WLAN limited access by Vendor

Unanswered Question
Apr 19th, 2011

Hi all,

I have this problem.

In the past I've configured a WLAN with PSK, then another WLAN with 802.1x authentication. Now I need to restrict the PSK WLAN to Nokia only (I've spent a lot of time, but had no chance of getting PEAP (MSCHAP v2) working with Nokia, but that's another story and I blame Symbian).

But these days I would like to force people to stop using the PSK WLAN and allow only Nokia people.

I don't know how to limit access to this WLAN.

I was thinking about some Vendor filter, but don't know how to implement.

A MAC address filter is out of the question, because I don't want to enter all the possible MAC addresses, and I didn't find how to put a MAC address range in the WLC (I do use single MAC address filters).

So, any help will be appreciated.

Thank you very much

Pavel

surbg Tue, 04/19/2011 - 01:15

Local EAP on the WLC is an option. The MAC address range feature is not there on the WLC yet, but we have raised an enhancement request for the same. If you need this feature very badly, then please contact your accounts team and they will help you out...

Here is the bug ID:

CSCti78117

Here is the link to configure MAC filtering:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml#c8

and here is the link to do local EAP on the WLC..

https://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml

Go for WEB AUTH as well!!

https://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

Let me know if this answered your question!!

Regards

Surendra

Nicolas Darchis Tue, 04/19/2011 - 01:22

From a WLC perspective you can only limit access per credentials (dot1x/PSK) or MAC address. Nothing else. How is it supposed to figure out that it's a Nokia connecting?

What you need can be met by the NAC Profiler or the upcoming ISE (which does it even more simply). The Profiler engine will detect that the device is a Nokia (from the MAC address range, from the DHCP options it sets when it asks for an IP address, etc.) and will dynamically add the MAC address to the database.

The WLC then does a simple MAC address authentication via RADIUS against the database dynamically updated by the Profiler.

Tadaaaa !
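
Added example, not part of the thread and not Cisco's Profiler code: a Python sketch of the profiling step described in the reply above, which classifies a client from its MAC prefix (OUI) plus DHCP option 60 and only then adds the MAC to the set a RADIUS server would check. The OUI, the vendor-class strings, and all function names are constructed placeholders.

```python
# Constructed placeholders: a locally administered OUI and a made-up vendor class.
VENDOR_OUIS = {"02:00:5e": "ExampleVendor"}
VENDOR_CLASS_HINTS = {"examplevendor": "ExampleVendor"}  # substring of option 60

def parse_dhcp_options(raw: bytes) -> dict:
    """Parse the RFC 2132 options field: code, length, value; 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def profile(mac: str, raw_options: bytes):
    """Return the vendor only when the OUI and DHCP option 60 agree, else None."""
    by_oui = VENDOR_OUIS.get(mac.lower().replace("-", ":")[:8])
    vci = parse_dhcp_options(raw_options).get(60, b"").decode("ascii", "replace").lower()
    by_dhcp = next((v for hint, v in VENDOR_CLASS_HINTS.items() if hint in vci), None)
    return by_oui if by_oui and by_oui == by_dhcp else None

def update_endpoint_db(db: set, mac: str, raw_options: bytes,
                       allowed: str = "ExampleVendor") -> bool:
    """Add the MAC to the set consulted for MAC authentication if it profiles as allowed."""
    if profile(mac, raw_options) == allowed:
        db.add(mac.lower().replace("-", ":"))
        return True
    return False

def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample DHCP option fields (55 = parameter request list, 60 = vendor class).
SAMPLE_MATCH = _opt(55, bytes([1, 3, 6])) + _opt(60, b"ExampleVendor Phone") + b"\xff"
SAMPLE_OTHER = _opt(60, b"MSFT 5.0") + b"\xff"
```

Both the MAC address and the DHCP options are supplied by the client and can be set to any value, so this classification narrows which devices land on the WLAN but does not authenticate them.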

ppokorny25 Tue, 04/19/2011 - 01:42

Hi,

@Surendra: EAP didn't work on Nokia, so I won't spend another minute on this one.

@Nicolas: this one sounds pretty (ISE). Can you tell me more? Because NAC I'm not planning.

Thanks

Pavel

Nicolas Darchis Tue, 04/19/2011 - 01:46

Basically it's "all in one" box.

Think of it like ACS 5.x, but having the profiler engine integrated. So the profiling engine populates the ACS internal hosts database with the mac addresses. Direct and transparent integration of the features ...

To continue the marketing talk, it also integrates the Guest user portal and creation feature to ACS, so it's really one radius server for everything.

Last but not least, the ACS in ISE can also do the posture validation like NAC. So all considered, it's not an ACS anymore, that's why it's called ISE :-) But basically it's a RADIUS server that is configured in the same fashion as ACS 5 and integrates the features of NAC, NAC Guest Server and Profiler.

panayiotiscy Thu, 04/05/2012 - 04:37

Hello Nicolas,

We are looking into a WLC-NAC Profiler integration/solution in order to identify and separate the handheld devices owned by our organization's employees and their laptops.

Can you please provide us with some useful links for further study?

Thank you

panayiotiscy Thu, 04/05/2012 - 04:52

Hey Nicolas,

But this is what we already have in place: WLC, NAC, NAC Profiler. So it's a one-way path for us :-(

Would you recommend another way of implementing this?

Nicolas Darchis Thu, 04/05/2012 - 05:02

If you have it already then fine for you :-)

What are you looking for then ?

The simplest is to configure the Collector as secondary DHCP server for the dynamic interface assigned to the WLAN.

panayiotiscy Thu, 04/05/2012 - 23:17

Hey Nicolas,

I will give it a try and come back with the results.

Thank you

surbg Tue, 04/19/2011 - 03:55

802.1X works on my Nokia E72.

Regards

Surendra

Posted April 19, 2011 at 12:47 AM