I have this problem.
In past I've configured WLAN with PSK, then another WLAN with 802.1x authentication. Now I need to restrict PSK WLAN for Nokia only (I've spent a lot of time, but no chance to start PEAP (MSCHAP v2) working with Nokia, but it's another story and I blame Symbian).
But these days I would like to force people to stop using the PSK WLAN and let only Nokia people allowed.
I don't know how to limit access to this WLAN.
I was thinking about some Vendor filter, but don't know how to implement.
MAC address filter is out of discussion, because I don't want to put all the possible MAC addresses, and I didn't find how put a MAC address range in WLC (single MAC address filter I use).
So, any help will be appreciated.
Thank you very much
Local EAP on the WLC is an option.. MAC address range feature is not der on the WLC yet, byt we have raised a Enhancement request for the same, if u need this feature very badly , thne please contact your Accounts tean and they will help you out...
here is the bug ID..
Here is the lin to configure MAC filtrering
and here is the link to do local EAP on the WLC..
Go for WEB AUTH as well!!
Lemme knos if this answered ur question!!
From a WLC perspective you can only limit access per credentials (dot1x/psk) or mac address. Nothing else. How is it supposed to figure out that it's a nokia connecting ?
What you need can be met by the NAC Profiler or the upcoming ISE (which does it even more simply). The Profiler engine will detect that the device is a nokia (from the mac address range, from the DHCP options it sets when it asks for an ip address, etc ...) and will dynamically add the mac address in the database.
The WLC then does a simply mac address authetnication via radius against teh database dynamically updated by profiler.
@Surendra : EAP didn't work on Nokia, so I won't to spend any more minute with this one.
@ Nicolas : this one sounds pretty (ISE). Can you tell me more? Becaus NAC I'm not planning.
Basically it's "all in one" box.
Think of it like ACS 5.x, but having the profiler engine integrated. So the profiling engine populates the ACS internal hosts database with the mac addresses. Direct and transparent integration of the features ...
To continue the marketing talk, it also integrates the Guest user portal and creation feature to ACS, so it's really one radius server for everything.
Last but not least, the ACS in ISE can also do the posture validation like NAC. So all considered, it's not an ACS anymore that's why it's called ISE :-) But basically it's a radius server that is configured in the same fashion as ACS 5 and integrates the features of NAC, Nac Guest server, Profiler
We are looking into a WLC-NAC Profiler integration/solution in order to identify and separate the handheld devices owned by our organization's employees and their laptops.
Can you please provide us with some useful links for further study?
But this is what we already have in place, wlc,nac,nac profiler. So it's an on-way path for us :-(
Would you recommend another way of implementing this?
If you have it already then fine for you :-)
What are you looking for then ?
The simplest is to configure the Collector as secondary DHCP server for the dynamic interfae assigned to the WLAN.