IoT Devices on WPA2 Enterprise network
-
Want to be sure I'm not missing something. If I am I would be super happy to learn.
There is no setup that makes any sense that would allow devices like printers, Sonos speakers or kindles to connect to an enterprise network.
Put another way, any setup that would allow a device to connect to any network based only on MAC address is a very bad idea.
In case it matters I have Unifi APs (4 nanoHD), Cloud Key and Cisco small business switch (SG-220-50p) using FreeRadius on pfsense 2.4.5-p1. Unifi offers something called "Radius MAC Authentication", not sure exactly how that feature works in practice. I couldn't get normal EAP-TLS to work with it turned on.
As an aside, Unifi makes this a bit of a pain. You cannot use any vlan that is associated with a wpa personal network for dynamic (Radius) vlan assignment on a wpa enterprise network. I spent way too long wondering why I couldn't assign my 'home' vlan dynamically on an enterprise network. I thought for sure I had configured something wrong. A quick search on the Ubiquiti forum set me straight. <facepalm>
-
@jwj
I played with this for a while, quite some time ago, as I was thinking of dynamically assigning devices to vlans based on mac as well, or their normal radius login, in the hope of getting down to 1 single ssid and then just assigning either by your login or your mac etc. Guests would get thrown into the guest vlan, my iot devices would get put into the appropriate vlans, etc.
But since these iot devices have no support for enterprise login, you still have to have 2 different ssids, one where you use enterprise, and another where you don't for devices that don't support it.
So while I did get the dynamic assignment to work with a psk ssid, it's just easier to leave my ssids for the different vlans in place.
I use eap-tls for my trusted devices, phones, laptops, tablets, etc. While iot devices join the respective vlan based upon which ssid they use. And there is a guest vlan as well for friends and family that come over..
On a side note, since users are really lazy - and would never want to type in my very complex psks.. I printed up some cards with qr codes they can scan on their phones ;)
In a perfect world these iot devices would support enterprise auth.. But I don't see that happening any time soon..
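A concrete version of the "Radius MAC Authentication" plus dynamic VLAN setup that the first post asks about and that @johnpoz describes getting to work on a PSK SSID, as an added example that is not from either poster and not from the pfSense FreeRADIUS package: a FreeRADIUS 3.x `users` file that allow-lists two made-up MAC addresses, hands each one a VLAN through the standard Tunnel-* reply attributes, and rejects any other MAC-auth request. It assumes the AP sends the client MAC as the User-Name in lowercase, hyphen-separated form; the format UniFi actually sends is a setting on their side and your entries have to be keyed in the same format. The file path and the VLAN numbers are also assumptions. The caveat the thread itself makes still applies: this is allow-listing by a spoofable identifier, not authentication, so the VLANs it hands out should be the isolated IoT ones.

```conf
# /usr/local/etc/raddb/users  (FreeRADIUS 3.x "files" module; path is an assumption)
# Added example, not from the thread. MACs are made up. The key format
# (aa-bb-cc-dd-ee-ff as User-Name) is an assumption about what the NAS sends.

# Printer -> VLAN 30 (IoT). "Auth-Type := Accept" skips the password check:
# the only "credential" is the MAC, which anyone within radio range can copy.
02-00-5e-10-00-01   Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "30",
    Reply-Message = "mac-auth: printer -> vlan 30"

# Speaker -> VLAN 31 (media). Same three reply attributes, different VLAN id.
02-00-5e-10-00-02   Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "31"

# Any other non-EAP request (i.e. MAC auth for a device not listed above) is
# rejected instead of landing on a default VLAN. The "EAP-Message !* ANY"
# check keeps this catch-all from rejecting EAP-TLS users served by the same
# file; "!*" is the users-file operator for "attribute not present".
DEFAULT   EAP-Message !* ANY, Auth-Type := Reject
    Reply-Message = "mac-auth: unknown device"
```

To check it from the pfSense box, `radtest 02-00-5e-10-00-01 anything 127.0.0.1 0 <shared-secret>` should return an Access-Accept carrying the three Tunnel-* attributes (the password argument is irrelevant because of `Auth-Type := Accept`), and a MAC not in the file should get an Access-Reject. Whether the AP then honours the VLAN is a separate question; the UniFi restriction from the first post, that a VLAN already bound to a WPA-Personal SSID cannot be assigned dynamically on an enterprise SSID, is on the controller side and a correct RADIUS reply will not get around it.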
-
@johnpoz Thanks John!
I'll have to think through if I want to continue with the WPA2 Enterprise for what would be marginal improvements. One ssid and all of the logging sure seemed great. Oh well...
-
@jwj
I don't think the Unifi kit supports 802.1x and any form of WPA on the same network segment even if the SSID is different.
I'm with @johnpoz on the guest WiFi and QR codes.