Can I restrict Radius authentication to specific number of devices?

  • Question
  • Updated 5 months ago
I currently have a ZD1200 set up using the local database, which binds the user to a specific MAC address when they connect so the code cannot be used multiple times. Is there a way to use RADIUS/AD so that the user can connect a device to the SSID using their AD credentials, and that device is then bound to those credentials so they can't connect another device with the same credentials (until an admin goes into ZD and deletes that binding)?
Nathan Kaa

Posted 5 months ago

David Black

With RADIUS/AD, you cannot limit the number of concurrent logins. Instead, you could use DPSK, where each device (MAC) is tied to a unique key. If using Zero-IT to allow users to self-provision (as opposed to batch provisioning), each unique key will be associated with a user's name in the controller. You can also limit the number of keys per user to 1, 2, 3, 4, or unlimited.

Nathan Kaa

Just looking at some documentation with regard to Zero-IT and DPSK: in the setup it talked about using 802.1X EAP as the authentication option. Would that work the same way? Zero-IT would use RADIUS (Windows Server) to authenticate, then the user would be assigned a DPSK, which is bound to that device's MAC address, and I could limit the number of keys to 1 or 2?
David Black

What controller are you using and how many users? Configuring external DPSK is very complicated and would normally be used only when the required number of DPSKs exceeds the max that a controller can manage.
Nathan Kaa

It's a ZD1200. For one site there are around 30 staff, which isn't many; however, currently any DPSK codes are manually created, and I'm not on site all the time, so I was hoping to have a way to let them connect devices without needing a code to be manually created.

So should I just create a list of users in the local database?

Also, what is the procedure when they connect? Is there any documentation which shows this, as that might help me understand the process and how best to set it up for our needs.
David Black

If you're on v10, a ZD1200 supports a max of 150 APs, 4000 DPSKs, and 4000 clients. Why would you want to use external DPSK?
David Black

You could set up a provisioning network and use Zero-IT. Users connect to the provisioning network and authenticate to either Active Directory or the local user database. The controller then provisions the device, disconnects the device from the provisioning network, and connects it to the production network.
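To make the two answers above concrete (per-device keys with a keys-per-user limit, and the provisioning-network flow where a user authenticates against AD or the local database and the controller hands out a key), here is an added Python model of that policy. It is not Ruckus code and does not talk to a ZoneDirector; the user directory, MAC addresses and key values are constructed, and binding the key to the device MAC at provisioning time (rather than at first association) is a simplifying assumption of this model.

```python
"""Toy model of Zero-IT style DPSK provisioning with a keys-per-user limit.

Added example, not ZoneDirector code. USER_DIRECTORY stands in for AD or the
local user database; all names, passwords and MACs are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed identity source. Plaintext passwords only to keep the model short;
# a real deployment authenticates against AD/RADIUS, never a dict like this.
USER_DIRECTORY = {
    "alice": "alice-pass",
    "bob": "bob-pass",
}


@dataclass
class Dpsk:
    key: str
    user: str   # the account that provisioned the key (shown in the controller)
    mac: str    # the one device this key is valid for


class Controller:
    """keys_per_user mirrors the 1/2/3/4/unlimited setting; None = unlimited."""

    def __init__(self, keys_per_user=1):
        self.keys_per_user = keys_per_user
        self.dpsks: dict[str, Dpsk] = {}   # key -> binding

    def _authenticate(self, user, password):
        stored = USER_DIRECTORY.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def keys_for(self, user):
        return [d for d in self.dpsks.values() if d.user == user]

    def provision(self, user, password, mac):
        """Provisioning SSID: authenticate, then issue a key bound to this MAC.
        Refused once the user already holds keys_per_user keys."""
        if not self._authenticate(user, password):
            raise PermissionError("authentication failed")
        if self.keys_per_user is not None and len(self.keys_for(user)) >= self.keys_per_user:
            raise PermissionError(
                f"{user} already holds {self.keys_per_user} key(s); an admin must revoke one")
        key = secrets.token_urlsafe(24)
        self.dpsks[key] = Dpsk(key, user, mac.lower())
        return key

    def associate(self, key, mac):
        """Production SSID: the key is only accepted from the MAC it was bound to,
        so a key copied to a second device is rejected."""
        binding = self.dpsks.get(key)
        return binding is not None and binding.mac == mac.lower()

    def revoke(self, key):
        """Admin deletes the binding, which frees the user's slot."""
        return self.dpsks.pop(key, None) is not None


def demo():
    """Walk one user through the flow; returns the outcomes for inspection."""
    ctrl = Controller(keys_per_user=1)
    k1 = ctrl.provision("alice", "alice-pass", "AA:BB:CC:00:00:01")
    results = {
        "own_device": ctrl.associate(k1, "aa:bb:cc:00:00:01"),
        "key_copied_to_other_device": ctrl.associate(k1, "AA:BB:CC:00:00:02"),
    }
    try:
        ctrl.provision("alice", "alice-pass", "AA:BB:CC:00:00:02")
        results["second_device_provisioned"] = True
    except PermissionError:
        results["second_device_provisioned"] = False
    ctrl.revoke(k1)   # admin clears the binding
    k2 = ctrl.provision("alice", "alice-pass", "AA:BB:CC:00:00:02")
    results["after_revoke"] = ctrl.associate(k2, "aa:bb:cc:00:00:02")
    results["old_key_after_revoke"] = ctrl.associate(k1, "aa:bb:cc:00:00:01")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model shows why the DPSK approach answers the original question where plain RADIUS/AD does not: the limit is enforced on provisioned keys per account, and each key is only usable from the device it was issued to, so sharing credentials does not let a second device on until an admin revokes a binding.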