Guest access control

Unanswered Question
Jul 28th, 2008

Hi there,


I've set up a guest SSID using WLC 4400. Everything works as expected, but my customer requested to block access to this SSID to corporate laptops.

I guess it could only be done by MAC Address filtering, but this is not a very good solution because:

- WLC works with a permit MAC policy (can one create a deny MAC policy so I can list and deny all the corporate MACs under the Guest SSID?);

- If I apply a MAC list to the Guest SSID, then only the allowed MACs will be able to see the Web Authentication page (that has been set up with instructions to call our Service Desk for the creation of a valid account).


Are there any other solutions? I also thought that maybe there is an Active Directory rule to block an SSID, but I haven't checked it out yet. I guess this should only work if every corporate computer uses the Windows Wireless Services, but I'm not sure.


Any other ideas?


Regards,


Tiago Molinos

Scott Fella Fri, 08/01/2008 - 05:08

How are your guests accessing the guest network? Is it just open and that is why internal users can just add the SSID and hop on the guest network? You can always use GPO to define the wireless profiles on a domain computer.

tiago.molinos Fri, 08/01/2008 - 05:38

Hi!


Guests access the network via Web authentication. From my point of view, with the use of time-limited guest accounts it's fairly secure, but the customer just asked for this feature.

I'll try to propose AD Group Policies to them.


Thanks,


Tiago Molinos

Scott Fella Fri, 08/01/2008 - 05:49

You don't want to create guest users on AD. Keep the accounts on the WLC. What you can do is create dummy RADIUS servers and add them to the WLAN SSID list. The WLC checks the local DB, then the RADIUS servers, and that is why internal users can use their AD credentials to access the guest. So you will need to add 3 dummy RADIUS servers and add all three to the RADIUS list on the WLAN. It is a workaround, but that is the only way so far you can limit the webauth to guest users.

tiago.molinos Tue, 08/05/2008 - 00:43

Hi!


I think this good solution will only work with Windows Vista clients, right? If so, it's not a good one for me as almost 90% of clients are XP based...


Regards,


Tiago Molinos

olivier.nicolas... Tue, 08/05/2008 - 00:54

The policy can be applied to XP clients, but the AD must be running on Windows 2003.

tiago.molinos Tue, 08/05/2008 - 01:14

That's great news! Do you have a link for a guide on how to get this to work?

tiago.molinos Wed, 09/17/2008 - 02:17

I've been looking everywhere to find a way to make this work in Windows XP, but I can't seem to find anything. Anyway, the customer still has lots of wireless clients using Win2K... So this is not the solution... Any suggestions? I've read something with respect to NAC and a client for improving security that has to be installed on every laptop that could work... Any experience with this type of solution?
