12-09-2010 05:55 PM - edited 07-03-2021 07:31 PM
Hello,
Is it possible to exclude mobile devices from joining a WLAN configured for PEAP-MSCHAPv2 if they have a valid username and password? Specifically we want to prevent iPhones, iPods, iPads, and iWhatevers from joining the network. An example being a corporate employee with a valid account on the domain who has a personal iPad. He gets to work, fires up his iPad, sees the corporate WiFi network (which is being broadcast), and types in his username/pw to gain access (ignores the certificate warning). I can't think of any way to get around this with PEAP-MSCHAPv2.
Any ideas would be appreciated.
Thanks,
Dom
12-09-2010 06:00 PM
PEAP MS-CHAP V2 with MAC filtering is the one which is coming to my mind.. overhead, you need to get the MAC of each laptop..
Regards
Surendra
===
Please rate the posts which answered your question or were helpful
12-09-2010 06:09 PM
Yeah, that would work. Not excited about the overhead (+5,000 wireless clients)...
You are the winner unless there is another great idea!
Anyone else?
12-10-2010 01:45 AM
Hi,
If you are using a RADIUS server like ACS and AD, you can use MAR (Machine Access Restriction).
This feature available in ACS allows you to enforce machine authentication and users can only login from authorized machines.
Example:
In AD you have the DB of all the machines registered to the domain.
Users can only login to machines that belong to the domain and that had previously passed machine authentication.
Documentation:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
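A minimal model of the MAR decision described in the post above, added here as an illustration; it is not ACS code and not part of the original thread. It assumes the RADIUS server keys its cache on the Calling-Station-Id (client MAC), that domain computers authenticate with a `host/` identity, and that cache entries age out; the class, function and account names are hypothetical.

```python
import time

# Assumption: Windows computers present host/<fqdn> as the PEAP identity.
MACHINE_PREFIX = "host/"


def normalize_mac(calling_station_id):
    """Reduce any common Calling-Station-Id format to 12 lowercase hex digits."""
    mac = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
    if len(mac) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return mac


class MarPolicy:
    """Toy model of MAR. Credentials are assumed already verified against AD."""

    def __init__(self, aging_seconds, clock=time.monotonic):
        self.aging_seconds = aging_seconds
        self.clock = clock
        self._machine_seen = {}  # MAC -> time of last successful machine auth

    def authorize(self, identity, calling_station_id):
        mac = normalize_mac(calling_station_id)
        now = self.clock()
        if identity.lower().startswith(MACHINE_PREFIX):
            self._machine_seen[mac] = now  # domain computer proved itself
            return "permit"
        seen = self._machine_seen.get(mac)
        if seen is None:
            return "deny"  # valid user, but this device never passed machine auth
        if now - seen > self.aging_seconds:
            del self._machine_seen[mac]
            return "deny"  # entry aged out; machine auth must run again
        return "permit"


if __name__ == "__main__":
    policy = MarPolicy(aging_seconds=8 * 3600)
    # Constructed sample requests: (identity, Calling-Station-Id)
    for ident, mac in [("CORP\\dom", "AA-BB-CC-00-00-01"),              # personal tablet
                       ("host/laptop42.corp.example", "00:11:22:33:44:55"),
                       ("CORP\\dom", "0011.2233.4455")]:                # same laptop
        print(ident, mac, policy.authorize(ident, mac))
```

The aging branch is the operational cost to plan for: a domain laptop whose cache entry has expired is denied on user authentication until it repeats machine authentication.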
12-10-2010 08:49 AM
Thanks, Tiago. This would be a much better approach for us. Unfortunately the authentication server is Microsoft IAS. I doubt that they implement such a feature. This may be a good approach for getting ACS in there! I think your answer is correct. I am going to confirm my doubts about Microsoft IAS not having such a feature.