Disallow corporate machines on guest network

Jan 29th, 2010


I have an issue where students are trying to connect to the guest network with the school's student laptops, when they should not be. What happens is, Windows XP will then put the GUEST SSID on the top of the list, and after a reboot the laptop will be trying to use the Guest Network to connect. Then the login fails, etc.

Is there a way with the WLC that I can deny those machines from even connecting to the GUEST Network?



dancampb (Cisco Employee) Fri, 01/29/2010 - 09:50

Assuming you are using webauth for your guest WLAN there is not a way to stop the clients from associating.  On a webauth WLAN the client is associated and has an IP before authentication occurs.  The controller is just blocking all the client's traffic until authenticated.

What you can do is stop the student users from being able to send/receive traffic if they are associated to the guest WLAN. To do this you will need to have both the guest and webauth WLANs authenticating against a RADIUS server. Basically set up a two-line ACL on the controller that denies traffic if the source address is from the guest subnet and allows the student subnet traffic. Then have RADIUS assign this ACL to all of the students. Basically they would be able to associate/authenticate to the guest WLAN but the controller would then block all of their traffic because of the ACL.
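The approach in the reply above, sketched as AireOS controller CLI. This is an added example, not part of the original post or Cisco's own configuration. The ACL name, the guest subnet 198.51.100.0/24 and the WLAN IDs are constructed placeholders, and lines starting with `#` are annotations, not controller input.

```text
# Constructed values: ACL name STUDENT-NO-GUEST, guest subnet 198.51.100.0/24,
# WLAN ID 1 = student WLAN, WLAN ID 2 = guest (webauth) WLAN.

# Rule 1: deny any packet whose source address is in the guest subnet.
config acl create STUDENT-NO-GUEST
config acl rule add STUDENT-NO-GUEST 1
config acl rule source address STUDENT-NO-GUEST 1 198.51.100.0 255.255.255.0
config acl rule action STUDENT-NO-GUEST 1 deny

# Rule 2: permit everything else. Controller ACLs are not stateful, so this
# rule is kept match-all (an assumption of this example) to let return
# traffic reach clients on the student subnet as well.
config acl rule add STUDENT-NO-GUEST 2
config acl rule source address STUDENT-NO-GUEST 2 0.0.0.0 0.0.0.0
config acl rule destination address STUDENT-NO-GUEST 2 0.0.0.0 0.0.0.0
config acl rule action STUDENT-NO-GUEST 2 permit

# Push the ACL to the data plane.
config acl apply STUDENT-NO-GUEST

# Allow attributes returned by RADIUS to override the WLAN's own settings.
# Changed here with each WLAN administratively disabled.
config wlan disable 1
config wlan aaa-override enable 1
config wlan enable 1
config wlan disable 2
config wlan aaa-override enable 2
config wlan enable 2

# RADIUS side (server-specific, not shown): the Access-Accept for student
# accounts carries the Airespace vendor-specific attribute
#   Airespace-ACL-Name = "STUDENT-NO-GUEST"
# Guest accounts get no ACL attribute, so their traffic is unaffected.

# Verification: confirm the ACL exists, then check which ACL the controller
# reports for a student laptop associated to the guest WLAN.
show acl summary
show client detail <client-mac>
```

Because the ACL follows the user account rather than the SSID, a student authenticated on the student WLAN receives the same ACL and only hits the permit rule.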

tcording Fri, 01/29/2010 - 21:30
Hello Dan

There are two things you could do to stop this.


Depending on the OS and wireless drivers/software, there is an option to specify which wireless network that the client device (laptop) can connect to.

In Vista and Windows 7, under the Wireless Network Properties tab there is an option “Connect automatically when this network is in range”. If you un-tick this option, the user has to manually make the connection. XP has a similar thing.

Also, through group policy you should be able to lock the wireless down to one network.


If you disable broadcasting the guest network, the network will not automatically appear in the wireless list, therefore the client cannot automatically connect to it. Your guest wireless network will appear as an un-named network in the wireless list, and if you try to connect to it you will be prompted to enter the SSID for the network.

This will only add a very small configuration task to your guest users as they will need to configure the guest details on the laptop.

Additionally this can minimise your neighbouring clients connecting to your wireless.


