We've recently deployed a new wireless infrastructure using 4404 WLC's and 1131 Access Points. We have 2 WLAN's, one secured using RADIUS (Microsoft IAS on Win2K3) and PEAP. The other a public guest access using the WLC web authorization.
We have discovered that iPhones and iPod touches are able to connect to the secure WLAN with only their AD credentials. They are then prompted to accept the certificate and granted access to the secure WLAN.
Our domain machines require the certificate to be installed via group policy, so I'm unsure how the Apple devices are pulling down the cert.
Does anyone have any suggestions on how to block this behaviour? We would like these devices to only use the guest web-auth access.
The solution has been added in the below-mentioned document:
I believe that this is the normal behaviour for a PEAP enabled network. If you like to use certificate based authentication, you'd need to use TLS with user certificates.
The current behaviour (as far as I understood it) is completely correct.
But Windows clients have to have the certificate installed. If the client machine does not have the cert, it does not connect - no prompting for credentials or the cert. Why is this behaviour different for iPhones? Does this not defeat the purpose of using PEAP?
I also work at a school here where we use WPA2-Enterprise with PEAP.
The clients just need to accept the server cert, because Windows' default setting is to validate it. Apple iPhones (and I believe OSX too) don't validate the certificate at all and simply accept it.
Try it in XP/Vista with the "Validate Server Certificate" option in the network-profile settings disabled.
One idea is to use client certificates which you have to issue for each client. This requires a PKI.
Another possible way is to block the MAC addresses of the Apple devices on the DHCP (but not very secure).
Maybe you could also verify some RADIUS attribute on the RADIUS server, like host type or operating system, but I don't have more information about that.
If all of your machines run Windows, then you can simply switch over to machine authentication. That will require a small amount of reconfiguring on your IAS box (only validate machine accounts, not user accounts). On the Windows machines, it depends on what revision of XP you are running. SP2 and earlier computers are configured for machine auth in one manner (registry), SP3 machines in another (XML). Either way, your best bet is to use a GPO (group policy object) with Wireless Zero Config. If you are not running Wireless Zero Config as your wireless supplicant, then the GPO route won't work. The GPO route is nice because you can enforce the proper settings for your network, keep your network at the top of the preferred wireless network list, and disable ad-hoc wireless networking on the client. There is a fair amount of how-to for all these things; Google is your friend (or support.microsoft.com). Just remember - you want to enforce MACHINE ONLY authentication.
The other reply was also correct - you can use one of your Windows 2003 servers to host a PKI that issues machine certs to all of your computers. Microsoft has a nice article on how to set that up in a lab. PKI is simple to set up, but not simple to keep running, so get some outside help if you don't know what you're doing.
Who is providing the public cert in this case? It's either the ACS server or the AD, and can this behaviour be changed so that the public cert is not provided to the endpoint? Similar to VPN token authentication, the idea of PEAP is to know something (AD credentials/PIN) and have something (public cert/token).
I was looking for a decent solution for exact same problem other than MAC ACLs on APs and found this discussion.
Did you try machine authentication?
Yes, I changed the Wireless GPO to use machine authentication only, and then changed the RADIUS policy to authenticate only Domain Computers. It seems to be working well.
We have a group of 'approved' iPhone users, which we added to their own security group in AD, and added them as well to the RADIUS policy. They are now the only ones who can authenticate with user credentials. All other devices must be domain members to connect.
What kind of authentication method are you using for machine authentication (I mean EAP-TLS for client/server both etc.)?
Are you using windows database or LDAP authentication in ACS?
I just like to make sure that ONLY machines which are members of my domain should be authenticated. Though I haven't tested it, my feeling is that a person using his personal laptop with the same name as a machine in the GPO may still get access to the network, as is the case with domain user/password credentials. As long as a user can configure the wireless profile on the client, the user can still log in by simply copying any computer's name. Not sure where the security is. Any thoughts?
Though it resolves the problem of iPhones I guess.
Believe it or not, with PEAP in a machine authentication and a Microsoft AD world, each machine account has a password. Actual credentials are exchanged, and the machine is granted access. The passwords are even changed periodically, automagically.
So it means that if I have a personal machine with the same name as another wireless machine which has access to the network, then the personal machine which is not part of my official domain will NOT access the wireless network?
It shouldn't. I don't believe it would be as simple as renaming the client machine to that of a domain member. The AD computer account is based on the UUID of the machine I believe and is also tied into the MAC address, although I could be wrong about the MAC part.
So, what should be the preferred way for machine authentication, PEAP-TLS or just regular machine authentication?
Currently, I am using MS-CHAPv2 for user authentication.
Sorry for the lot of questions, but with PEAP-MSCHAPv2, does user authentication also occur?
Are you using Machine authentication only?
I'm not sure about ACS, as we aren't using it, but yes the GPO in AD is for machine auth only.
I'm using Microsoft IAS for RADIUS and the remote access policy authenticates Domain Computers only.
We are in the process of deploying a secure WLAN using RADIUS (Microsoft IAS on Win2K3) and PEAP. We are using 4404's and a 5508 WLAN Controller. Do you know of a good design guide or Cisco docs pertaining to the exact deployment you've done?
Thanks for your time
This is great, as we have recently recognized that users with Macs and iPhones can easily authenticate to our private WLAN by just supplying their AD credentials. I then followed some of the steps up above and realized that if I uncheck "validate server certificate" on a Windows machine, the machine will connect no problem.
So if I understand this thread correctly, the next step would be moving to "machine based" authentication instead of "user account" authentication? How did you then allow iPhones/Droid devices on that particular WLAN? Thanks
Cisco ISE is another solution to your problem. It does device profiling, so you can specify AD groups as well as devices that are permitted on a WLAN in any combination, e.g. administrators and any device: allow; teachers and Windows PCs only: allow.