Restricting WLAN Access for Mobile Devices

I'm wondering if anyone has suggestions for ways of preventing mobile devices from connecting to the WLAN.  We are moving to a mainly Wireless LAN Controller-based infrastructure, so I'm focusing on possibilities with the WCS/WLC (and not worrying about IOS APs).

Our policy is to keep mobile devices off our WLAN, because we can't ensure their security (no standard patching or anti-virus solution for these devices).  But users are able to config their mobile devices' wireless profiles to allow them to authenticate.  So we can release all the policies we want.... policies don't keep them from connecting.

Because of the security concerns and the fact that they chew up IP addresses, I'm trying to figure out what we could do to keep them off our WLAN!  Any ideas are welcome!

Note:  our company is too big to entertain any MAC address filtering based on allowing known laptop MACs or blocking known mobile device MACs.

ericgarnel Thu, 03/04/2010 - 07:19

That is not an easy task!   NAC comes to mind first....

Here is a stop-gap solution/idea:

Turn off 2.4 GHz altogether & use 802.11a capable laptops.  It will stop all currently available mobile devices from connecting.

Granted, it is a bit harsh and impractical, but initially effective - until mobile devices speak 802.11a (my money is on Nokia being 1st).

Also, using a splash page format (along with RADIUS authentication) that is not mobile browser friendly is another stop-gap solution!

Peter Nugent Thu, 03/04/2010 - 12:20

Would machine authentication help in this scenario?

Scott Fella Thu, 03/04/2010 - 18:17

Machine authentication will prevent non-domain devices from authenticating successfully to the WLAN.  If you don't broadcast the SSID and use a secure encryption/authentication method, then the device must successfully authenticate in order to obtain an IP address.  If you use an L3 authentication method like Web-Auth or Pass-through, then the device will obtain an IP address in order to get the splash page.

