10-01-2013 04:28 AM - edited 07-04-2021 12:58 AM
Hi to all!
I am faced with a task to make wireless devices connect only to one SSID among a few created on a WLC 5508.
Well, I want all corporate devices to connect only to the corporate SSID and all guest devices to connect only to the guest SSID.
The second task is simple: set up MAC filtering for the corporate SSID. But how do I prevent known corporate MAC addresses from associating to the guest SSID if the key is well known and the SSID is broadcast? I have found an opportunity to add MAC addresses to Disabled Clients on the WLC, but it seems that these devices will then not be able to connect to any of the SSIDs.
Any ideas?
10-01-2013 05:05 AM
I have found an opportunity to add MAC addresses to Disabled Clients on the WLC, but it seems that these devices will then not be able to connect to any of the SSIDs.
You can enable Network Policy System (NPS) and put the corporate clients' MAC address here. NPS will detect the MAC address and take appropriate actions.
You can even specify the MAC address and tie it to a DHCP server. You can then assign a 169.X.X.X IP address.
10-01-2013 07:43 AM
You can even specify the MAC address and tie it to a DHCP server. You can then assign a 169.X.X.X IP address.
What an interesting solution! But when I try to do that, I get the following response:
The specified DHCP client is not a reserved client.
Well, it seems that it's necessary to give an IP address from a specified range.
As for NPS, I would like to find another, simpler solution. Our guest SSID is terminated on an ASA; perhaps it can do something like MAC filtering. I'm going to read about it.
10-01-2013 02:32 PM
The specified DHCP client is not a reserved client.
Well, it seems that it's necessary to give an IP address from a specified range.
Hmmmmmm ... How about this ...
Create a subnet that is outside your network, say 172.30.0.0/24, and create a NULL route. Anyone with this IP address gets blackholed.
So you assign each DHCP client you have in your corporate network to a specific IP address in your null-routed range.
Hmmmmm ... This is a very labor-intensive exercise. Besides, it ain't foolproof because you have to be on your toes when your staff goes BYOD.
Can you describe to us your wireless network?
I mean you can assign only guest SSID in the guest area. I wouldn't recommend assigning guest SSID in the corporate area. Furthermore, I wouldn't recommend assigning corporate SSID in the guest area either.
10-02-2013 12:48 AM
Well, our wireless network is built on a WLC and LAPs located around the building. On the WLC we have 2 segments, corporate and guest --> SSID_corporate and SSID_guest, which are broadcast by all the access points. For some reasons we don't want to permit wireless corporate devices to connect to the guest segment, and now I'm thinking about how it can be done. I know all the WLAN MAC addresses of the corporate devices thanks to MAC filtering on SSID_corporate, and that's why I decided that it is possible somehow to use this information.
10-02-2013 04:39 AM
Hi Natalia,
How are your corporate and guest users authenticated? Are they both using a RADIUS server for authentication or something different? Are you able to provide some insight, please?
In general terms, you can easily filter corporate clients from only connecting to the corporate SSID without the need for placing restrictions on MAC addresses etc.; it all depends on how each user is authenticated to each SSID.
Cheers,
Tony
10-02-2013 12:05 PM
If you have a RADIUS server (ACS), then you can configure it as described at the link below:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
10-11-2013 02:20 AM
Thanks for the answers, but we don't have a RADIUS server. The solution that we were advised to use, and that we will use, is based on Group Policies. It seems that it works.
Here is the link in case anyone faces the same problem: