When a registered device connects via MAC auth bypass on the "devices
SSID" the device owner's username is entered in the user table on the
controllers. This took a little tooling but is better than seeing the
MAC address as the username as with typical PSK networks.

Device fingerprinting is VERY good at detecting/deflecting 802.1x
capable devices off of the devices SSID. It is good at detecting device
genres. Because vendors tend to use wireless stacks in a modular,
off-the-shelf fashion, there can be false positives. A Kindle might identify as
an Echo. This is fairly easily remedied with regular signature updates
or by using custom signatures.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
[email protected]
PGP: 0x16777D39

On 9/25/20 7:24 PM, Lee H Badman wrote:
> We did start down this path, fingerprinting was not terribly reliable,
> at least in our trial a few years back. Part of why we opted to forgo
> the cost and added support burden. I'm assuming it's gotten more
> reliable?
> ------------------------------------------------------------------------
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv
> <[email protected]> on behalf of Tim Cappalli
> <[email protected]>
> *Sent:* Friday, September 25, 2020 5:51:59 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Wireless Device Policy Questions
>  
> Every device registered in CPPM has a username bound to the device
> account. That username can be checked against an external
> authorization source whenever the device connects.
>
> CPPM has had headless device registration since day 1 of the product.
>
>
> ------------------------------------------------------------------------
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv
> <[email protected]> on behalf of Jennifer Minella
> <[email protected]>
> *Sent:* Friday, September 25, 2020 17:42
> *To:* [email protected]
> <[email protected]>
> *Subject:* Re: [WIRELESS-LAN] Wireless Device Policy Questions
>  
>
> I’ve seen a range from “no lifeguard on duty” aka “good luck” with a
> basic low-security Internet-only network to managing specific device
> registrations tied to the user; typically the personal device
> registrations are going to be MAC-based, and I’ve seen several unis
> with home-grown MAC registration systems tied to user accounts and of
> course as Tim and Mike mentioned, ClearPass also does this. There are
> some caveats (or specific requirements) with ClearPass though, if you
> want it (the MAC-registered device) tied to the user’s account then
> you need to be using a user-based authentication at the SSID profile
> level; meaning, last I saw in POCs, there wasn’t a way to have a
> self-registration portal within CPPM that allowed a user to enter
> those credentials on something like the portal, then tie a
> MAC-registration to it. Other products like FortiNAC do meet that
> specific use case, as possibly do other products as well.
>
>  
>
> Most schools we’ve worked with do have some type of limit for devices
> that can be registered but those do all have some type of self-service
> portal so the students can add/remove their devices. The allowed
> number of devices ranges.
>
>  
>
> ___________
>
> *Jennifer Minella*, CISSP, HP MASE
>
> VP of Engineering & Security
>
> Carolina Advanced Digital, Inc.
>
> www.cadinc.com
>
> [email protected]
>
> 919.460.1313 Main Office
>
> 919.539.2726 Mobile/text
>
>
>  
>
> *From:* Michael Dickson <[email protected]>
> *Sent:* Friday, September 25, 2020 10:29 AM
> *Subject:* Re: Wireless Device Policy Questions
>
>  
>
> We use Clearpass for user MAC reg portal and for device
> fingerprinting. We have a special bit set in LDAP (AD) that we check
> for when a device seeks to auth onto a wireless network. If we need to
> prevent all user devices from getting connected we disable the bit. A
> relatively short reauth interval will prevent reauths.
>
> Mike
>
> Michael Dickson
> Network Engineer
> Information Technology
> University of Massachusetts Amherst
> 413-545-9639
> [email protected]
> PGP: 0x16777D39
>
> On 9/25/20 10:25 AM, Tim Cappalli wrote:
>
>     If you're using Aruba ClearPass, you can add an account check
>     during authorization.
>
>      
>
>      
>
>     ------------------------------------------------------------------------
>
>     *From:* The EDUCAUSE Wireless Issues Community Group Listserv
>     <[email protected]> on behalf of Tristan Gulyas <[email protected]>
>     *Sent:* Thursday, September 24, 2020 20:34
>     *To:* [email protected]
>     *Subject:* Re: [WIRELESS-LAN] Wireless Device Policy Questions
>
>      
>
>     Hi,
>
>      
>
>     We're considering this approach; however, we need a way to tie this
>     in with AD account status/expiry which needs to be near-instant,
>     i.e. if an AD account/identity for a user is disabled, we need to
>     immediately deregister or suspend ALL devices they have registered
>     to their identity, otherwise things get ugly from an infosec
>     perspective.
>
>      
>
>     I'm assuming freeradius+web-based front end for registration? How
>     do you perform the device fingerprinting? That's a very cool solution!
>
>      
>
>     Cheers,
>
>     Tristan
>
>     -- 
>
>     *TRISTAN GULYAS*
>
>     Senior Network Engineer
>
>      
>
>     *Technology Services, eSolutions*
>
>     Monash University
>
>     738 Blackburn Road
>
>     Clayton 3168
>
>     Australia
>
>      
>
>     E: [email protected]
>
>     monash.edu
>
>
>
>         On 25 Sep 2020, at 3:11 am, Michael Dickson <[email protected]> wrote:
>
>          
>
>         We created a PSK SSID with MAC auth registration for devices.
>         We limit device types to essentially the "consumer grade
>         entertainment devices" genre. We use device fingerprinting to
>         accomplish this. We started from a "deny all then allow"
>         paradigm. Only game consoles during pilot. Then added video
>         streaming devices then AppleTV, Echo, SmartTVs, etc. Easier to
>         add device types than take away. 802.1x capable devices get
>         denied. We also limit number of devices a user can register.
>         All helps to mitigate the flood of industrial IT devices
>         coming in from campus wide vendors, some of which may fall
>         into the life-safety genre. Vendors get stuck and end up
>         asking how they can add "a lot" of sensors (e.g. HVAC) to our
>         wireless. We have a discussion, give it a thumbs up or down,
>         and create rules/policies/networks as needed. Good but not
>         perfect. But starting off closed then letting out the line has
>         helped. Having a PSK network also solves the issue of devices
>         that can't connect to open SSIDs. And if we end up just
>         allowing all on the devices network at least we have a sponsor
>         to tie the devices back to.
>
>         Mike Dickson
>
>         Michael Dickson
>
>         Network Engineer
>
>         Information Technology
>
>         University of Massachusetts Amherst
>
>         413-545-9639
>
>         [email protected]
>
>         PGP: 0x16777D39
>
>         On 9/24/20 11:33 AM, Lee H Badman wrote:
>
>             We created an open SSID for the dorms that has Internet
>             access only. It helps with maybe ¾ of the consumer
>             devices, but there are still some home gadgets that need
>             more: Chromecast is one example. Some speakers as well.
>             Then there are devices that will ONLY join PSK networks
>             (like TP-Link power strip) so the open won’t work there. I
>             have seen one Nanoleaf light controller that will not work
>             in 2.4 if it sees 5 GHz, and it only works in 2.4 despite
>             the ability to sense 5. The unholy and expensive things
>             needed to make these high end enterprise systems work like
>             home Wi-Fi is really fairly astounding.
>
>              
>
>             If you go this route, expect to occasionally buy and try
>             consumer gear to verify what works and what doesn’t, and
>             to play whack-a-mole with students' wireless hotspots when
>             whatever you attempt doesn’t immediately work.
>
>              
>
>             Or… let them use their own hotspots and be done with it.
>             (If only…)
>
>              
>
>             Lee Badman
>
>              
>
>              
>
>              
>
>             *Lee Badman*| Network Architect (CWNE#200)
>
>             Information Technology Services
>             (NDD Group)
>             206 Machinery Hall
>             120 Smith Drive
>             Syracuse, New York 13244
>
>             *t* 315.443.3003  *e* [email protected]  *w* its.syr.edu
>
>             Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
>
>             *SYRACUSE UNIVERSITY*
>             syr.edu
>
>              
>
>             *From:* The EDUCAUSE Wireless Issues Community Group
>             Listserv <[email protected]> *On Behalf Of* Gernannt, Bill
>             *Sent:* Thursday, September 24, 2020 10:54 AM
>             *To:* [email protected]
>             *Subject:* [WIRELESS-LAN] Wireless Device Policy Questions
>
>              
>
>             All –
>
>              
>
>             From a residence hall perspective, Young Harris College is
>             a wireless only campus. We are currently seeing a 40%
>             increase in wireless devices over last Fall. This has
>             placed a bit of a strain on our wireless network and, by
>             extension, our tiny IT department. This has prompted
>             several internal discussions as to what expectations our
>             end users should have related to wireless support.
>
>              
>
>             Obviously, our core responsibility is to provide the
>             resources necessary to have a successful educational
>             experience. But, we also recognize there is a need for our
>             students to have access to online recreational activities
>             like gaming and streaming media. As we look to strike a
>             balance, we wanted to reach out to other institutions for
>             insight and guidance.
>
>              
>
>             Have any institutions implemented a restrictive policy
>             that prohibits specific wireless devices? If so, how did
>             you determine what was acceptable and what was not? How
>             did you get leadership to support the initiative? How do
>             you go about enforcing the policy?
>
>              
>
>             Have any institutions developed policies that set
>             expectations for wireless performance? What does the
>             policy consider to be necessary versus desirable?
>
>              
>
>             Any examples or ideas would be most welcome. Feel free to
>             reach out to me directly, if preferred.
>
>              
>
>             Regards,
>
>              
>
>             *Bill Gernannt*
>
>             Network Administrator
>
>             Information Technology Services
>
>             1 College Street | Young Harris, Georgia 30582
>             (706) 379-5206 | [email protected] | yhc.edu
>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
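Added example, not code from ClearPass, Microsoft or any participant in this thread: a Python model of the authorization flow Mike and Tim describe (owner username bound to the MAC registration, a per-user directory bit checked on every authorization, a device-genre allow-list fed by fingerprinting, a short reauth interval), including the account-disable case Tristan raises. Every class, attribute and sample value below is an assumption constructed for the illustration.

```python
# Added illustration (not ClearPass, AD or any participant's code) of the
# authorization flow this thread describes: owner username bound to the MAC
# registration, a per-user "devices allowed" bit checked at every authorization,
# a fingerprint genre allow-list, and a short reauth interval that bounds how
# long a disabled account's devices stay on. All names and data are constructed.
from dataclasses import dataclass, field

REAUTH_INTERVAL = 900  # Session-Timeout in seconds; bounds revocation latency
ALLOWED_GENRES = {"game-console", "streaming-stick", "smart-tv", "smart-speaker"}

@dataclass
class Directory:
    """Stand-in for the AD/LDAP lookup of the per-user 'devices allowed' bit."""
    devices_allowed: dict = field(default_factory=dict)  # username -> bool

    def check(self, user: str) -> bool:
        return self.devices_allowed.get(user, False)

@dataclass
class MacRegistry:
    """Stand-in for the self-service MAC registration store."""
    owner_of: dict = field(default_factory=dict)  # mac -> username
    max_per_user: int = 5

    def register(self, mac: str, user: str) -> bool:
        if list(self.owner_of.values()).count(user) >= self.max_per_user:
            return False  # per-user device limit reached
        self.owner_of[mac.lower()] = user
        return True

    def deregister_user(self, user: str) -> int:
        """Drop every device tied to a user, e.g. when the account is disabled."""
        macs = [m for m, u in self.owner_of.items() if u == user]
        for m in macs:
            del self.owner_of[m]
        return len(macs)

def authorize(mac, genre, dot1x_capable, registry, directory) -> dict:
    """RADIUS-style decision for a MAC-auth request on the devices SSID."""
    user = registry.owner_of.get(mac.lower())
    if user is None:
        return {"result": "Access-Reject", "reason": "unregistered MAC"}
    if dot1x_capable:  # fingerprint says it can do 802.1X: deflect to secure SSID
        return {"result": "Access-Reject", "user": user, "reason": "802.1X capable"}
    if genre not in ALLOWED_GENRES:  # deny-all-then-allow by device genre
        return {"result": "Access-Reject", "user": user, "reason": f"genre {genre}"}
    if not directory.check(user):  # the LDAP/AD bit Mike describes
        return {"result": "Access-Reject", "user": user, "reason": "owner disabled"}
    # User-Name is the owner, not the MAC, so controller logs tie to a person.
    return {"result": "Access-Accept", "user": user, "Session-Timeout": REAUTH_INTERVAL}

def walkthrough() -> list:
    """Constructed scenario: accept, then the owner's account bit is cleared."""
    reg, ad = MacRegistry(), Directory({"jdoe": True})
    reg.register("AA:BB:CC:00:11:22", "jdoe")
    first = authorize("aa:bb:cc:00:11:22", "game-console", False, reg, ad)
    ad.devices_allowed["jdoe"] = False  # account disabled; next reauth rejects
    second = authorize("aa:bb:cc:00:11:22", "game-console", False, reg, ad)
    return [first["result"], second["result"], reg.deregister_user("jdoe")]
```

The Session-Timeout returned with each Access-Accept is the upper bound on how long a device of a disabled account keeps its session, which is exactly what a short reauth interval is there to provide.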
