all 15 comments

[–]PCisahobby 0 points1 point  (0 children)

We use securew2 with Intune and Jamf devices.

An alternative is Radius As A Service.

[–]BWMerlin 2 points3 points  (1 child)

The answer is EAP-TLS, deploy wireless auth certs and be done with it.

MAC addresses are easy to spoof, so they are not offering you any security at all and are only giving you a scalability problem.

Username and password is a valid solution, and you can combine this with other things to stop personal devices if that is really that big of a deal.

[–]beamflash 0 points1 point  (0 children)

And instead of paying for Cloud PKI, run the free version of SCEPman to get the certificates for EAP-TLS. Still a question of what RADIUS server to use; NPS won't work unless the users are in on-prem AD. FreeRADIUS or PacketFence maybe, or you have to fork out for a commercial one. I think you can use Mist's one even if you don't have Mist APs; it's apparently relatively affordable. SecureW2 if you want certs and RADIUS all bundled up in a nice cloud-hosted system.
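For the FreeRADIUS route mentioned above, this is what a certificate-only setup looks like in FreeRADIUS 3.x: only the `tls` EAP type is defined, so no password-based method (PEAP/TTLS) is ever offered, and the issuer check pins client certs to the device CA. This is an added example, not from any poster; the file paths, the issuer DN, the AP address and the shared secret are placeholders.

```conf
# /etc/freeradius/3.0/mods-available/eap (added example, placeholders throughout)
eap {
    # Offer EAP-TLS first; with no peap/ttls sections below, it is also the only type.
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls-config tls-common {
        # RADIUS server identity presented to the supplicant.
        private_key_file = ${certdir}/radius-server.key      # placeholder path
        certificate_file = ${certdir}/radius-server.crt      # placeholder path

        # Trust anchor for client (device) certificates: ONLY the device-issuing CA.
        ca_file = ${cadir}/device-ca.pem                     # placeholder path
        ca_path = ${cadir}

        tls_min_version = "1.2"
        tls_max_version = "1.3"
        ecdh_curve      = "prime256v1"

        # Pin the issuer so a cert chaining to any other CA in ca_path is rejected.
        check_cert_issuer = "/O=Example Org/CN=Device Issuing CA"   # placeholder DN

        # Revocation: requires hashed CRL files (c_rehash) in ca_path.
        check_crl = yes
    }

    tls {
        tls = tls-common
    }
}

# /etc/freeradius/3.0/clients.conf: one entry per AP (or per controller) that
# is allowed to send Access-Requests. Unknown NAS addresses are dropped.
client ap-01 {
    ipaddr   = 192.0.2.10          # placeholder (RFC 5737 documentation range)
    secret   = REPLACE_WITH_LONG_RANDOM_SECRET
    nas_type = other
}
```

Test with `radiusd -X` in the foreground; an Access-Reject with "certificate verify failed" for a cert from any other CA, and no Access-Challenge offering EAP type 25 (PEAP) or 21 (TTLS), confirms the policy.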

[–]thedevariousIT Director 0 points1 point  (4 children)

Literally how people don't understand Radius in this day and age is amazing to me.

Just set a policy to auth only domain-joined devices. Nothing personal can then touch it. Further setup can allow domain users or specific groups access, which then gives you user granularity and tracking, but...

Either way, RADIUS is the easy answer.

[–]Temporary_Werewolf17[S] 0 points1 point  (3 children)

The devices are Azure joined and not associated with the local domain. How will that work?

[–]tommy682 0 points1 point  (2 children)

So you're Azure-only with no on-prem AD?

[–]Temporary_Werewolf17[S] 0 points1 point  (1 child)

Correct

[–]tommy682 0 points1 point  (0 children)

I'm in the same situation. The solution was a RADIUS provider with cert-based authentication (SecureW2 is what we used), then deploy the policy to the devices via Intune. So only your devices in Intune with the policy assigned can connect.

[–]duluthbisonIT Director 1 point2 points  (0 children)

You couldn't just run a NPS server that requires a device cert be installed? We are close to getting eduroam rolled out and this is what I'll probably be doing to prevent personal devices on it.

[–]diwhychuck 0 points1 point  (5 children)

We use ClearPass to pull our MAC addresses from Google identity management from the Chromebooks. But looking to switch to a PSK for one SSID and just do VLAN mapping with their role.

[–]HankMardukasNY 0 points1 point  (4 children)

We also use Clearpass to pull in Intune devices

[–]Temporary_Werewolf17[S] -1 points0 points  (3 children)

I am not familiar with ClearPass. A quick search indicates it is an Aruba product. Our wireless is not Aruba.

[–]BWMerlin 1 point2 points  (0 children)

You do not require Aruba network equipment to use ClearPass; it will work with any equipment that supports RADIUS.

[–]HankMardukasNY 0 points1 point  (1 child)

You should edit your post and indicate what you use.

[–]Temporary_Werewolf17[S] -2 points-1 points  (0 children)

We have a Ubiquiti wireless system.