Machine ID via 802.1X radius
tokhss
Member Posts: 473
Hey y'all,
I am not sure how to word this correctly.. I've got a buddy who is trying to gather some detailed info on his network, so I figured I would try to help.
His setup is the following:
wifi users ---- LWAP----WC
AD
What he is trying to do is only allow domain users and their registered machines onto a certain VLAN, while guest users can use their iPads, etc. Basically, nothing but confirmed hardware on the production network, and on the guest VLAN anything goes.
What he is trying to gather is the machine ID anywhere along the line between the wifi transmission and AD. Is that even possible? He can only get the MAC and user ID thus far... any help is appreciated!
Thanks again!
Comments
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Extensible Authentication Protocol - Wikipedia, the free encyclopedia
EAP-TLS is what he needs as far as authenticating both users and devices.
To have a separate guest wireless network, the only mechanism I am aware of is to, well, have a separate guest wireless network. The network is plugged into a different switch, VLAN, or firewall port, and in turn sits on a different subnet that is prevented from accessing the LAN subnets at either the firewall or router level.
In this scenario, only a device with an X.509 certificate (either stored on the operating system or on a smart card) operated by someone with valid credentials can get onto the internal wireless. This accomplishes the goal of restricting access based on hardware and user. Guests access a different wireless access point using a pre-shared key or no key. The guest wireless is either provided by a multi-SSID-capable device or by a second WAP. The WAP's or secondary SSID's VLAN is prohibited from all LAN communication (unless some is deemed necessary), and only given access to the Internet (or resources deemed necessary).
Grabbing the Machine ID (as in hostname) does not accomplish anything in any scenario since, like a MAC address, it is spoofable. There are also fewer possible hostnames and more ways to get a given node's hostname, so it would be a far less effective access control method than MAC addresses even if it were or is possible.
thadizzy Member Posts: 72 ■■□□□□□□□□
I'd look into the option to deploy two separate RADIUS policies for the same 802.1X WLAN.
An EAP-TLS policy that assigns a dynamic VLAN for your corporate network.
A PEAP policy for BYOD devices that assigns a dynamic VLAN with only internet access (most likely the same VLAN your guest WLAN terminates in).
You can configure Cisco ISE to do PEAP authentication against local guest users in ISE, no need to add the guest users to the AD domain.
This allows you to authenticate for "Internet access" either via PEAP or web auth.
A bit more problematic if FlexConnect is used... not going there in this discussion.
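To make the two replies above concrete, here is an added example (not code from either poster, and not Cisco ISE or WLC configuration): a toy RADIUS policy decision that accepts EAP-TLS only when the client certificate was issued by the corporate CA to a corporate host (ptilsen's "confirmed hardware" requirement), accepts PEAP against a local guest store rather than AD (thadizzy's second policy), and then encodes the Access-Accept with the RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN ID) that make the controller place the client in the chosen VLAN. The VLAN IDs, CA issuer DN, host suffix, guest user, shared secret and request authenticator are all assumptions constructed for the example. A real Access-Accept that ends an EAP exchange also carries EAP-Message (EAP-Success), Message-Authenticator and MS-MPPE key attributes, which are left out here to keep the VLAN logic in view.

```python
"""Added example: 802.1X RADIUS policy -> dynamic VLAN, with Access-Accept encoding.
Assumed values (VLANs, CA, guest store, secret) are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# RADIUS codes (RFC 2865) and tagged tunnel attributes (RFC 2868)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE 802"

# Assumed deployment values (not from the thread)
CORP_VLAN = "110"
BYOD_VLAN = "200"
CORP_CA_ISSUER = "CN=CORP-ISSUING-CA,DC=corp,DC=example"
CORP_HOST_SUFFIX = ".corp.example"
LOCAL_GUEST_USERS = {"visitor1": "Sunflower-42"}   # constructed local (non-AD) guest store


@dataclass
class AuthRequest:
    eap_method: str                      # "EAP-TLS" or "PEAP-MSCHAPv2"
    identity: str                        # identity presented to the server
    cert_issuer: Optional[str] = None    # issuer DN of the client certificate (EAP-TLS)
    cert_san_dns: Optional[str] = None   # dNSName SAN of a machine certificate (EAP-TLS)
    password: Optional[str] = None       # inner credential (PEAP); simplified from MS-CHAPv2


def decide(req: AuthRequest) -> Tuple[int, Optional[str]]:
    """Return (RADIUS code, VLAN): two policies on one 802.1X WLAN."""
    if req.eap_method == "EAP-TLS":
        # Production VLAN only for a cert chained to the corporate CA and naming a corp host.
        if (req.cert_issuer == CORP_CA_ISSUER and req.cert_san_dns
                and req.cert_san_dns.lower().endswith(CORP_HOST_SUFFIX)):
            return ACCESS_ACCEPT, CORP_VLAN
        return ACCESS_REJECT, None
    if req.eap_method == "PEAP-MSCHAPv2":
        # BYOD/guest credentials are checked against the local store, never the domain.
        expected = LOCAL_GUEST_USERS.get(req.identity, "")
        if req.password is not None and hmac.compare_digest(expected, req.password):
            return ACCESS_ACCEPT, BYOD_VLAN
        return ACCESS_REJECT, None
    return ACCESS_REJECT, None


def tunnel_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged attribute layout: Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """The three attributes a WLC needs to assign a dynamic VLAN."""
    return (tunnel_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, vlan.encode()))


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """RADIUS response; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the controller does before trusting the VLAN: recompute the authenticator."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(attrs: bytes) -> dict:
    """Decode tagged tunnel attributes back to {type: (tag, value)}."""
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        out[attr_type] = (attrs[i + 2], attrs[i + 3:i + length])
        i += length
    return out


def respond(req: AuthRequest, identifier: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Run the policy and emit the Access-Accept (with VLAN) or Access-Reject."""
    code, vlan = decide(req)
    attrs = vlan_attributes(vlan) if code == ACCESS_ACCEPT else b""
    return build_response(code, identifier, request_authenticator, attrs, secret)


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    laptop = AuthRequest("EAP-TLS", "host/laptop01", CORP_CA_ISSUER, "laptop01.corp.example")
    pkt = respond(laptop, 7, req_auth, secret)
    print(pkt.hex(), parse_attributes(pkt[20:]))
```

The point of the split policy is that the VLAN is chosen by the server from what it could actually verify (a certificate chain to the corporate CA, or a local guest credential), not from anything the client claims such as a hostname or MAC address. The controller trusts the VLAN attributes only after the Response Authenticator checks out against the shared secret, which is why that secret and the RADIUS path deserve the same care as the certificates.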