jberg712
Contributor

Identity Awareness for iPads

I have a question regarding Identity Awareness and iPad devices. So our scenario is we have several networks, each with iPad devices in them. Not static IPs. They authenticate to our wireless network via EAP-TLS on a Windows NPS RADIUS server. When it comes to internet access, since these devices only use an object in AD with a certificate name mapping applied to authenticate it, it's not recognized in IA with that AD object. So there's no IA/authentication being performed on the iPad devices for internet access. I'm trying to avoid using captive portal as I need these devices to hit specific rules that allow them to communicate to iCloud and other Apple services that the rest of the network doesn't need.

So my question is, is there a good way for Identity Awareness to be performed on an iPad device outside the captive portal? Is there an Identity Agent for iPadOS?

I also attempted to see if the RADIUS Accounting option was an option, but I'm not sure I understand how the IA RADIUS Accounting option works. Maybe someone can enlighten me on it.

I initially assumed that the gateway would look to the RADIUS Accounting server/logs to match an identity. Since my iPads already authenticate via RADIUS on the NPS server, perhaps the gateway would look to the Accounting logs and assume the iPad identity? That doesn't seem to be the case. So I'm not sure how to get RADIUS accounting to work with IA. I can't find much in the admin guides about this setup/scenario where the RADIUS accounting option would be used in IA.

0 Kudos
6 Replies
PhoneBoy
Admin

There's acquiring the users via RADIUS Accounting and then there's associating those users to groups, which is necessary for Identity Awareness to work.
Do the users in question exist in AD and associate to specific groups?
What troubleshooting have you done on the gateway?

There is no identity agent for mobile devices that I am aware of.

0 Kudos
Sorin_Gogean
Advisor

Hey,
From "these devices only use an object in AD with a certificate name mapping applied to authenticate it" - I suspect that the iPads have an AD object in order to have the certificate, or you push the certs through an MDM solution!?!?!?!?

Either way, you need to have an AD object and make that object part of a group, so then you do Machine Identity and based on that AD group you could allow the Internet access....

For the RADIUS Accounting, you need to point your WiFi authenticator to send RADIUS Accounting to the IC (Identity Collector), and that would grab the data from User/Machine Identity and use it.

BTW, are you using Identity Collector? If not, you could try it and you will be able to see User/Machine authentications and use those too...
Ty,

0 Kudos
jberg712
Contributor

@PhoneBoy 

The users don't have a login they use on the iPads. The iPads themselves only have a machine object with certificate name mapping. I have tried applying them to a group and added an LDAP group with those devices. Identity Awareness doesn't pick up on those. The only troubleshooting for this has been to attempt to set up the RADIUS Accounting to see if it would pick those up. I've only attempted to set it up to point to the NPS servers that are doing the RADIUS authentication and accounting.

@Sorin_Gogean 

I'm not sure if I'm using "Identity Collector" or not.

We are using an MDM with the devices. The MDM uses SCEP with NDES to issue a certificate to the device enrolled in the MDM. Once that happens, I have to take the cert issued from the CA and apply it to the object in AD.

I think I see what you're saying about the Identity Collector. Correct me if I'm wrong, but I believe what you're saying (and I thought this might need to be the setup as well) is that when I configure RADIUS Accounting on the NPS server, it needs to point to the gateway? When setting up Accounting in MS NPS, it only has 2 options for the data, and that's a SQL DB and/or local text file. There's not an option that I can see that can offload the accounting to the GW. Plus I don't think I've dealt with the Identity Collector before. If that has an option to go and grab the data, that may be what I need.

0 Kudos
Chris_Atkinson

From memory, since this was a while ago, NPS policy needs to be set up as a RADIUS proxy to forward a copy of the accounting data (port 1813) towards the Check Point Gateway.

As part of this configuration we need to understand which fields in the RADIUS accounting messages will provide the Username and IP address details for mapping against what is in the user directory (LDAP).

This was how we did it prior to Identity Collector at least, but I suspect the NPS side hasn't changed greatly (except perhaps the dst IP).

0 Kudos
jberg712
Contributor

@Chris_Atkinson 

Thanks Chris. That was helpful as I was able to set up the firewall as a remote RADIUS client and in my connection request just forward the accounting. I have to set the correct attributes to what I need. It appears there is an issue retrieving the IP address in the default setting. An SK I found said to set it as the NAS_IP which is the controller. Doing that causes the device to be logged out when another one is attempted by the same IP. I'll have to play with it some more, probably open a TAC case, unless you've seen something similar you can suggest.

@PhoneBoy 

In theory, it makes sense to use RADIUS accounting because the RADIUS authentication on this particular wireless net is by device and not user. So the attribute it's sending is correlated with a workstation object. Then I can use an AccessRole group with the 'Machines' option for those devices to hit the rules I need them to. Although, I am having the issue I mentioned above with the NAS IP address attribute being the same for all devices and seeming to force a logout. At least that's what the logs are stating. I have yet to thoroughly test it to be certain of this.

When it comes down to it, I'll certainly give Identity Collector a try.

One question though about Identity Collector. Is that at some point eventually going to replace AD Query? Since the agent for IDC requires being installed on a Domain Controller?

0 Kudos
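An added example, not code from this thread or from Check Point, that models the two points above: which RADIUS accounting attributes supply the Username and IP for the identity mapping (Chris's reply), and why keying the mapping on NAS-IP-Address, the controller's address, makes each new iPad session evict the previous one while Framed-IP-Address keeps one identity per device (the logout symptom jberg712 reports). It parses RFC 2866 Accounting-Request packets and feeds them to a toy one-identity-per-IP table; all packets, addresses and the `host/ipad-…` names are constructed sample data, and the table is an illustrative model rather than the gateway's real session logic.

```python
import socket
import struct

ATTR = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address", 40: "Acct-Status-Type"}
ACCT_STATUS = {1: "Start", 2: "Stop"}  # RFC 2866 Acct-Status-Type values used here
ACCOUNTING_REQUEST = 4
DECODE = {1: lambda v: v.decode(), 4: socket.inet_ntoa, 8: socket.inet_ntoa,
          40: lambda v: ACCT_STATUS.get(struct.unpack("!I", v)[0], "Other")}


def build_acct_request(ident, username, nas_ip, framed_ip, status):
    # Accounting-Request with a zeroed authenticator (constructed sample data).
    avps = b""
    for t, val in ((1, username.encode()), (4, socket.inet_aton(nas_ip)),
                   (8, socket.inet_aton(framed_ip)), (40, struct.pack("!I", status))):
        avps += struct.pack("!BB", t, 2 + len(val)) + val  # type, length, value
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(avps), bytes(16)) + avps


def parse_acct_request(pkt):
    # Check the 20-byte header, then walk the type/length/value attribute list.
    code, _ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if t in DECODE:
            attrs[ATTR[t]] = DECODE[t](pkt[pos + 2:pos + alen])
        pos += alen
    return attrs


def identity_table(packets, ip_attr):
    # Toy IP-to-identity table fed by Start/Stop records: one identity per IP, so a
    # Start for an IP another user already holds replaces (logs out) that identity.
    table = {}
    for pkt in packets:
        a = parse_acct_request(pkt)
        ip, status = a[ip_attr], a["Acct-Status-Type"]
        if status == "Start":
            table[ip] = a["User-Name"]
        elif status == "Stop" and table.get(ip) == a["User-Name"]:
            del table[ip]
    return table


# Constructed sample: two iPads behind one wireless controller (NAS 10.0.0.5), each
# with its own client address; the User-Name values are hypothetical machine names.
SAMPLE = [
    build_acct_request(1, "host/ipad-01.corp.example", "10.0.0.5", "10.20.1.11", 1),
    build_acct_request(2, "host/ipad-02.corp.example", "10.0.0.5", "10.20.1.12", 1),
]
```

Running `identity_table(SAMPLE, "NAS-IP-Address")` leaves only the second iPad mapped to 10.0.0.5, whereas `identity_table(SAMPLE, "Framed-IP-Address")` keeps both devices, which is the attribute choice the mapping needs when every device shares the same NAS.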
PhoneBoy
Admin

Not sure how RADIUS Accounting will work with what is effectively a machine identity without a user logging in.
This is where you probably need to use Identity Collector.

0 Kudos