
Radius Authentication - Different auth methods for mobiles v/s laptops


Hello,

I need some assistance in how I can separate out authentication methods for connecting mobile phones vs. laptops to our corporate wireless network. We have 2 different SSIDs in our environment - for example SSID-1 for mobile phones and SSID-2 to be used for laptops/domain-joined computers. Both SSIDs are set up on the same Cisco Access Point and both SSIDs are pointing to the same RADIUS/NPS Windows server. The requirement is that any mobile phone should only be able to connect to SSID-1 using MS PEAP (which basically means the user only needs to enter their AD credentials) and all our domain-joined laptops should connect to SSID-2 only, using the EAP-TLS certificate-based method.

We first started with certificate deployment for laptops to enable them to connect to SSID-2 using EAP-TLS. This was completed successfully. We have created a network policy on our NPS server and have selected the authentication method as "Smart card or certificate". In a nutshell, this is working fine. Any laptop which doesn't have the cert is unable to connect. Since mobile phones don't have the certificate, none of them were able to connect to SSID-2 (which is by design).

Now when I created another network policy on the same RADIUS server to use MS PEAP as the authentication method for mobile phones, to our surprise we are noticing that mobile phones are able to connect to both SSID-1 and SSID-2 with the user just having to enter their AD credentials. Technically phones should not be able to connect to SSID-2 because for it to work, the device needs certificates and mobile phones don't have one. We want the mobiles to only be able to connect to SSID-1. It's as if connectivity to both SSIDs is getting authenticated by MS PEAP only.

This network policy is at a higher priority than the one above which uses EAP-TLS, so I am assuming the RADIUS server doesn't even pass on the connection request to the 2nd policy because all conditions are met by this 1st policy. How can we restrict mobile phones to NOT connect to SSID-2 (since that defeats the purpose of not having certificates)?

The Network Policy that uses MS PEAP has one condition added to it, which is basically a security group in AD. This security group contains all the employees of our organisation, so whosoever attempts to connect using their mobile phone to either SSID gets connected successfully. Also, in this policy the checkbox "Ignore user's dial-in properties" has been selected, so this network policy is processed at all times.

The 2nd Network Policy in order, which uses EAP-TLS, doesn't have any conditions added, so it is pretty much wide open. In this policy, the checkbox "Ignore user's dial-in properties" is not selected.

All our domain user accounts have their Network Access Permission property set to "Control access through NPS Network Policy" in their "Dial-in" properties in AD. This is the default.

What can I do such that mobile phones are only able to connect to SSID-1 using AD credentials and not to SSID-2 at all?
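The behaviour described in the post follows from NPS evaluating network policies in order and applying the first one whose conditions all match: a PEAP policy with only a group condition at position 1 catches requests on every SSID. The model below (an added example, not the poster's configuration or NPS code) reproduces that, then shows the effect of binding each policy to its SSID with a Called Station ID condition; the assumption that the Cisco AP sends Called-Station-Id as "AP-MAC:SSID" and the attribute values are constructed.

```python
"""Toy model of NPS first-match network-policy evaluation (constructed example)."""
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    auth: str                                   # EAP type this policy allows
    conditions: dict = field(default_factory=dict)  # RADIUS attribute -> pattern

    def matches(self, request: dict) -> bool:
        # Every condition must match; a policy with no conditions matches everything.
        return all(re.fullmatch(rx, request.get(attr, ""))
                   for attr, rx in self.conditions.items())


def evaluate(policies, request):
    """Return the auth method granted by the first matching policy, or None (reject)."""
    for policy in policies:
        if policy.matches(request):
            return policy.auth
    return None


# Constructed requests from a phone joining each SSID. Assumption: the Cisco AP
# reports the SSID in Called-Station-Id as "AP-MAC:SSID".
PHONE_SSID2 = {"Group": "Domain Users", "Called-Station-Id": "00-11-22-33-44-55:SSID-2"}
PHONE_SSID1 = {"Group": "Domain Users", "Called-Station-Id": "00-11-22-33-44-55:SSID-1"}

# Policy order as described in the post: PEAP first with only a group
# condition, EAP-TLS second with no conditions at all.
AS_POSTED = [
    Policy("Mobiles PEAP", "PEAP-MSCHAPv2", {"Group": "Domain Users"}),
    Policy("Laptops EAP-TLS", "EAP-TLS"),
]

# Corrected order: each policy is tied to its SSID via Called-Station-Id, so a
# phone on SSID-2 only reaches the EAP-TLS policy and fails without a cert.
WITH_SSID_CONDITION = [
    Policy("Mobiles PEAP", "PEAP-MSCHAPv2",
           {"Group": "Domain Users", "Called-Station-Id": r".*:SSID-1"}),
    Policy("Laptops EAP-TLS", "EAP-TLS", {"Called-Station-Id": r".*:SSID-2"}),
]

if __name__ == "__main__":
    print(evaluate(AS_POSTED, PHONE_SSID2))            # PEAP-MSCHAPv2 (the reported problem)
    print(evaluate(WITH_SSID_CONDITION, PHONE_SSID2))  # EAP-TLS only, phone cannot complete it
    print(evaluate(WITH_SSID_CONDITION, PHONE_SSID1))  # PEAP-MSCHAPv2
```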
