Good afternoon everyone,
I've been researching this for a while and can't seem to come across anything that points me in the right direction, so I'm hoping someone can assist. Currently people can connect to the corp wireless via 802.1x with their AD credentials on ANY device. How could I change that so when "Johnny" brings in his personal laptop he is not able to connect? I know it's cert-based, but I'm not so sure if it's on the WLC or on the RADIUS server. Thanks for any input!
In Microsoft IAS you can create a policy condition to only allow the Windows domain groups Domain Users (can be any group) & Domain Computers.
Thanks for the reply! Have you ever heard of doing anything that's cert-based? For example, I still use 802.1x for auth, but if someone brings in a machine that doesn't have the cert they won't be able to log in even if they have a user/pass.
Sorry, I have not. Why don't you add MAC filtering? Or if you really want to get crazy, add DHCP reservations for each client (pending it's not hundreds), then create an ACL so that only the DHCP reservation objects are permitted the protocols you desire.
If you have an AD environment with domain clients, you can start using EAP-TLS as the authentication method for 802.1X instead of username/password authentication (EAP-PEAP or MSCHAPv2).
With your AD domain you can simply create (or use an existing) certification authority and, with the PKI tools in AD, distribute certificates to every domain workstation. Certificate authentication can be machine-based (i.e. a certificate for the workstation needs to be pushed) or user-based (user certificate).
Once you have distributed them (this can be done via the automatic enrollment process, for domain-member clients only; you just have to prepare the PKI), check that authentication is working. Then you can limit the authentication options on your AAA server to allow only EAP-TLS, and you are done.
Similarly, I hope you can prepare a GPO to push the correct settings for your wireless network so that it is set up automatically without user interaction.
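As an added example (my own, not from any poster above) of checking the workstation-side preconditions this reply describes before the AAA server is locked to EAP-TLS only: a PowerShell script run on a domain workstation that confirms an auto-enrolled machine certificate with the Client Authentication EKU is present and chains to a trusted root, and that the corporate SSID's wireless profile uses EAP-TLS (EAP type 13) rather than PEAP. The issuing CA subject and SSID are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Run on a domain workstation to check:
#   1. a valid machine certificate (Client Authentication EKU, issued by the
#      enterprise CA, private key present) is in the computer store;
#   2. the wireless profile for the corporate SSID uses EAP-TLS (EAP type 13).
param(
    [string]$CaSubject = 'CN=CORP-ISSUING-CA',   # placeholder: your issuing CA subject
    [string]$Ssid      = 'CorpWiFi'              # placeholder: your 802.1X SSID
)
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

# --- 1. Machine certificate ------------------------------------------------
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -eq $CaSubject -and $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if ($null -eq $cert) {
    Write-Warning "No valid client-auth certificate from '$CaSubject' in LocalMachine\My (auto-enrollment not applied yet?)"
} elseif (-not $cert.Verify()) {
    # Verify() builds the chain against this host's trust store; a cert that does
    # not chain to a trusted root will be rejected by the RADIUS server as well.
    Write-Warning "Certificate $($cert.Thumbprint) does not chain to a trusted root"
} else {
    Write-Host "Machine cert OK: $($cert.Subject), expires $($cert.NotAfter.ToShortDateString())"
}

# --- 2. Wireless profile EAP method ---------------------------------------
$dir = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null
$xmlFile = Get-ChildItem -Path $dir -Filter '*.xml' | Select-Object -First 1
if ($null -eq $xmlFile) {
    Write-Warning "No WLAN profile named '$Ssid' on this machine (GPO not applied?)"
} else {
    [xml]$wlanXml = Get-Content -Path $xmlFile.FullName
    # The first <Type> under EapHostConfig is the outer EAP method: 13 = EAP-TLS, 25 = PEAP.
    $eapType  = ($wlanXml.GetElementsByTagName('Type') | Select-Object -First 1).InnerText
    $authMode = ($wlanXml.GetElementsByTagName('authMode') | Select-Object -First 1).InnerText
    if ($eapType -eq '13') {
        Write-Host "Profile '$Ssid' uses EAP-TLS (authMode: $(if ($authMode) { $authMode } else { 'machineOrUser (default)' }))"
    } else {
        Write-Warning "Profile '$Ssid' uses EAP type $eapType, not EAP-TLS; password-based auth is still possible"
    }
}
Remove-Item -Path $dir -Recurse -Force
```

A workstation that fails either check is one that will drop off the network once the AAA server is restricted to EAP-TLS, so running this via the same GPO rollout gives you a quick inventory before flipping the switch.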