MAC-Adress Filtering vs. Access - Lists

schlatermund · ‎08-15-2008

We are using two WLC 4400 Series Controller for our Guest WLAN. They are installed the way Cisco Recommends . One in our LAN and one in the DMZ.

I am looking for a possibility to deny company users the access to this WLAN with their notebooks. The WLAN has direkt internet access and we don't want our notebooks to be compromised...

With MAC-Adress Filterring I can only permit access to a specific Wlan or is there a way to negogiate such a filter to use it for a denial?

Is there a possibility to use access lists for the denial of specific Mac-Adresses to a specific WLAN ?

Anyone an other good Idea how to solve this issue?

Scott Fella · ‎08-15-2008

Well... MAC-address filter would work, but if you have alot to input, it can be a headache. ACL's I don't think will work, because users will get an ip from the guest network and then how can you know who has what address. Create a username password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal user can't access this unless the username password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.

-Scott
*** Please rate helpful posts ***

schlatermund · ‎08-18-2008

But to use the MAC-adress filter isn't it only a positve list, so everybody inside the list ist allowed access?

I would need it to use the MAC filter negative, so everybody ist the list is denied the access.

The solution by a webauth page is in use in the moment. But our users are not that sensible with password information. That is the reason why i am looking for a strikt technical solution

Scott Fella · ‎08-18-2008

Correct it is a positive list and there is not way you can have a negative list. The only way is to push a GPO to configure the wireless profile.

-Scott
*** Please rate helpful posts ***