
connect wireless device only to one SSID on WLC

Unanswered Question
Oct 1st, 2013

Hi to all!

I am faced with a task to make wireless devices connect only to one SSID among a few created on a WLC 5508.

Well, I want all corporate devices to connect only to the corporate SSID, and all guest devices to connect only to the guest SSID.

The second task is simple - make MAC filtering for the corporate SSID, but how to prevent known corporate MAC addresses from associating to the guest SSID if the key is well-known and the SSID is broadcast? I have found an opportunity to add MAC addresses to Disabled Clients on the WLC, but it seems that these devices will not be able to connect to any of the SSIDs.


Any ideas?

Leo Laohoo Tue, 10/01/2013 - 05:05

I have found an opportunity to add MAC addresses to Disabled Clients on the WLC, but it seems that these devices will not be able to connect to any of the SSIDs.

You can enable Network Policy System (NPS) and put the corporate clients' MAC address here.  NPS will detect the MAC address and take appropriate actions.


You can even specify the MAC address and tie it to a DHCP server.  You can then assign a 169.X.X.X IP address.

18091988n Tue, 10/01/2013 - 07:43

You can even specify the MAC address and tie it to a DHCP server.  You can then assign a 169.X.X.X IP address.

What an interesting solution! But when I try to do that, I get the following response:

The specified DHCP client is not a reserved client.

Well, it seems that it's necessary to give an IP address from a specified range.


As for NPS, I would like to find another, simpler solution. Our guest SSID is terminated on an ASA; perhaps it can do something like MAC filtering. I'm going to read about it.

Leo Laohoo Tue, 10/01/2013 - 14:32

The specified DHCP client is not a reserved client.

Well, it seems that it's necessary to give an IP address from a specified range.

Hmmmmmm ... How about this ...


Create a subnet that is out of your network, say 172.30.0.0/24, and you create a NULL route.  Anyone with this IP address gets blackholed.


So you assign each DHCP client you have in your corporate to a specific IP address of your null route address.


Hmmmmm ... This is a very labor-intensive exercise.  Besides, it ain't foolproof because you have to be on your toes when your staff goes BYOD.


Can you describe to us your wireless network?


I mean you can assign only guest SSID in the guest area.  I wouldn't recommend assigning guest SSID in the corporate area.  Furthermore, I wouldn't recommend assigning corporate SSID in the guest area either. 

18091988n Wed, 10/02/2013 - 00:48

Well, our wireless network is built on a WLC and LAPs, allocated around the building. On the WLC we have 2 segments - corporate and guest --> SSID_corporate and SSID_guest, which are broadcast by all the access points. For some reasons we don't want to permit wireless corporate devices to connect to the guest segment, and now I'm thinking about how it can be done. I know all the WLAN MAC addresses of the corporate devices thanks to MAC filtering on SSID_corporate, and that's why I decided that it is possible somehow to use this information.

tony.sangha Wed, 10/02/2013 - 04:39

Hi Natalia,


How are your corporate and guest users authenticated? Are they both using a RADIUS server for authentication or something different? Are you able to provide some insight, please?


In general terms, you can easily filter corporate clients from only connecting to the corporate SSID without the need for placing restrictions on MAC addresses etc.; it all depends on how each user is authenticated to each SSID.


Cheers,

Tony
