Prevent corporate users from accessing guest network?

jbachert · ‎09-19-2007

We have two SSIDs - one for the corporate network and one for the guest network.

The corporate network uses PEAP for authentication and the Guest is open (separate vlans, etc).

I need a way to keep the corporate users off of the guest network (so they can't avoid web filtering, etc.)

Is there a way to do this via MAC exclusions or something?

Thanks,

John

lee.messenger · ‎09-20-2007

Hi John,

would be very interested in an answer to this also.

Lee

scottwilliamson · ‎09-20-2007

Hi John,

My manager asked me this question and I told him that the corporate users wouldn't be able to get past the web authentication as they wouldn't know any guest access account details. However, I'd also welcome a more informed answer as I feel there may be flaws in this idea.

Regards,

Scott

jbachert · ‎09-20-2007

We don't require any account information for the guest network - it is wide open - so there is nothing to prevent a corporate user from logging on.

andrew.brazier · ‎09-21-2007

We solved this problem by using a Windows GP to push out incorrect settings for the guest wireless SSID so that even if corporate users tried to connect they were unable to. Eg; if the guest VLAN uses WPA security we pushed out settings for it's SSID that specified WEP. Unfortunately this only works if you're using the Windows wireless configuration tool on your clients.

john.pimlott · ‎09-21-2007

I use the web authenication and dont give them the user name and password. Our venders get a unique account set for certain number of days, then it goes dead.

MIKE GLASS · ‎09-21-2007

Hi John,

What I found was when using WEB auth on a guest WLAN the controller with automatically use your AAA server if a local guest account is not found. That is if you have AAA servers setup on your WLC. I had to block my corporate users access to my Guest WLAN through my AAA server. Cisco TAC did confirm this is how the WLC will operate.

Hope this helps!