Can I permanently authorize a client?

  • Question
  • Updated 2 years ago
So here's my dilemma:

We have an iPad that we use in the office for patients to check in for their appointment. We have 2 WiFi connections available to use. #1 is our private network and #2 is our patient / public network. If I connect to option 2 the iPad has to open a web page and accept the TOS before it can continue functioning. If I use option 1, every 10-15 min a staff would have to input their AD username/password for the internet to continue functioning. Is there any way I can just whitelist the MAC address of this iPad on either connection to bypass these issues? We have a ZoneDirector but I don't recall what model off the top of my head.

Thanks in advance!

Chris Huff


Posted 2 years ago


Sean

You can MAC auth clients using a RADIUS server:

https://support.ruckuswireless.com/answers/000001847

Good Luck

John D, AlphaDog

From a security standpoint I'm not sure I'm as much of a fan of MAC auth as I am of loading a DPSK or something onto the iPad itself.

Max O'Driscoll, AlphaDog

If you have a "modest" environment you might not have a RADIUS server. If you have, it's still not a simple click-a-few-buttons job.
--
This might seem overkill for one device but it'll do what you want. You could regard it as a quick and dirty fix.
Create a new WLAN called IPAD.
Use an ACL list with the iPad MAC in it and assign that list to IPAD.
Screenshots in a minute.

In ZD:
Configure
Access Control
L2-L7 Access Control
Create New...
Add in MAC of iPad... Save

Create new WLAN:
Configure
WLANs
Create New... edit as required
The access control drop-down menu should have the IPAD ACL list (you previously created) as an option.

As John correctly mentioned, this is not as secure as other methods and is not "good practice" unless you know how to lock your IPAD WLAN down in other ways.

Minor simple improvements include:
not broadcasting the IPAD WLAN,
restricting to one client (yours) for the WLAN on that AP (stops any other device from connecting),
restricting it only to iOS devices,
assigning the WLAN to only one of your APs on 5GHz,
reducing the power output of that AP WLAN to the minimum needed,
scheduling the WLAN (7AM-7PM, say),
limiting throughput...

Look through the options and figure out what you need, bearing in mind they can occasionally have unintended outcomes!

If you restrict to one client connection and add in a long inactivity timeout (say 60 mins... if you are a busy practice then that shouldn't be an issue), the iPad would hold the connection and no other device could use that WLAN.

etc

Max O'Driscoll, AlphaDog

After re-reading, I realised that this is public facing and not internal, so the security is a little less problematic.
By creating a new WLAN (ipad/visitor/sign-in, whatever) and only allowing your iPad to use it, you are leaving your existing patient/public network untouched.

At school I use MAC authentication a lot as our devices stay on premises and change rarely. Effective, "old school" and less secure but practical, it works and only devices I authorise/lay hands on can connect.