Keeping Internal Users off Guest Wireless

Unanswered Question
Mar 23rd, 2010

Have a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones.

What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server? Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
talmadari Wed, 03/24/2010 - 01:26


As i can see you can do several things:

1. use WPA-PSK for the guest network and by that provide simple password (which will be unknow to your internal users) for your guests.

2. disable the Fast SSID change feature which will block your internal users from changing from one network to another.

hope this helps.

Scott Fella Wed, 03/24/2010 - 06:13

Using webauth with a username and password is your best bet.  You can just create one guest credential and change that when ever you wish.  Now to not allow the internal users to access the guest webauth you will have to make sure they don't know the guest credential and you will have to create 3 bogus radius servers and in the WLAN SSID AAA, put those bogus radius server there.  This way the WLC will first look at the internal db, then the 3 radius servers you set in the WLAN SSID and either pass of fail the guest user.

David Cebula Wed, 03/24/2010 - 07:13

A simple password or username/password for the guest is fine, but what I am looking is something where I can keep company owned laptops off the guest wireless even if the employee knows the password for the guest. We do not want them bypassing our web proxy on the company laptops by putting them on the guest network.

Scott Fella Wed, 03/24/2010 - 08:07

That is something that your security policy for your company should address.  You really can't prevent it 100%... because there are always ways aroud it.  How do you prevent then from usingthe guest wlan for there PDA's, iphone, ithouch, ipad and maybe their personal laptop that might have company info also.  Unless you create a username password for every user, then you might be able to prevent internal users to get access, but that doesn't prevent a person to create a username and password for an enployee.  The hard part is that guest access should be open... easy for a guest to access and prevents your helpdesk from having to go to each device and configure the settings.  You can do it with mac filters, but that is a lot of work and that isn't 100%.

mscherting Wed, 03/24/2010 - 11:24

We've been considering addressing the same problem, possibly with NAC Guest server. Is this machine registerd in AD?  If yes, deny access.

David Cebula Wed, 03/24/2010 - 11:44

I'm closer. I have aaa override working for vlan assignment via RADIUS. On the RADIUS server, I have two access policies. The first is my normal authentication (EAP-TLS) for internal wireless clients where I included the condition member of Windows group Domain Computers. The RADIUS reply for the first policy assigns them to the "internal" vlan. The second RADIUS policy is for the visitor account (AD account with username/password) and the RADIUS reply from that assigns them to the "guest" vlan. The guest vlan exits my WLC on a seperate port to the guess firewall/cable modem, while the internal vlan exits to my internal lan.

That way even if internal user connects to the Guest SSID with a company laptop they still end on the internal lan.

Right now I have the Internal SSID authenticating off one group of RADIUS servers, and the Guest SSID authenticating off another set. My next step is to see if it can be done with only one SSID and one group of RADIUS servers, since assigning the vlan is what really matters.

Are there any security considerations with using a single SSID?  I plan on turning on Peer to Peer Blocking if I do that.

Frank Wagner Thu, 03/25/2010 - 01:38


when you have a microsoft active directory isn't it the easiest way to create a wlan domain policy.

In this policy you role out the wlan settings and restrict the user settings so that they can't configure the wlan card or settings.

Greetings, Frank

Scott Fella Thu, 03/25/2010 - 04:46


Yes you can lock down the wireless properties via GPO, but the down fall is that users will not be able to use wireless anywhere since they would have to configure the hotspot or home profile.

David Cebula Thu, 03/25/2010 - 15:24

After further testing I did confirm that it could be done with one SSID and one group of RADIUS servers. However, when I implement I will use two SSID's because I will limit guest to the g band and offer my internal at a and g. Using two will also enable greater flexibility for future changes.

Jason McDonald Wed, 03/23/2011 - 12:40

When we implemented our internal wireless and our guest wireless, we added the guest wireless to our GPO with a bad key and denied users the ability to change it. Domain laptops were able to see the Guest Wireless, but if they tried to connect, it would use the bad key and fail.

David Cebula Mon, 03/28/2011 - 10:49

Excellent approach. How did you add the bad key to the GPO?

I can add the guest SSID easily enough, but as far as I know Windows does not let you enter any pre-shared keys for wirless settings in GPO's. This is somewhat understandable, since having the PSK available on SysVol for anyone to potentially read, is a security risk.

Jason McDonald Mon, 03/28/2011 - 10:58

I didn't make the change to the GPO, that was done by a guy on another team. After mulling it over, we came up with that idea. I think you can push a preshared key one type or another. Another option might be to push an incorrect authentication or encryption parameter.

David Cebula Mon, 03/28/2011 - 14:47

For Vista/Win7 clients there is a deny permission available for SSID's in the GPO, but not for XP clients.

If you had XP clients, I'd really like to know what your group did. I am experimenting with just setting the GPO to use TKIP when the actual SSID only allows AES, that seems to work but it will need additional testing.


This Discussion



Trending Topics - Security & Network