802.1x mobile devices

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › 802.1x mobile devices

fran1942

82 posts

Master Geek

Trusted

Topic # 146960 4-Jun-2014 09:16

Hello, in a corporate environment, you have your staff wifi users with mobile devices i.e iphones, tablets etc.
I understand it has not been feasbile to authenticate these users via wifi using 802.1x/radius/AD due to difficulties with certificates and the 802.1x supplicants on these mobile devices.
Therefore these staff mobile users are often put into their own speicial SSID with only PSK authentication. So it is essentially the same as a guest SSID but just with less firewalling restrictions i.e. no extra authentication security.

Is this still how things are done or do mobile devices now support 802.1x to such an extent that makes it feasbile to authorise them via 802.1x ?

Thanks for any advice.
How do you guys do it ?

lxsw20

2196 posts

Uber Geek
+1 received by user: 671

Subscriber

Reply # 1059052 4-Jun-2014 09:24

We have a separate VDSL connection for client WiFi and Mobile Device WiFi from our corporate internet connection. We use PFSense to a couple of Vlans to unifi gear to make it all work. Pretty simple setup really, but works well.

toyonut

1508 posts

Uber Geek
+1 received by user: 213

Reply # 1059055 4-Jun-2014 09:34

Ruckus Wireless 1100 with four AP's. All work issued equipment laptops, surfaces etc are on one network which is part of our internal network and authenticated by 802.11x and MS radius servers on our DC's.

Ruckus provides a staging portal for staff devices so we have another wlan on a separate vlan and IP range and staff can auth three devices each by logging in to the staging portal and generating a unique key that is tied to their username.
The automatic device provisioning normally fails to work, but it gives you the option to just view the key and then you can input it like normal.
There is also a guest portal which our reception can log into and generate a time limited password for a separate guest SSID.
The guest and staff wireless terminates on our firewall as an optional network so we have some control about what it can be used for.

I think most enterprise wireless solutions will have similar functionality.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

Inphinity

2527 posts

Uber Geek
+1 received by user: 939

Subscriber

Reply # 1059057 4-Jun-2014 09:38

I don't see any reason you can't do RADIUS authentication for mobile devices, provided your APs support it. We do this, using UniFi APs and Windows Server 2008 R2 NPS.

Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark

nigelj

856 posts

Ultimate Geek
+1 received by user: 125

Reply # 1059129 4-Jun-2014 11:58

802.1X is supported in most mobile platforms, Rags or nathan are best to comment about WP I won't pretend to know about then, but I'd pretty much die laughing/of shock if WP8 was unable to connect to a 802.1X network, as for 802.1X on Android/iOS, I know first hand that iOS6 and Android 4.1 (or was it 4.0 - I can't remember, it was a couple of years back now) can certainly connect to PEAP based 802.1X implementations.

To be fair, certificates are a bit harder, but most likely worth the extra effort if supported by the majority of devices.