure is MAC addres filters or ISE is the answer.

Ds

Scott Fella · ‎07-18-2012

ISE is the answer, because you can profile and then look at the device to determine if the device is allowed or not. ACS does MAR, which is a workaround in my book and isn't suggested. The issue is a wired device that goes wireless, and vice versa, is not seen by ACS as machine authenticated when tey switch from wired to wireless or the other way around. Also, MAR has a time value, so when that value4 expires, any reauth, the client needs to reboot.

-Scott
*** Please rate helpful posts ***

dharmendra2shah · ‎07-27-2012

Thanks Scott. We are evaluating ISE in our LAB environment. Out of curiosity would you know the technical reason why NPS can’t handle user & machine authentication both at the same time?

Ds

Scott Fella · ‎07-27-2012

It's not NPS. It's Microsoft:) Windows 7 only does user OR machine, not both.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

dharmendra2shah · ‎08-24-2012

Scott,

We are planning to use a supplicant recommended by Cisco know as NAM (Network Access Manager) part of "Cisco Any Connect Mobility Client".

Using "Any Connect Profile Editor" we an create an .XML file and can pass both Machine & User Credentials.

Will the NPS server be able to handle it then?

Let me know if you have something like this?

Ds

Stephen Rodriguez · ‎08-24-2012

Well, with windows, one superseceds the other. But doing machine authentication doesn't keep iOS devices off of the network. ISE with profiling to deny if iOS or not part of the domain would be the better way to go.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Scott Fella · ‎08-24-2012

I dont know if that will work with NPS or not. That might be a feature for use with ISE.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***