
Unauthorized Apple iPODs & MAC notebooks connect to wireless


Postby guest » Sat Feb 25, 2012 5:45 pm

I need to prevent Apple iPODs and Mac Notebooks from connecting to my wireless network. Currently I have Server 2003 IAS Server and Enterprise Certificate Services installed and configured on my network. Clients authenticate using domain account usernames and passwords. Machine Certificates are installed on every domain client notebook using a GPO. These policies worked great for XP Pro and Vista Business clients. I have noticed however that Apple iTouch devices and Apple notebooks can connect to my wireless network if the owner has a valid domain username and password. How are these client machines negotiating a certificate?
I need to lock this down. I am sure this must be a common issue....
My Cisco Access Points are 1100 and 1200 APs. They are clients of the IAS server.
Thanks
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9024
Joined: Mon Nov 27, 2006 1:10 pm

Re: Unauthorized Apple iPODs & MAC notebooks connect to wireless

Postby guest » Sat Feb 25, 2012 5:45 pm

I am also seeing this issue. I have been pulling my hair out for a while trying to figure out something that is granular enough to deny the iPhones, iPod Touches, and Apple laptops that are owned by individuals but allow the devices that are owned and maintained by my institution.


The only thing I have found so far is to set up rules to deny specific clients based on their hardware address. This is a huge pain, and very time consuming. If I didn't need to worry about any Apple products connecting to my wireless network I would just set up a rule or rules to deny all Apple registered hardware addresses. You can find this list here.


http://standards.ieee.org/regauth/oui/index.shtml


Under NAP you really just have to make sure the rule is set to "Deny". Then under the "Conditions" tab I have 3 conditions set up.
1. "NAS Port Type" is set to "Wireless - IEEE 802.11 OR Wireless - Other"
2. "Calling Station ID" is set to the offending Apple hardware addresses separated by a "|" pipe. If you want to get all of Apple's registered hardware addresses you will need to make about 3 rules with the same conditions, with just the "Calling Station ID" condition different for each rule, because they won't all fit in one rule with NAP (they will with IAS). You can also put in wildcards for the hardware addresses. So for example, if I just have 2 devices that I want to deny, it would look like this: "00:26:08:17:1E:2C|04:1e:64:e5:28:70". If I wanted to deny all devices with a hardware address starting with Apple's registered hardware addresses, I would put wildcards in for the 2nd half of the hardware addresses like this: "00:26:08:*:*:*". They would still need to be separated with pipes though.
3. I don't know if other wireless systems can do this or not, but I have a Siemens wireless system (funny jokes aside) and it will send a "NAS Identifier". I have my wireless controller set to send this to the NAP server and it can be whatever you want; I just have it set to be my SSIDs. You just have to have it the same in both places, wireless controller and NAP server. I have a couple of different wireless networks that I don't want these devices to have access to, so mine looks like this.
"NAS Identifier" is set to "WiFi_CO|FacutlyStaff". This is useful because I do have a guest wireless network set up that these devices are allowed to access.


These rules have to be put in the list BEFORE your rules that allow the people to authenticate, otherwise they never get evaluated.


It would be great to have a "Windows Security Health Validator" client for Mac OS 10.x, but I haven't found anything yet. I am interested to try changing the certs like Matt suggested in the previous post, we have our own MS CA here in our domain, because my fix is a low tech pain like I said before.


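The deny rule described in the post above is easy to get subtly wrong: the Calling-Station-Id pattern is hand-typed, the format of the MAC the access point sends (colons, dashes, Cisco-style dots) is not under your control, and the rule only works if it sits above the allow rule. The following Python model is an added example, not code from the thread or from Microsoft; it imitates the first-match processing order of IAS/NPS with the pipe-separated, `*`-per-octet pattern syntax the poster describes, and it uses the two MAC addresses and the NAS-Identifier values quoted in the post. The Access-Requests it evaluates are constructed, not captured traffic, and the "corporate laptop" MAC 00:11:22:33:44:55 and the "Guest" SSID name are assumptions for the sake of the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# NAS-Port-Type values as IAS/NPS name them (RFC 2865 numeric values in comments).
WIRELESS_80211 = "Wireless - IEEE 802.11"  # 19
WIRELESS_OTHER = "Wireless - Other"        # 18
ETHERNET = "Ethernet"                      # 15


def normalize_mac(raw: str) -> str:
    """Collapse the Calling-Station-Id formats different NAS vendors send
    (00:26:08:17:1E:2C, 00-26-08-17-1e-2c, 0026.0817.1e2c) to 12 lowercase
    hex digits so a single pattern matches whatever the AP emits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return digits


def compile_mac_pattern(pattern: str) -> "re.Pattern":
    """Turn 'aa:bb:cc:*:*:*|11:22:33:44:55:66' (the syntax the post describes)
    into one anchored regex over a normalized MAC. Each alternative is
    validated, so a typo fails loudly instead of silently widening or
    disabling the deny rule."""
    alternatives = []
    for alt in pattern.split("|"):
        octets = alt.strip().split(":")
        if len(octets) != 6:
            raise ValueError(f"need six octets: {alt!r}")
        pieces = []
        for octet in octets:
            if octet == "*":
                pieces.append("[0-9a-f]{2}")
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", octet):
                pieces.append(octet.lower())
            else:
                raise ValueError(f"bad octet {octet!r} in {alt!r}")
        alternatives.append("".join(pieces))
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


@dataclass
class NetworkPolicy:
    """One IAS/NPS network policy: every condition that is set must match."""
    name: str
    grant: bool
    nas_port_types: Optional[FrozenSet[str]] = None
    calling_station_id: Optional["re.Pattern"] = None
    nas_identifiers: Optional[FrozenSet[str]] = None

    def matches(self, req: Dict[str, str]) -> bool:
        if self.nas_port_types is not None and req.get("NAS-Port-Type") not in self.nas_port_types:
            return False
        if self.nas_identifiers is not None and req.get("NAS-Identifier") not in self.nas_identifiers:
            return False
        if self.calling_station_id is not None:
            csid = req.get("Calling-Station-Id")
            if csid is None or not self.calling_station_id.match(normalize_mac(csid)):
                return False
        return True


def evaluate(policies: List[NetworkPolicy], req: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """First policy whose conditions all match decides; the rest are never
    evaluated. No match at all means the request is rejected."""
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.grant
    return None, False


# The two addresses quoted in the post, one of them widened to its first three octets.
DENY_PATTERN = "00:26:08:*:*:*|04:1e:64:e5:28:70"
deny_apple = NetworkPolicy(
    name="Deny personal Apple devices", grant=False,
    nas_port_types=frozenset({WIRELESS_80211, WIRELESS_OTHER}),
    calling_station_id=compile_mac_pattern(DENY_PATTERN),
    nas_identifiers=frozenset({"WiFi_CO", "FacutlyStaff"}),
)
allow_domain = NetworkPolicy(
    name="Allow domain users", grant=True,
    nas_port_types=frozenset({WIRELESS_80211, WIRELESS_OTHER}),
)
POLICIES = [deny_apple, allow_domain]  # deny first, as the post requires

# Constructed Access-Requests (not real captures); only the attributes the rule reads.
REQUESTS = {
    "apple_on_staff_ssid": {"NAS-Port-Type": WIRELESS_80211, "Calling-Station-Id": "00-26-08-17-1E-2C", "NAS-Identifier": "FacutlyStaff"},
    "apple_on_guest_ssid": {"NAS-Port-Type": WIRELESS_80211, "Calling-Station-Id": "0026.0817.1e2c", "NAS-Identifier": "Guest"},
    "second_apple_wifi_co": {"NAS-Port-Type": WIRELESS_OTHER, "Calling-Station-Id": "04:1E:64:E5:28:70", "NAS-Identifier": "WiFi_CO"},
    "corporate_laptop": {"NAS-Port-Type": WIRELESS_80211, "Calling-Station-Id": "00:11:22:33:44:55", "NAS-Identifier": "FacutlyStaff"},
    "wired_port": {"NAS-Port-Type": ETHERNET, "Calling-Station-Id": "00:26:08:17:1e:2c"},
}


def run(policies: List[NetworkPolicy], requests: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[Optional[str], bool]]:
    return {label: evaluate(policies, req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, outcome in run(POLICIES, REQUESTS).items():
        print(f"{label:22} -> {outcome}")
    # The ordering mistake the post warns about: allow above deny lets the device in.
    print("reversed order        ->", evaluate([allow_domain, deny_apple], REQUESTS["apple_on_staff_ssid"]))
```

Two things the model makes visible that the rule text does not: the wired request with the same Apple MAC is granted because the NAS-Port-Type condition fails, which is why that condition belongs in the rule; and with the policy list reversed the same device is granted on the staff SSID, which is the ordering caveat from the post. Check what your own access points actually put in Calling-Station-Id before trusting a hand-written pattern; NPS does not normalize separators for you the way this model does.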

Re: Unauthorized Apple iPODs & MAC notebooks connect to wireless

Postby guest » Sat Feb 25, 2012 5:46 pm

Other than switching to TLS, you can force windows clients to always use the computer authentication instead of using the user's authentication after login. Then you can remove the user accounts from authorized users.


Or ... can't you track down what user accounts are being used to put the rogue devices on the network and reprimand the offending users?

